[pkg-apparmor] Bug#968787: No printer can be installed in cups

Karsten debian at decotrain.de
Sun Aug 23 11:37:20 BST 2020 

Hi,

Am 23.08.20 um 09:50 schrieb intrigeri:
> Control: tag -1 + moreinfo
>
> Hi,
>
> Karsten (2020-08-23):
>> Yes. But the interesting thing is the output when trying to use cups.
>>
>> Aug 23 00:59:15 pc kernel: audit: type=1400 audit(1598137155.941:58): apparmor="DENIED" operation="mknod"
>> profile="/usr/sbin/cupsd" name="/srv/ssd3/var/spool/cups/00000000" pid=612 comm="cupsd" requested_mask="c"
>> denied_mask="c" fsuid=0 ouid=0
> It seems you have symlinks from /var/{log,spool} to
> /srv/ssd3/{log,spool}, or similar. Could you please confirm?

Yes - that's true, because /var and /home are on an HDD and the OS is on an SSD.

> AppArmor resolves symlinks before applying policy. This is necessary
> to avoid anyone bypassing the policy merely by creating a symlink to
> a confined program. There's of course no way the default policy
> shipped in Debian knows about all the symlinks users may choose to set
> up, so some local adjustment will be needed to cope with this
> non-standard setup. I consider this as a general usability problem of
> AppArmor vs. non-standard setup, rather than a bug in this specific
> AppArmor profile.
>
> I think your options are:
>
> A) Use bind-mounts instead of symlinks; I believe this is the cheapest
>    option, both in terms of initial setup and in terms of maintenance.
>    This avoids AppArmor having to do anything special, because the
>    canonical path of /var/{log,spool}/cups will be the one that's
>    already supported in the default AppArmor policy.

Thanks a lot. This could be a solution.

> B) Use the AppArmor "alias" functionality in
>    /etc/apparmor.d/tunables/alias, so that AppArmor knows the mapping
>    between standard canonical paths and your custom local ones.
>
>    For example, something like this:
>
>      alias /var/spool/cups/ -> /srv/ssd3/var/spool/cups/,
>
> Please try one of these :)

I tried this option and it works. Thank you.
Now an printer can be added.

Is there a way to get the working of apparmot more transparent?
There seems only aa-status on the command line.

Cheers
karsten

More information about the pkg-apparmor-team mailing list