* intrigeri <intrigeri@debian.org> [2017-11-28 09:18]:
Control: reassign -1 cups-daemon Control: tag -1 + moreinfo Control: user pkg-apparmor-team@lists.alioth.debian.org Control: usertags -1 + help-needed Hi, Nuno Oliveira:Enabling apparmor blocks the creation of PDF files with printer-driver-cups-pdf, since the output files are created in ~/PDF. Temporarily disabling the /etc/apparmor.d/usr.sbin.cupsd profile restores printing to pdf files.Thanks for your bug report! The usr.sbin.cupsd profile is supposed to run cups-pdf under a dedicated child profile (/usr/lib/cups/backend/cups-pdf) which does allow write access to ~/PDF, so this is a bug in the current implementation, not simply something that would have been forgotten. Could you please share the AppArmor denial logs? (https://wiki.debian.org/AppArmor/Debug) If you're not willing to do that, just let me know and I'll try to reproduce. Thanks in advance :) Cheers, -- intrigeri
Sure, Here's what I got with AppArmor enabled: type=AVC msg=audit(1511871104.395:10445): apparmor="DENIED" operation="mknod" profile="/usr/lib/cups/backend/cups-pdf" name="/home/host/nuno/PDF/me_host_nuno_PDF.pdf" pid=2095 comm="gs" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 type=SYSCALL msg=audit(1511871104.395:10445): arch=c000003e syscall=2 success=no exit=-13 a0=55e0520ced08 a1=242 a2=1b6 a3=240 items=0 ppid=2094 pid=2095 auid=4294967295 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4294967295 comm="gs" exe="/usr/bin/gs" key=(null) type=PROCTITLE msg=audit(1511871104.395:10445): proctitle=2F7573722F62696E2F6773002D71002D64436F6D7061746962696C6974794C6576656C3D312E34002D644E4F5041555345002D644241544348002D645341464552002D734445564943453D7064667772697465002D734F757470757446696C653D2F686F6D652F79756363612F6E756E6F2F5044462F6D655F79756363615F6E Thanks, Nuno.