
Bug#1005813: debian-edu-config: apparmor blocks cups-browsed.conf from being read

Hi Debian Edu devs,

On Tue 15 Feb 2022 16:19:11 CET, Mike Gabriel wrote:

Package: debian-edu-config
Version: 2.12.16
Severity: important
Control: found -1 2.11.56+deb11u3

I debugged an issue in CUPS today where it seemed impossible to see any changes to /etc/cups/cups-browsed.conf (which is a symlink and points to /etc/cups/cups-browsed-debian-edu.conf) being applied when restarting the cups-browsed service.

The cause of the problem is apparmor and a missing white-list entry for /etc/cups/cups-browsed-debian-edu.conf.

I searched for other files being mentioned in apparmor config, being shipped under a different name in debian-edu-config, symlinked to the original filepath and possibly thus being blocked by apparmor:

/etc/apparmor.d/usr.sbin.named:  /etc/samba/smb.conf r,
/etc/apparmor.d/abstractions/winbind:  /etc/samba/smb.conf         r,
/etc/apparmor.d/usr.sbin.cups-browsed:  /etc/cups/cups-browsed.conf r,

This issue prevents our custom settings in /etc/cups/cups-browsed-debian-edu.conf from becoming effective on Debian Edu workstations and also on the mainserver. This needs to be adjusted for Debian Edu bullseye and testing/unstable.

I looked into possible ways of fixing this. Not all solutions are policy compliant.

Solution 1:
The cups-browsed.conf provides

  /etc/apparmor.d/usr.sbin.cups-browsed (containing apparmor profile)
  /etc/apparmor.d/local/usr.sbin.cups-browsed (empty file, included by the first)

So, one solution could be to have cf-agent append a line to /etc/apparmor.d/local/usr.sbin.cups-browsed, such as:

echo "/etc/cups/cups-browsed-debian-edu.conf r," >> /etc/apparmor.d/local/usr.sbin.cups-browsed

with a prior check if that line already exists in /etc/apparmor.d/local/usr.sbin.cups-browsed.

Solution 2:
Ask the cups src:pkg maintainers to add a line /etc/cups/cups-browsed-debian-edu.conf to their /etc/apparmor.d/usr.sbin.cups-browsed apparmor profile.

It would be good to get this in with the next cups bullseye-pu upload.

Solution 3:
Add a usr.sbin.cups-browsed-debian-edu apparmor profile to /etc/apparmor.d/ and disable cups-browsed's usr.sbin.cups-browsed apparmor profile during postinst of debian-edu-config.

Other suggestions??? I tend to go with Solution 1, as that's what we do at various other places, but it's also violating Debian policy strictly speaking (see debian-edu-config bug #311188).


c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
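
An added example, not part of the original mail and not debian-edu-config's own code: one way to do the "append only if the line is not already there" step from Solution 1 in plain shell. The function names are hypothetical, the rule uses the "<path> r," form seen in the shipped profile line quoted above, and reloading with apparmor_parser -r followed by a service restart is an assumption about how the change would be activated.

```shell
#!/bin/sh
# Added example: idempotent append to the local AppArmor override (Solution 1).
RULE='/etc/cups/cups-browsed-debian-edu.conf r,'
LOCAL_OVERRIDE='/etc/apparmor.d/local/usr.sbin.cups-browsed'
PROFILE='/etc/apparmor.d/usr.sbin.cups-browsed'

# rule_present FILE RULE (hypothetical helper): succeed if RULE is already an
# active line in FILE. Whitespace runs are collapsed, so a rule written with
# different spacing still matches; commented-out lines are ignored.
rule_present() {
    [ -f "$1" ] || return 1
    sed -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' \
        -e '/^#/d' "$1" | grep -Fxq -- "$2"
}

# ensure_rule FILE RULE (hypothetical helper): append RULE exactly once.
ensure_rule() {
    if rule_present "$1" "$2"; then
        return 0
    fi
    # If the file ends without a newline, add one first so the new rule
    # is not glued onto the previous line.
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n' >> "$1" || return 1
    fi
    printf '%s\n' "$2" >> "$1"
}

# apply_fix: edit the real override, then reload the profile and restart the
# service, but only when the rule was actually missing.
apply_fix() {
    if rule_present "$LOCAL_OVERRIDE" "$RULE"; then
        return 0
    fi
    ensure_rule "$LOCAL_OVERRIDE" "$RULE" &&
        apparmor_parser -r "$PROFILE" &&
        systemctl restart cups-browsed
}

# Nothing is changed unless the script is called with --apply (as root).
if [ "${1:-}" = "--apply" ]; then
    apply_fix
fi
```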
