[pkg-apparmor] Bug#940578: printer-driver-cups-pdf: cups pdf printer cannot create pdf file
intrigeri
intrigeri at debian.org
Wed Sep 18 08:03:40 BST 2019
Control: reassign -1 printer-driver-cups-pdf
Hi,
Martin-Éric Racine:
> This very much seems like an issue caused by AppArmor. Reassigned.
Indeed, the denial is caused by AppArmor.
Thanks for bringing this to our attention!
Now, I doubt the apparmor package is where we can fix this.
My understanding is that Rudolf customized his cups-pdf configuration
to write PDF output to a non-standard location:
>> -- Configuration Files:
>> /etc/cups/cups-pdf.conf changed:
>> Out ${HOME}/Transport
… which makes the cups-pdf AppArmor profile (shipped by the
cups-daemon package in the /etc/apparmor.d/usr.sbin.cupsd file)
unhappy:
>> -- audit error message:
>> audit[11578]: AVC apparmor="DENIED" operation="mknod" profile="/usr/lib/cups/backend/cups-pdf" name="/home/rudi/Transport/home_rudi_Transport.pdf" pid=11578 comm="gs" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Generally, there are three strategies available to deal with this
kind of problems:
A. Generate AppArmor policy dynamically, on service startup, depending
on the service configuration
This is, for example, what libvirt, Samba, and others do. It's the
nicest way to handle this as it requires no action from the user.
Depending on the service specifics, it may be anything between
"rather easy" and "tons of work".
If you choose this option, then this bug should be reassigned to
cups-daemon.
B. Document the need to adjust AppArmor policy when changing default paths
This is less nice to affected users but it's very cheap, and
sometimes it's good enough. For example, when there's little
incentive to change the default paths, so in practice very few
users are affected (which may make the cost/benefit of implementing
option A too big to be worth it).
Here it's already kind of the case:
https://sources.debian.org/src/cups-pdf/3.0.1-5/debian/README.Debian/#L12
But that file incorrectly suggests that this caveat applies only to
Ubuntu, which is not the case anymore. So I would say first thing
is to drop the " (UBUNTU)" annotation.
If you choose this option, then this bug should be reassigned back
to cups-pdf.
C. Disable AppArmor confinement by default for the program that gets blocked
It's unfortunately the best strategy when option A requires too
much work *and* many users would be affected by the problem so
option B is not good enough. For example, we had to do that
for Thunderbird.
In the case at hand, I don't what proportion of cups-pdf users
change the default output path. It seems that reportbug includes
this information so one could gather some quick'n'dirty data from
the BTS, which would help us make a reasonable assessment.
If you choose this option, then this bug should be reassigned to
cups-daemon.
None of these strategies can be implemented in the apparmor package.
I think the maintainers of cups-pdf are the best placed to make the
call wrt. what strategy they prefer to go with, so I'm reassigning
back to cups-pdf. I'm happy to keep providing guidance and info you
might need :)
I've just usertagged this bug so it is on the AppArmor team's radar:
https://udd.debian.org/cgi-bin/bts-usertags.cgi?tag=help-needed&user=pkg-apparmor-team%40lists.alioth.debian.org
To learn about the preferred way to bring AppArmor-related bugs to
the attention of the AppArmor team, please read:
https://wiki.debian.org/AppArmor/Reportbug#Usertags
Cheers,
--
intrigeri
More information about the pkg-apparmor-team
mailing list