Bug#988764: cups-browsed: apparmor blocks access to /usr/share/{cups/,}/locale
Hi OdyX, On Fr 21 Mai 2021 16:45:46 CEST, Didier 'OdyX' Raboud wrote: Le vendredi, 21 mai 2021, 16.26:12 h CEST Mike Gabriel a écrit : Basically, why not? It clutters syslog. It probably won't have functional consequences, but still... Well. At this point of the freeze, I'd rather not burden the release team with such a non-"critical, grave, or serious" bug. https://lists.debian.org/debian-devel-announce/2021/05/msg0.html was 19 days ago, and has As the release draws nearer, fixes for non-RC bugs which do not affect a package's general usability will increasingly be deferred or rejected. Feel free to ask if you feel strongly enough about this, I'll upload if it's accepted! Cheers, -- OdyX alright then. Minor issue. Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgpcZXK1IMoWj.pgp Description: Digitale PGP-Signatur
Bug#988764: cups-browsed: apparmor blocks access to /usr/share/{cups/,}/locale
Hi OdyX, On Fr 21 Mai 2021 15:59:04 CEST, Didier 'OdyX' Raboud wrote: Control: tags -1 +pending Hello Mike, and thanks for your patch-provided bugreport. Le mercredi, 19 mai 2021, 12.33:10 h CEST Mike Gabriel a écrit : With CUPS on buster and bullseye I see these messages in /var/log/syslog: May 19 12:26:12 server03 kernel: [4563725.605605] audit: type=1400 audit(1621419972.056:193): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/usr/share/cups/locale/" pid=17771 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 May 19 12:26:12 server03 kernel: [4563725.606138] audit: type=1400 audit(1621419972.056:194): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/usr/share/locale/" pid=17771 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 May 19 12:27:08 server03 systemd[1]: cups-browsed.service: Succeeded. These error messages / folder access blocks can be amended by this change in /etc/apparmor.d/usr.sbin.cups-browsed: (…) I'll upload to experimental in a moment. I assume it doesn't warrant rising severity and aiming at Bullseye, right? Basically, why not? It clutters syslog. It probably won't have functional consequences, but still... Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgp9cQnOQ9DBe.pgp Description: Digitale PGP-Signatur
Bug#988764: cups-browsed: apparmor blocks access to /usr/share/{cups/,}/locale
Le vendredi, 21 mai 2021, 16.26:12 h CEST Mike Gabriel a écrit : > Basically, why not? It clutters syslog. It probably won't have > functional consequences, but still... Well. At this point of the freeze, I'd rather not burden the release team with such a non-"critical, grave, or serious" bug. https://lists.debian.org/debian-devel-announce/2021/05/msg0.html was 19 days ago, and has > As the release draws nearer, fixes for non-RC bugs which do not affect a > package's general usability will increasingly be deferred or rejected. Feel free to ask if you feel strongly enough about this, I'll upload if it's accepted! Cheers, -- OdyX signature.asc Description: This is a digitally signed message part.
Bug#988764: cups-browsed: apparmor blocks access to /usr/share/{cups/,}/locale
Control: tags -1 +pending Hello Mike, and thanks for your patch-provided bugreport. Le mercredi, 19 mai 2021, 12.33:10 h CEST Mike Gabriel a écrit : > With CUPS on buster and bullseye I see these messages in /var/log/syslog: > > May 19 12:26:12 server03 kernel: [4563725.605605] audit: type=1400 > audit(1621419972.056:193): apparmor="DENIED" operation="open" > profile="/usr/sbin/cups-browsed" name="/usr/share/cups/locale/" > pid=17771 comm="cups-browsed" requested_mask="r" denied_mask="r" > fsuid=0 ouid=0 > May 19 12:26:12 server03 kernel: [4563725.606138] audit: type=1400 > audit(1621419972.056:194): apparmor="DENIED" operation="open" > profile="/usr/sbin/cups-browsed" name="/usr/share/locale/" pid=17771 > comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 > May 19 12:27:08 server03 systemd[1]: cups-browsed.service: Succeeded. > > > These error messages / folder access blocks can be amended by this > change in /etc/apparmor.d/usr.sbin.cups-browsed: (…) I'll upload to experimental in a moment. I assume it doesn't warrant rising severity and aiming at Bullseye, right? Best, OdyX signature.asc Description: This is a digitally signed message part.
Bug#988764: cups-browsed: apparmor blocks access to /usr/share/{cups/,}/locale
Package: cups-browsed Version: 1.28.7-1 Severity: normal Tags: patch With CUPS on buster and bullseye I see these messages in /var/log/syslog: May 19 12:26:12 server03 kernel: [4563725.605605] audit: type=1400 audit(1621419972.056:193): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/usr/share/cups/locale/" pid=17771 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 May 19 12:26:12 server03 kernel: [4563725.606138] audit: type=1400 audit(1621419972.056:194): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/usr/share/locale/" pid=17771 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 May 19 12:27:08 server03 systemd[1]: cups-browsed.service: Succeeded. These error messages / folder access blocks can be amended by this change in /etc/apparmor.d/usr.sbin.cups-browsed: ``` diff --git a/apparmor.d/usr.sbin.cups-browsed b/apparmor.d/usr.sbin.cups-browsed index 4cf9301..cb78f2d 100644 --- a/apparmor.d/usr.sbin.cups-browsed +++ b/apparmor.d/usr.sbin.cups-browsed @@ -10,6 +10,8 @@ /etc/cups/cups-browsed.conf r, /etc/cups/lpoptions r, /etc/cups/ppd/* r, + /usr/share/cups/locale/ r, + /usr/share/locale/ r, /{var/,}run/cups/certs/* r, /var/cache/cups/* rw, /var/log/cups/* rw, ``` Greets, Mike -- DAS-NETZWERKTEAM c\o Technik- und Ökologiezentrum Eckernförde Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde mobile: +49 (1520) 1976 148 landline: +49 (4351) 850 8940 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de pgpnRvveMFGDJ.pgp Description: Digitale PGP-Signatur