Bug#872817: [pkg-apparmor] Bug#872817: cups-daemon: apparmor DENIED
- To: gregor herrmann <gregoa@debian.org>
- Cc: 872817@bugs.debian.org
- Subject: Bug#872817: [pkg-apparmor] Bug#872817: cups-daemon: apparmor DENIED
- From: intrigeri <intrigeri@debian.org>
- Date: Sun, 03 Sep 2017 12:40:36 +0200
- Message-id: <85k21goyjf.fsf@boum.org>
- Reply-to: intrigeri <intrigeri@debian.org>, 872817@bugs.debian.org
- In-reply-to: <150332721209.1488.11856688213382425660.reportbug@jadzia.comodo.priv.at> (gregor herrmann's message of "Mon, 21 Aug 2017 16:53:32 +0200")
- References: <150332721209.1488.11856688213382425660.reportbug@jadzia.comodo.priv.at> <150332721209.1488.11856688213382425660.reportbug@jadzia.comodo.priv.at>
Control: tag -1 + patch
Hi,
gregor herrmann:
> apparmor newbie here.
Thanks for trying AppArmor :)
> Without doing anything printer-related, aa-notify informed me about
> an apparmor problem with cupsd; syslog says:
> Aug 21 16:40:22 jadzia kernel: [95510.664500] audit: type=1400
> audit(1503326422.923:230): apparmor="DENIED" operation="capable"
> profile="/usr/sbin/cupsd" pid=21581 comm="cupsd" capability=2
> capname="dac_read_search"
Thanks! I cannot reproduce this myself, but I'm not surprised: I've
seen profiles that allowed dac_override start needing dac_read_search,
presumably due to a change in libc or similar.
The attached (git format-)patch should fix this problem.
Cheers,
--
intrigeri
From 43e89c29979d25e7757081b3eb5d1eb619f05d2f Mon Sep 17 00:00:00 2001
From: intrigeri <intrigeri@debian.org>
Date: Sun, 3 Sep 2017 10:39:12 +0000
Subject: [PATCH] AppArmor: allow dac_read_search, now needed on top of
dac_override (Closes: #872817).
---
debian/local/apparmor-profile | 1 +
1 file changed, 1 insertion(+)
diff --git a/debian/local/apparmor-profile b/debian/local/apparmor-profile
index 13c2940d2..053d1c1ff 100644
--- a/debian/local/apparmor-profile
+++ b/debian/local/apparmor-profile
@@ -32,6 +32,7 @@
# lot of files to 'lp' which it cannot read/write afterwards any
# more
capability dac_override,
+ capability dac_read_search,
# the bluetooth backend needs this
network bluetooth,
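Review bot: The added `capability dac_read_search,` line carries no comment of its own, so it reads as covered by the existing comment above `capability dac_override,` (files given to 'lp' that cupsd cannot read/write afterwards), which explains only the override case. The commit message says just "now needed on top of dac_override" without naming the operation that triggers the check. I would add a one-line comment above the new rule recording that the denial was logged as operation="capable" for profile /usr/sbin/cupsd in #872817 and that the root cause is not yet identified, so a later reader can tell whether the rule is still needed.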
--
2.14.1
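The triage step behind this patch, as an added example that is not part of the original message or of the cups packaging: it parses AppArmor `DENIED` audit lines for `operation="capable"` and reports which `capability` rules a profile lacks. The function names are hypothetical, and the sample log and profile excerpt are constructed from the lines quoted above.

```python
import re

# Constructed sample: the denial quoted in the report, joined onto one line.
SAMPLE_LOG = (
    'Aug 21 16:40:22 jadzia kernel: [95510.664500] audit: type=1400 '
    'audit(1503326422.923:230): apparmor="DENIED" operation="capable" '
    'profile="/usr/sbin/cupsd" pid=21581 comm="cupsd" capability=2 '
    'capname="dac_read_search"\n'
)
# Constructed sample: pre-patch profile excerpt built from the hunk's context lines.
SAMPLE_PROFILE = """\
  capability dac_override,
  # the bluetooth backend needs this
  network bluetooth,
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Matches "capability a b," and "audit capability a,"; "deny" rules and comments do not match.
CAP_RULE = re.compile(r'^\s*(?:audit\s+)?capability\b([^,#]*),')


def parse_audit(line):
    """Return the key=value fields of one audit line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def allowed_capabilities(profile_text):
    """Collect capability names the profile allows; '*' stands for a bare 'capability,'."""
    caps = set()
    for line in profile_text.splitlines():
        m = CAP_RULE.match(line)
        if m:
            caps.update(m.group(1).split() or ['*'])
    return caps


def missing_capability_rules(log_text, profile_text, profile_name):
    """Return the profile rules needed to cover the denied capabilities in the log."""
    allowed = allowed_capabilities(profile_text)
    missing = set()
    for line in log_text.splitlines():
        rec = parse_audit(line)
        cap = rec.get('capname')
        if (rec.get('apparmor') == 'DENIED' and rec.get('operation') == 'capable'
                and rec.get('profile') == profile_name and cap
                and '*' not in allowed and cap not in allowed):
            missing.add(cap)
    return sorted(f'capability {c},' for c in missing)


if __name__ == '__main__':
    print(missing_capability_rules(SAMPLE_LOG, SAMPLE_PROFILE, '/usr/sbin/cupsd'))
```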