[pkg-apparmor] Bug#980974: apparmor blocks cups backend outgoing network connections

Christian Boltz debian-bugs at cboltz.de
Wed Aug 17 19:47:24 BST 2022


Hello,

denials for capability net_admin are often a sign that a service uses 
systemd libraries on startup, and these systemd libraries do funny[tm] 
things. In these cases the net_admin capability is not really needed.

See https://bugzilla.opensuse.org/show_bug.cgi?id=1196850#c3 for the 
technical details. (Yes, I'm aware that this bug report is for Samba, not 
cups - but I'm somewhat sure that cups uses the same systemd libraries 
on startup.)

I have to admit that I'm only a cups user, but I'd be surprised if it 
really needs capability net_admin.


To find out if it's really needed or just "systemd noise", can you please 
explicitly deny net_admin and test if printing still works? To do this, 
add
    deny capability net_admin,
to /etc/apparmor.d/local/usr.sbin.cupsd. This will a) deny it and b) 
silence the logging. Then reload the profile with
    systemctl reload apparmor

I'd also recommend to
    aa-enforce cupsd
(in theory deny rules get enforced even in complain mode, but better 
safe than sorry)


If printing doesn't work with the deny rule added, please check whether it 
works if you allow the capability:
    capability net_admin,
(and remove the deny rule).



Note, since this bug includes two different AppArmor denials:
    capability sys_nice,
for cups-browsed is unrelated to what I wrote above. Please don't change 
your cups-browsed profile (= keep it in complain mode) while testing the 
deny rule in the cupsd profile.


Regards,

Christian Boltz
-- 
> check up on dusted up coolers / vents etc.
That is the first thing that I did, but I can't imagine that
the amount of dust is automatically changing with the kernel ?
[> David Haller and Raymond Wooninck in opensuse-factory]
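As an added example (not part of Christian's mail, and not shipped by the cups or apparmor packages), the following Python script does the triage step the mail describes by hand: it picks capability events out of AppArmor audit lines, counts DENIED (enforce mode) and ALLOWED (complain mode) events per profile and capability, and generates the `deny capability ...,` line for the matching file under /etc/apparmor.d/local/. The log lines, PIDs and timestamps are constructed for this example; the line format is the standard AppArmor kernel-log format. The script only prints candidates, so the sys_nice suggestion for cups-browsed is something to leave alone while the cupsd test is running, as the mail says.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (PIDs, timestamps and the /etc/foo path are
# invented for this example; the field layout is what AppArmor writes).
SAMPLE_LOG = """\
type=AVC msg=audit(1660765644.101:201): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=1234 comm="cupsd" capability=12  capname="net_admin"
type=AVC msg=audit(1660765644.102:202): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=1234 comm="cupsd" capability=12  capname="net_admin"
type=AVC msg=audit(1660765645.300:203): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cups-browsed" pid=1300 comm="cups-browsed" capability=23  capname="sys_nice"
type=AVC msg=audit(1660765646.500:204): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/foo" pid=1234 comm="cupsd" requested_mask="r" denied_mask="r"
"""

# Only capability events: operation="capable" with a capname field.
# "ALLOWED" is what a complain-mode profile logs instead of "DENIED".
LINE_RE = re.compile(
    r'apparmor="(?P<verdict>DENIED|ALLOWED)"\s+operation="capable".*?'
    r'profile="(?P<profile>[^"]+)".*?capname="(?P<capname>[^"]+)"'
)


def parse_capability_events(log_text):
    """Return {(profile, capname): {"DENIED": n, "ALLOWED": m}}."""
    counts = defaultdict(lambda: {"DENIED": 0, "ALLOWED": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # file, network and other operations are not capability events
        counts[(m["profile"], m["capname"])][m["verdict"]] += 1
    return dict(counts)


def local_override_path(profile):
    """Map a profile name such as /usr/sbin/cupsd to its local override file."""
    return "/etc/apparmor.d/local/" + profile.lstrip("/").replace("/", ".")


def suggest_test_rules(counts):
    """Per local override file, the deny rules for the 'is it really needed?' test."""
    suggestions = {}
    for (profile, capname), _ in counts.items():
        path = local_override_path(profile)
        suggestions.setdefault(path, []).append(f"deny capability {capname},")
    return suggestions


if __name__ == "__main__":
    counts = parse_capability_events(SAMPLE_LOG)
    for (profile, capname), c in sorted(counts.items()):
        print(f"{profile}: capability {capname} "
              f"(DENIED={c['DENIED']}, ALLOWED/complain={c['ALLOWED']})")
    for path, rules in suggest_test_rules(counts).items():
        print(f"\n# candidate lines for {path} (then: systemctl reload apparmor)")
        for rule in rules:
            print(f"    {rule}")
```

Feed it real lines with something like `journalctl -k | grep apparmor= | python3 triage.py` after changing the script to read stdin instead of SAMPLE_LOG; the regex is anchored on the field names, not on column positions, so `dmesg` and `journalctl -k` output both work.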
