
Bug#988764: marked as done (cups-browsed: apparmor blocks access to /usr/share/{cups/,}/locale)



Your message dated Tue, 24 Aug 2021 13:48:35 +0000
with message-id <E1mIWn5-000BW9-1C@fasolo.debian.org>
and subject line Bug#988764: fixed in cups-filters 1.28.10-1
has caused the Debian Bug report #988764,
regarding cups-browsed: apparmor blocks access to /usr/share/{cups/,}/locale
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988764
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: cups-browsed
Version: 1.28.7-1
Severity: normal
Tags: patch

With CUPS on buster and bullseye I see these messages in /var/log/syslog:

May 19 12:26:12 server03 kernel: [4563725.605605] audit: type=1400 audit(1621419972.056:193): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/usr/share/cups/locale/" pid=17771 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 19 12:26:12 server03 kernel: [4563725.606138] audit: type=1400 audit(1621419972.056:194): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/usr/share/locale/" pid=17771 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 19 12:27:08 server03 systemd[1]: cups-browsed.service: Succeeded.


These error messages / folder access blocks can be amended by this change in /etc/apparmor.d/usr.sbin.cups-browsed:

```
diff --git a/apparmor.d/usr.sbin.cups-browsed b/apparmor.d/usr.sbin.cups-browsed
index 4cf9301..cb78f2d 100644
--- a/apparmor.d/usr.sbin.cups-browsed
+++ b/apparmor.d/usr.sbin.cups-browsed
@@ -10,6 +10,8 @@
   /etc/cups/cups-browsed.conf r,
   /etc/cups/lpoptions r,
   /etc/cups/ppd/* r,
+  /usr/share/cups/locale/ r,
+  /usr/share/locale/ r,
   /{var/,}run/cups/certs/* r,
   /var/cache/cups/* rw,
   /var/log/cups/* rw,
```
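
Review bot: the two added rules, `/usr/share/cups/locale/ r,` and `/usr/share/locale/ r,`, end in a trailing slash, so they grant read access to the directories themselves and to nothing beneath them. That matches the two logged denials, whose name fields both end in "/", and keeps the grant minimal; if cups-browsed later logs denials for files under these directories, they need their own rules rather than a widening of these. As a style point, the pair could be a single `/usr/share/{cups/,}locale/ r,` line, matching the brace alternation the profile already uses in `/{var/,}run/cups/certs/* r,`.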

Greets,
Mike
--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de



--- End Message ---
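
Added example, not part of the original report or of the cups-filters packaging: a Python sketch that reads AppArmor DENIED audit records like the two quoted in the report and derives the narrowest file rule for each denied path, grouped by profile. The sample lines are constructed in the shape of the report's syslog excerpt, and the function names are this example's own.

```python
import re
from collections import defaultdict

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key="quoted" or key=bare

def parse_denials(log_text):
    """Yield one dict per AppArmor DENIED audit record; skip other lines."""
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' in line:
            yield {k: q or b for k, q, b in KV.findall(line)}

def suggest_rules(log_text):
    """Map each profile to the minimal file rules covering its denials."""
    perms = defaultdict(set)
    for rec in parse_denials(log_text):
        mask = rec.get("denied_mask", "")
        if "name" not in rec or not mask or "x" in mask:
            continue  # no path, or exec: needs a human-chosen ix/px/cx mode
        # The kernel logs create/delete as c/d; a profile grants both via w.
        perms[(rec["profile"], rec["name"])].update(
            mask.replace("c", "w").replace("d", "w"))
    rules = defaultdict(list)
    for (profile, path), p in sorted(perms.items()):
        # Path is kept verbatim: "/dir/" grants listing the directory only,
        # not reading files below it, so nothing is widened to /dir/**.
        rules[profile].append(f'{path} {"".join(c for c in "rwaklm" if c in p)},')
    return dict(rules)

# Constructed sample: two denials shaped like the report's, one repeat to
# show de-duplication, and one unrelated systemd line that must be ignored.
_DENIAL = ('May 19 12:26:12 server03 kernel: [4563725.605605] audit: type=1400 '
           'audit(1621419972.056:{0}): apparmor="DENIED" operation="open" '
           'profile="/usr/sbin/cups-browsed" name="{1}" pid=17771 '
           'comm="cups-browsed" requested_mask="r" denied_mask="r" '
           'fsuid=0 ouid=0')
SAMPLE_LOG = "\n".join([
    _DENIAL.format(193, "/usr/share/cups/locale/"),
    _DENIAL.format(194, "/usr/share/locale/"),
    _DENIAL.format(195, "/usr/share/cups/locale/"),
    "May 19 12:27:08 server03 systemd[1]: cups-browsed.service: Succeeded.",
])

if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        print("\n".join(f"  {r}" for r in lines))
```

Exec denials are skipped on purpose, because the transition mode for an executable is a policy decision the log cannot make.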
--- Begin Message ---
Source: cups-filters
Source-Version: 1.28.10-1
Done: Didier Raboud <odyx@debian.org>

We believe that the bug you reported is fixed in the latest version of
cups-filters, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 988764@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Didier Raboud <odyx@debian.org> (supplier of updated cups-filters package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 24 Aug 2021 15:25:58 +0200
Source: cups-filters
Architecture: source
Version: 1.28.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Printing Team <debian-printing@lists.debian.org>
Changed-By: Didier Raboud <odyx@debian.org>
Closes: 988434 988764 989306
Changes:
 cups-filters (1.28.10-1) unstable; urgency=low
 .
   * New 1.28.10 upstream version
     - Stop installing ttfread, not built anymore
   * Packaging cleanup:
     - Redo get-orig-source d/rules target
     - Run wrap-and-sort -baskt
     - Upgrade to S-V 4.6.0 without changes needed
 .
 cups-filters (1.28.9-1) experimental; urgency=medium
 .
   * New 1.28.9 upstream version
   * Only install /etc/modules-load.d/cups-filters.conf on
     amd64 i386 mips64el mipsel alpha hppa ia64 sparc64 (Closes: #989306)
 .
 cups-filters (1.28.8-3) experimental; urgency=medium
 .
   [ Mike Gabriel ]
   * Apparmor: allow read-access to /usr/share/{,cups/}locale (Closes: #988764)
 .
 cups-filters (1.28.8-2) experimental; urgency=low
 .
   [ Sergio Durigan Junior ]
   * Backport upstream patch to circumvent conflict with upcoming OpenLDAP 2.5:
     cups-browsed: Renamed ldap_connect() due to conflict in new openldap
     (Closes: #988434)
 .
 cups-filters (1.28.8-1) experimental; urgency=low
 .
   * New 1.28.8 upstream release

--- End Message ---
