Bug#990331: reportbug: cups-browsed printing fails due to apparmor config with message 'No destination host name supplied by cups-browsed for printer'
On Sat 11 Sep 2021 at 19:48:06 +0200, Florent Rougon wrote: > Hello Brian, > > As I wrote in my previous message, the two lines I quoted from my > /var/log/syslog are from **before the fix** (i.e., before I purged > cups-browsed). My lax reading, Florent. Thanks for the correction. Cheers, Brian.
Bug#990331: reportbug: cups-browsed printing fails due to apparmor config with message 'No destination host name supplied by cups-browsed for printer'
Hello Brian, As I wrote in my previous message, the two lines I quoted from my /var/log/syslog are from **before the fix** (i.e., before I purged cups-browsed). Regards -- Florent
Bug#990331: reportbug: cups-browsed printing fails due to apparmor config with message 'No destination host name supplied by cups-browsed for printer'
On Sat 11 Sep 2021 at 15:48:42 +0200, Florent Rougon wrote: > Hello, Hello Florent, Thank you for your contribution to this report. > I also had the not-very-helpful message from CUPS: The message is actually from cups-browsed. > No destination host name supplied by cups-browsed for printer, is > cups-browsed running? > > Of course, cups-browsed was well running and I even tried to restart it, > also cups.service, etc. The solution I found, before reading this > report, was inspired by this answer: > > https://askubuntu.com/a/1128869 > > Here it is. First some context: the printer is connected to > and printing from first worked, then failed for the *very > same document* in the *very same Okular instance*---I simply wanted to > print two sets of pages from the same document, oh my... > > Solution (everything done on ): > > 1) I purged the cups-browsed package, even though cups-daemon recommends >it. cups-browsed basically provides *auto-setup* of printers and print queues. Many users apprreciate this function. But, of course, it may be purged. I often do not use it, but would not dream of advising other users to do the same, although, like you. I might suggest it. > 2) Then I figured out I needed to do “Delete Printer” from the CUPS web >administration page for the printer (otherwise, trying to do step 3 >would fail with the incomprehensible error message “Unable to add >printer:Cannot change printer-is-shared for remote queues.”—that, >regardless of whether “Share printer” was being checked). > > 3) From the CUPS web administration page: > >Administration → Add Printer → Discovered Network Printers: Brother >DCP-L2550DN (driverless) @ (DCP-L2550DN DCP-L2550DN >series) → ... → Add Printer (the button). > > Finally, I was able to print from . > > Even though this solution is quite different from that proposed by > Gabriel, this may very well be the same issue, because now that I've > found this report, I see that my /var/log/syslog on from > before the fix has entries like: This solution involves setting up a printer manually. It is perfectly acceptable. > Sep 11 13:39:09 localhost kernel: [15658.624326] audit: type=1400 audit(...): > apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6811 > comm="cupsd" capability=12 capname="net_admin" OK. > Sep 11 13:39:09 localhost kernel: [15658.718083] audit: type=1400 audit(...): > apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" > pid=6814 comm="cups-browsed" capability=23 capname="sys_nice" I wouldn't expect this line after cups-browsed has been purged. There isn't an apparmor profile to use. > Hope this helps other people. Regards, It does. -- Brian.
Bug#990331: reportbug: cups-browsed printing fails due to apparmor config with message 'No destination host name supplied by cups-browsed for printer'
Hello, I also had the not-very-helpful message from CUPS: No destination host name supplied by cups-browsed for printer, is cups-browsed running? Of course, cups-browsed was well running and I even tried to restart it, also cups.service, etc. The solution I found, before reading this report, was inspired by this answer: https://askubuntu.com/a/1128869 Here it is. First some context: the printer is connected to and printing from first worked, then failed for the *very same document* in the *very same Okular instance*---I simply wanted to print two sets of pages from the same document, oh my... Solution (everything done on ): 1) I purged the cups-browsed package, even though cups-daemon recommends it. 2) Then I figured out I needed to do “Delete Printer” from the CUPS web administration page for the printer (otherwise, trying to do step 3 would fail with the incomprehensible error message “Unable to add printer:Cannot change printer-is-shared for remote queues.”—that, regardless of whether “Share printer” was being checked). 3) From the CUPS web administration page: Administration → Add Printer → Discovered Network Printers: Brother DCP-L2550DN (driverless) @ (DCP-L2550DN DCP-L2550DN series) → ... → Add Printer (the button). Finally, I was able to print from . Even though this solution is quite different from that proposed by Gabriel, this may very well be the same issue, because now that I've found this report, I see that my /var/log/syslog on from before the fix has entries like: Sep 11 13:39:09 localhost kernel: [15658.624326] audit: type=1400 audit(...): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6811 comm="cupsd" capability=12 capname="net_admin" Sep 11 13:39:09 localhost kernel: [15658.718083] audit: type=1400 audit(...): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=6814 comm="cups-browsed" capability=23 capname="sys_nice" Hope this helps other people. Regards, -- Florent
Bug#990331: reportbug: cups-browsed printing fails due to apparmor config with message 'No destination host name supplied by cups-browsed for printer'
Package: cups-browsed
Version: 1.28.7-1
Severity: important
Dear Maintainer,
I have a Brother printer configured per [1] using cups-browsed. It used
to work perfectly, but now fails to print with the same error message as
in #887495:
> No destination host name supplied by cups-browsed for printer "name", is
> cups-browsed running?
