[pkg-apparmor] Bug#968787: No printer can be installed in cups
Karsten
debian at decotrain.de
Sun Aug 23 11:37:20 BST 2020
Hi,
Am 23.08.20 um 09:50 schrieb intrigeri:
> Control: tag -1 + moreinfo
>
> Hi,
>
> Karsten (2020-08-23):
>> Yes. But the interesting thing is the output when trying to use cups.
>>
>> Aug 23 00:59:15 pc kernel: audit: type=1400 audit(1598137155.941:58): apparmor="DENIED" operation="mknod"
>> profile="/usr/sbin/cupsd" name="/srv/ssd3/var/spool/cups/00000000" pid=612 comm="cupsd" requested_mask="c"
>> denied_mask="c" fsuid=0 ouid=0
> It seems you have symlinks from /var/{log,spool} to
> /srv/ssd3/{log,spool}, or similar. Could you please confirm?
Yes - that's true, because /var and /home are on an HDD and the OS is on an SSD.
> AppArmor resolves symlinks before applying policy. This is necessary
> to avoid anyone bypassing the policy merely by creating a symlink to
> a confined program. There's of course no way the default policy
> shipped in Debian knows about all the symlinks users may choose to set
> up, so some local adjustment will be needed to cope with this
> non-standard setup. I consider this as a general usability problem of
> AppArmor vs. non-standard setup, rather than a bug in this specific
> AppArmor profile.
>
> I think your options are:
>
> A) Use bind-mounts instead of symlinks; I believe this is the cheapest
> option, both in terms of initial setup and in terms of maintenance.
> This avoids AppArmor having to do anything special, because the
> canonical path of /var/{log,spool}/cups will be the one that's
> already supported in the default AppArmor policy.
Thanks a lot. This could be a solution.
> B) Use the AppArmor "alias" functionality in
> /etc/apparmor.d/tunables/alias, so that AppArmor knows the mapping
> between standard canonical paths and your custom local ones.
>
> For example, something like this:
>
> alias /var/spool/cups/ -> /srv/ssd3/var/spool/cups/,
>
> Please try one of these :)
I tried this option and it works. Thank you.
Now a printer can be added.
Is there a way to make the working of AppArmor more transparent?
There seems to be only aa-status on the command line.
Cheers
karsten
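As an added illustration of how the alias rule in intrigeri's reply relates to the DENIED audit line Karsten quoted (example code written for this page, not part of the Debian AppArmor packaging): a small Python helper that parses the audit message fields and derives the tunables/alias rule from an assumed symlink table. The symlink table and the default depth of three path components are assumptions; the thread only says /var lives on another disk.

```python
import re
from pathlib import PurePosixPath
# Constructed sample input: the DENIED line quoted in the bug report.
AUDIT_LINE = (
    'Aug 23 00:59:15 pc kernel: audit: type=1400 audit(1598137155.941:58): '
    'apparmor="DENIED" operation="mknod" profile="/usr/sbin/cupsd" '
    'name="/srv/ssd3/var/spool/cups/00000000" pid=612 comm="cupsd" '
    'requested_mask="c" denied_mask="c" fsuid=0 ouid=0'
)
# Assumed layout (canonical path -> symlink target); a guess, not from the thread.
SYMLINKS = {"/var/spool": "/srv/ssd3/var/spool", "/var/log": "/srv/ssd3/var/log"}

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit(line):
    """Return the key=value fields of an AppArmor audit message as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(line)}

def relocated_prefix(real_path, symlinks):
    """(canonical_prefix, target_prefix) of the longest symlink target
    covering real_path, or None when no symlink applies."""
    best = None
    for canon, target in symlinks.items():
        t = target.rstrip("/")
        if real_path == t or real_path.startswith(t + "/"):
            if best is None or len(t) > len(best[1]):
                best = (canon.rstrip("/"), t)
    return best

def suggest_alias(line, symlinks, depth=3):
    """Derive the tunables/alias rule for a DENIED line whose object lives under a
    relocated directory; `depth` = directory components to cover (3 -> /var/spool/cups/)."""
    fields = parse_audit(line)
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    hit = relocated_prefix(fields["name"], symlinks)
    if hit is None:
        return None
    canon, target = hit
    canon_path = canon + fields["name"][len(target):]
    # An alias must at least cover the symlink itself, so clamp depth upward.
    depth = max(depth, len(PurePosixPath(canon).parts) - 1)
    # Directory components only: the last component is the denied object.
    dirs = PurePosixPath(canon_path).parts[1:-1]
    canon_dir = "/" + "/".join(dirs[:depth]) + "/"
    real_dir = target + canon_dir[len(canon):]
    return f"alias {canon_dir} -> {real_dir},"
```

Denials of this kind are logged through the kernel audit subsystem (visible in dmesg or the system journal), which is the most direct place to see what a profile blocked.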