[pkg-apparmor] Bug#968387: apparmor: Broken printing and printer autodiscovery
intrigeri
intrigeri at debian.org
Tue Aug 18 09:27:19 BST 2020
Control: severity -1 important
Control: tag -1 + moreinfo
Control: user pkg-apparmor-team at lists.alioth.debian.org
Control: usertags + buggy-profile
Hi,
> I installed lxc on a freshly installed debian 10 (standard iso + the tasks:
> desktop, kde, print-server, laptop).
First, I'd like to ensure I understand correctly, since you're
mentioning LXC: how is this related to LXC?
Are the problems quoted below happening inside a LXC container?
> - The printer was not autodiscovered in the "Print" window of any program,
> and in the "Add printer" window of system-config-printer-settings.
> - Even after setting the device URI, print jobs did not make it to the printer
> and there were no info about toner levels, printer availability, etc.
>
> I did not touch apparmor, but aa-status said it was enforcing on a lot
> of programs, including /usr/sbin/{cupsd,cups-browsed}, so I ran
>
> aa-complain /usr/sbin/cupsd
> aa-complain /usr/sbin/cups-browsed
Note that aa-complain does not *fully* disable AppArmor profiles:
As its manpage says, 'deny' rules will be enforced even in complain mode.
> Now, the printer was autodiscovered,
So I guess the /usr/sbin/cups-browsed profile was blocking
auto-discovery. To debug this further, we'll need more information,
starting with the output of this command:
journalctl -kaf --no-hostname | grep -w 'apparmor="DENIED"'
> but printing still did not work, so I did
> apt-get autopurge apparmor
>
> Now printing works fine, I have toner level info, etc.
So I guess the /usr/sbin/cupsd profile was blocking printing. To debug
this, we'll need the same debugging info I requested above.
Once you've provided the debugging info, I'll reassign this bug to the
package(s) that ship the buggy AppArmor profiles: most likely,
respectively cups-browsed and/or cups-daemon.
In the meantime I'm downgrading severity to important,
because:
- This problem does not make the apparmor package itself unusable.
- If the problem affected many printers, I would hope we would have
learnt about it earlier.
Thank you for reporting this bug to Debian,
cheers!
More information about the pkg-apparmor-team
mailing list