Bug#980974: apparmor blocks cups backend outgoing network connections

To: Chris Bainbridge <chris.bainbridge@gmail.com>, 980974@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Bug#980974: apparmor blocks cups backend outgoing network connections
From: Brian Potkin <claremont102@gmail.com>
Date: Mon, 25 Jan 2021 23:21:20 +0000
Message-id: <[🔎] 25012021231101.69713d33a23a@desktop.copernicus.org.uk>
Reply-to: Brian Potkin <claremont102@gmail.com>, 980974@bugs.debian.org
In-reply-to: <[🔎] CAP-bSRYSPUUvzXben2CQkopnne9nDDgXrVX8kqh=HPKT8mUsYA@mail.gmail.com>
References: <[🔎] CAP-bSRYSPUUvzXben2CQkopnne9nDDgXrVX8kqh=HPKT8mUsYA@mail.gmail.com> <[🔎] CAP-bSRYSPUUvzXben2CQkopnne9nDDgXrVX8kqh=HPKT8mUsYA@mail.gmail.com>

user pkg-apparmor-team@lists.alioth.debian.org
usertags #980974 help-needed
thanks



On Sun 24 Jan 2021 at 22:53:00 +0000, Chris Bainbridge wrote:

> Package: cups
> Version: 2.3.3op1-7
> 
> After upgrading to bullseye, TCP connections from cupsd to localhost
> appeared to be blocked:
> 
> Jan 23 23:39:29 debian audit[2172]: AVC apparmor="DENIED"
> operation="capable" profile="/usr/sbin/cupsd" pid=2172 comm="cupsd"
> capability=12  capname="net_admin"
> Jan 23 23:39:29 debian systemd[1]: Started CUPS Scheduler.
> Jan 23 23:39:29 debian kernel: kauditd_printk_skb: 10 callbacks suppressed
> Jan 23 23:39:29 debian kernel: audit: type=1400 audit(1611445169.589:22):
> apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=2172
> comm="cupsd" capability=12>
> Jan 23 23:39:29 debian systemd[1]: Started Make remote CUPS printers
> available locally.
> Jan 23 23:39:29 debian audit[2174]: AVC apparmor="DENIED"
> operation="capable" profile="/usr/sbin/cups-browsed" pid=2174
> comm="cups-browsed" capability=23  capname="sys_nice"
> 
> I worked around this with `aa-complain cupsd`, `aa-complain cups-browsed`,
> but I would guess that this should work without modifications, unless this
> (TCP connections from cupsd to backend driver) is considered non-standard
> usage?

Triaging this report, Chris, but my knowledge of apparmor is very
limited. However, I have a minimal unstable installation (base
system plus only cups) and can reproduce this behaviour. The last
line (but not the first) disappears when cups-browsed is purged.

Regards,

Brian/

Reply to:

References:
- Bug#980974: apparmor blocks cups backend outgoing network connections
  - From: Chris Bainbridge <chris.bainbridge@gmail.com>

Prev by Date: Bug#980973: Cups attempts to probe, configure unsupported Canon USB printers
Next by Date: Bug#980973: Cups attempts to probe, configure unsupported Canon USB printers
Previous by thread: Bug#980974: apparmor blocks cups backend outgoing network connections
Next by thread: Bug#980975: cups error: Failed to create /var/spool/cups/tmp/.hplip
Index(es):
- Date
- Thread