Hi Debian Edu devs,

On Tue 15 Feb 2022 16:19:11 CET, Mike Gabriel wrote:

> Package: debian-edu-config
> Version: 2.12.16
> Severity: important
> Control: found -1 2.11.56+deb11u3
>
> I debugged an issue in CUPS today where it seemed impossible to see any changes to /etc/cups/cups-browsed.conf (which is a symlink and points to /etc/cups/cups-browsed-debian-edu.conf) being applied when restarting the cups-browsed service.
>
> Cause of the problem is apparmor and a missing white-list entry for /etc/cups/cups-browsed-debian-edu.conf.
>
> I searched for other files being mentioned in apparmor config, being shipped under a different name in debian-edu-config, symlinked to the original filepath and possibly thus being blocked by apparmor:
>
>   /etc/apparmor.d/usr.sbin.named: /etc/samba/smb.conf r,
>   /etc/apparmor.d/abstractions/winbind: /etc/samba/smb.conf r,
>   /etc/apparmor.d/usr.sbin.cups-browsed: /etc/cups/cups-browsed.conf r,
>
> This issue prevents our custom settings in /etc/cups/cups-browsed-debian-edu.conf from becoming effective on Debian Edu workstations and also on the mainserver. This needs to be adjusted for Debian Edu bullseye and testing/unstable.

I looked into possible ways of fixing this. Not all solutions are policy compliant.

Solution 1:
-----------

The cups-browsed.conf provides

  /etc/apparmor.d/usr.sbin.cups-browsed (containing apparmor profile)
  /etc/apparmor.d/local/usr.sbin.cups-browsed (empty file, included by the first)

So, one solution could be to have cf-agent append a line to /etc/apparmor.d/local/usr.sbin.cups-browsed, such as:

    echo "/etc/cups/cups-browsed-debian-edu.conf r," >> /etc/apparmor.d/local/usr.sbin.cups-browsed

with a prior check if that line already exists in /etc/apparmor.d/local/usr.sbin.cups-browsed.

Solution 2:
-----------

Ask the cups src:pkg maintainers to add a line /etc/cups/cups-browsed-debian-edu.conf to their /etc/apparmor.d/usr.sbin.cups-browsed apparmor profile.

It would be good to get this in with the next cups bullseye-pu upload.

Solution 3:
-----------

Add a usr.sbin.cups-browsed-debian-edu apparmor profile to /etc/apparmor.d/ and disable cups-browsed's usr.sbin.cups-browsed apparmor profile during postinst of debian-edu-config.

Other suggestions???

I tend to go with Solution 1, as that's what we do at various other places, but it's also violating Debian policy strictly speaking (see debian-edu-config bug #311188).

Mike

-- 
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
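
The "append with a prior check" step from Solution 1, written out as an added example; it is not part of the original mail and not debian-edu-config's cf-agent code. The function names are hypothetical, and the ` r,` permission is an assumption that mirrors the existing `/etc/cups/cups-browsed.conf r,` rule quoted in the bug report.

```shell
#!/bin/sh
# Added example (not from debian-edu-config): idempotently add a file rule
# to an AppArmor local override and reload the profile only on change.

# ensure_rule FILE RULE
# Prints "added" if RULE was appended, "present" if an identical rule
# (ignoring leading/trailing whitespace) already exists in FILE.
ensure_rule() {
    file=$1
    rule=$2
    [ -e "$file" ] || : > "$file"
    # Whole-line comparison, so a rule for a longer path that merely
    # contains this one as a substring does not count as a match.
    if awk -v r="$rule" '
            { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
            $0 == r { found = 1 }
            END { exit !found }' "$file"; then
        echo present
        return 0
    fi
    # If the file lacks a trailing newline, add one first so the new
    # rule is not glued onto the previous line.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$rule" >> "$file"
    echo added
}

# apply_override (hypothetical helper): paths are the ones named in the mail.
apply_override() {
    local_file=/etc/apparmor.d/local/usr.sbin.cups-browsed
    profile=/etc/apparmor.d/usr.sbin.cups-browsed
    rule='/etc/cups/cups-browsed-debian-edu.conf r,'   # assumed read-only rule
    if [ "$(ensure_rule "$local_file" "$rule")" = "added" ]; then
        # Reload the parent profile, which includes the local override.
        apparmor_parser -r "$profile"
    fi
}

# Only touch the system when asked explicitly: sh script.sh --apply (as root)
if [ "${1:-}" = "--apply" ]; then
    apply_override
fi
```

Repeated runs leave exactly one copy of the rule in the local override, so the profile is reloaded only on the run that actually changes the file.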