Ok, I see it on restart:
root@nsnx2:~# systemctl restart cups.service
root@nsnx2:~#
triggers:
[Sun Mar 15 05:08:47 2026] audit: type=1400 audit(1773232325.694:639):
apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd"
name="/etc/paperspecs" pid=138364 comm="cupsd" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0
[Sun Mar 15 05:08:47 2026] audit: type=1400 audit(1773232325.714:640):
apparmor="DENIED" operation="capable" class="cap" profile="/usr/sbin/cupsd"
pid=138364 comm="cupsd" capability=12 capname="net_admin"
Ah, so it is in /etc/apparmor.d/usr.sbin.cupsd, but only in
/usr/lib/cups/backend/cups-pdf { inside that file, as you said.
Let me try adding it to cupsd:
--- usr.sbin.cupsd 2026-03-11 09:34:52.329977492 -0300
+++ /etc/apparmor.d/usr.sbin.cupsd 2026-03-11 09:34:56.113451147 -0300
@@ -73,6 +73,7 @@
/etc/foomatic/* r,
/etc/gai.conf r,
/etc/papersize r,
+ /etc/paperspecs r,
/etc/pnm2ppa.conf r,
/etc/printcap rwl,
/etc/ssl/** r,
Now I just get the capability denial:
[Sun Mar 15 05:12:08 2026] audit: type=1400 audit(1773232526.491:643):
apparmor="STATUS" operation="profile_replace" profile="unconfined"
name="/usr/sbin/cupsd//third_party" pid=138466 comm="apparmor_parser"
[Sun Mar 15 05:12:13 2026] audit: type=1400 audit(1773232531.584:644):
apparmor="DENIED" operation="capable" class="cap" profile="/usr/sbin/cupsd"
pid=138501 comm="cupsd" capability=12 capname="net_admin"
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2143826
Title:
apparmor denial for /etc/paperspecs
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/2143826/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
