[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#872817: [pkg-apparmor] Bug#872817: cups-daemon: apparmor DENIED

Control: tag -1 + patch

Hi,

gregor herrmann:
> apparmor newbie here.

Thanks for trying AppArmor :)

> Without doing anything printer-related, aa-notify informed me about
> an apparmor problem with cupsd; syslog says:

> Aug 21 16:40:22 jadzia kernel: [95510.664500] audit: type=1400
> audit(1503326422.923:230): apparmor="DENIED" operation="capable"
> profile="/usr/sbin/cupsd" pid=21581 comm="cupsd" capability=2
> capname="dac_read_search"

Thanks! I cannot reproduce this myself, but I'm not surprised: I've
seen profiles that allowed dac_override start needing dac_read_search,
presumably due to a change in libc or similar.

The attached (git format-)patch should fix this problem.

Cheers,
-- 
intrigeri


>From 43e89c29979d25e7757081b3eb5d1eb619f05d2f Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@debian.org>
Date: Sun, 3 Sep 2017 10:39:12 +0000
Subject: [PATCH] AppArmor: allow dac_read_search, now needed on top of
 dac_override (Closes: #872817).

---
 debian/local/apparmor-profile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/local/apparmor-profile b/debian/local/apparmor-profile
index 13c2940d2..053d1c1ff 100644
--- a/debian/local/apparmor-profile
+++ b/debian/local/apparmor-profile
@@ -32,6 +32,7 @@
   # lot of files to 'lp' which it cannot read/write afterwards any
   # more
   capability dac_override,
+  capability dac_read_search,
 
   # the bluetooth backend needs this
   network bluetooth,
-- 
2.14.1
Reply to: