X-Debbugs-CC: alteholz@debian.org till.kamppeter@gmail.com Hi, Any update on this patch? If allowed, I can offer a deferred NMU with this targeted bugfix. Thanks, Boyuan Yang On Sun, 30 Oct 2022 00:56:47 -0400 Boyuan Yang <byang@debian.org> wrote: > Control: tags -1 +patch > X-Debbugs-CC: alteholz@debian.org till.kamppeter@gmail.com > > Dear Debian cups-filters maintainers, > > On Tue, 06 Sep 2022 13:08:34 -0400 Boyuan Yang <byang@debian.org> wrote: > > Package: cups-browsed > > Version: 1.28.16-1 > > Severity: normal > > > > Dear Debian cups-filters packagers, > > > > On my current Debian/Sid system (as of Sep 2022), the syslog keeps > printing > > the following messages: > > > > kernel: audit: type=1400 audit(1662483939.030:193): apparmor="DENIED" > > operation="open" profile="/usr/sbin/cups-browsed" > > name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups- > browsed" > > requested_mask="r" denied_mask="r" fsuid=0 ouid=0 > > > > kernel: audit: type=1400 audit(1662483939.030:194): apparmor="DENIED" > > operation="open" profile="/usr/sbin/cups-browsed" > > name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups- > browsed" > > requested_mask="r" denied_mask="r" fsuid=0 ouid=0 > > > > audit[3336]: AVC apparmor="DENIED" operation="open" > profile="/usr/sbin/cups- > > browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 > > comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 > > > > audit[3336]: AVC apparmor="DENIED" operation="open" > profile="/usr/sbin/cups- > > browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 > > comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 > > > > > > > > These logs keeps spam my syslog. Please consider looking into it and > adjust > > AppArmor profile or cups-browsed program accordingly. > > Since cups-browsed only needs to read > /proc/sys/net/ipv6/conf/all/disable_ipv6 to determine whether ipv6 is > disabled, I believe this request should be allowed by AppArmor. > > As a result, I am attaching the following one-liner patch (see attachment). > Please consider applying it to avoid spamming syslog journal. > > > > --- a/debian/apparmor/usr.sbin.cups-browsed > +++ b/debian/apparmor/usr.sbin.cups-browsed > @@ -17,6 +17,9 @@ > /var/log/cups/* rw, > /tmp/** rw, > > + # Allow reading system ipv6 status > + /proc/sys/net/ipv6/conf/all/disable_ipv6 r, > + > # Courtesy to the Debian Edu team... > /etc/cups/cups-browsed-debian-edu.conf r, >
Attachment:
signature.asc
Description: This is a digitally signed message part