Note that #887495 is a catch-all without a root cause ever identified,
which is why I'm opening a more specific bug for this issue.
[1] https://wiki.debian.org/CUPSDriverlessPrinting
The cause of my issue lies is app armor config. I noticed the following
lines in the logs:
juin 22 16:42:55 wiyake audit[638]: AVC apparmor="STATUS"
operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed"
pid=638 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS"
operation="profile_load" profile="unconfined"
name="/usr/lib/cups/backend/cups-pdf" pid=636 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS"
operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=636
comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS"
operation="profile_load" profile="unconfined"
name="/usr/sbin/cupsd//third_party" pid=636 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[766]: AVC apparmor="DENIED" operation="capable"
profile="/usr/sbin/cupsd" pid=766 comm="cupsd" capability=12
capname="net_admin"
juin 22 16:42:55 wiyake audit[782]: AVC apparmor="DENIED" operation="capable"
profile="/usr/sbin/cups-browsed" pid=782 comm="cups-browsed" capability=23
capname="sys_nice"
juin 22 16:44:21 wiyake audit[2615]: AVC apparmor="DENIED" operation="capable"
profile="/usr/sbin/cupsd" pid=2615 comm="cupsd" capability=12
capname="net_admin"
juin 22 16:44:21 wiyake audit[2618]: AVC apparmor="DENIED" operation="capable"
profile="/usr/sbin/cups-browsed" pid=2618 comm="cups-browsed" capability=23
capname="sys_nice"
net_admin sounded suspicious, since the error message mentionned a host
name.
I then tried the following workaround, originally found for Ubuntu [2]:
# apt install apparmor-utils
# aa-complain cupsd-browsed
# systemctl restart cups-browsed
[2] https://askubuntu.com/questions/645636/apparmor-with-cupsd-denied-in-logs
It resolved my issue, and my printer immediately started printing the
jobs in the queue. The logs now show:
juin 25 22:23:06 wiyake audit[221791]: AVC apparmor="STATUS"
operation="profile_replace" profile="unconfined" name="/usr/sbin/cups-browsed"
pid=221791 comm="apparmor_parser"
juin 25 22:24:40 wiyake audit[222966]: AVC apparmor="ALLOWED"
operation="capable" profile="/usr/sbin/cups-browsed" pid=222966
comm="cups-browsed" capability=23 capname="sys_nice"
I'm not sure what exactly needs to be updated in the apparmor config to
fix this issue. Note that #988764 is also about apparmor issues, but is
marked minor and doesn't seem to block printing. My issue yields to a
complete impossibility to print (at least in my use case).
I'd be happy to test any fix you could provide.
Thanks!
Gabriel
-- System Information:
Debian Release: 11.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.10.0-7-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cups-browsed depends on:
ii cups-daemon 2.3.3op2-3+deb11u1
ii init-system-helpers 1.60
ii libavahi-client3 0.8-5
ii libavahi-common3 0.8-5
ii libavahi-glib1 0.8-5
ii libc62.31-12
ii libcups2 2.3.3op2-3+deb11u1
ii libcupsfilters1 1.28.7-1
ii libglib2.0-0 2.66.8-1
ii libldap-2.4-22.4.57+dfsg-3
ii lsb-base 11.1.0
Versions of packages cups-browsed recommends:
ii avahi-daemon 0.8-5
cups-browsed suggests no packages.
-- Configuration Files:
/etc/apparmor.d/usr.sbin.cups-browsed changed:
/usr/sbin/cups-browsed flags=(attach_disconnected, complain) {
#include
#include
#include
#include
#include
/etc/cups/cups-browsed.conf r,
/etc/cups/lpoptions r,
/etc/cups/ppd/* r,
/{var/,}run/cups/certs/* r,
/var/cache/cups/* rw,
/var/log/cups/* rw,
/tmp/** rw,
# Site-specific additions and overrides. See local/README for details.
#include
}
-- no debconf information
