Bug#990331: reportbug: cups-browsed printing fails due to apparmor config with message 'No destination host name supplied by cups-browsed for printer'

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#990331: reportbug: cups-browsed printing fails due to apparmor config with message 'No destination host name supplied by cups-browsed for printer'
From: Gabriel Kerneis <gabriel@kerneis.info>
Date: Fri, 25 Jun 2021 22:52:29 +0200
Message-id: <[🔎] 162465434912.242472.2462959827608251368.reportbug@wiyake.lan>
Reply-to: Gabriel Kerneis <gabriel@kerneis.info>, 990331@bugs.debian.org

Package: cups-browsed
Version: 1.28.7-1
Severity: important

Dear Maintainer,

I have a Brother printer configured per [1] using cups-browsed. It used
to work perfectly, but now fails to print with the same error message as
in #887495:
> No destination host name supplied by cups-browsed for printer "name", is cups-browsed running?
Note that #887495 is a catch-all without a root cause ever identified,
which is why I'm opening a more specific bug for this issue.

[1] https://wiki.debian.org/CUPSDriverlessPrinting 

The cause of my issue lies is app armor config. I noticed the following
lines in the logs:

juin 22 16:42:55 wiyake audit[638]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed" pid=638 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=636 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=636 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=636 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[766]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=766 comm="cupsd" capability=12  capname="net_admin"
juin 22 16:42:55 wiyake audit[782]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=782 comm="cups-browsed" capability=23  capname="sys_nice"
juin 22 16:44:21 wiyake audit[2615]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=2615 comm="cupsd" capability=12  capname="net_admin"
juin 22 16:44:21 wiyake audit[2618]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=2618 comm="cups-browsed" capability=23  capname="sys_nice"

net_admin sounded suspicious, since the error message mentionned a host
name.

I then tried the following workaround, originally found for Ubuntu [2]:

# apt install apparmor-utils
# aa-complain cupsd-browsed
# systemctl restart cups-browsed

[2] https://askubuntu.com/questions/645636/apparmor-with-cupsd-denied-in-logs 

It resolved my issue, and my printer immediately started printing the
jobs in the queue. The logs now show:

juin 25 22:23:06 wiyake audit[221791]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cups-browsed" pid=221791 comm="apparmor_parser"
juin 25 22:24:40 wiyake audit[222966]: AVC apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cups-browsed" pid=222966 comm="cups-browsed" capability=23  capname="sys_nice"

I'm not sure what exactly needs to be updated in the apparmor config to
fix this issue. Note that #988764 is also about apparmor issues, but is
marked minor and doesn't seem to block printing. My issue yields to a
complete impossibility to print (at least in my use case).

I'd be happy to test any fix you could provide.

Thanks!

Gabriel

-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-7-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-browsed depends on:
ii  cups-daemon          2.3.3op2-3+deb11u1
ii  init-system-helpers  1.60
ii  libavahi-client3     0.8-5
ii  libavahi-common3     0.8-5
ii  libavahi-glib1       0.8-5
ii  libc6                2.31-12
ii  libcups2             2.3.3op2-3+deb11u1
ii  libcupsfilters1      1.28.7-1
ii  libglib2.0-0         2.66.8-1
ii  libldap-2.4-2        2.4.57+dfsg-3
ii  lsb-base             11.1.0

Versions of packages cups-browsed recommends:
ii  avahi-daemon  0.8-5

cups-browsed suggests no packages.

-- Configuration Files:
/etc/apparmor.d/usr.sbin.cups-browsed changed:
/usr/sbin/cups-browsed flags=(attach_disconnected, complain) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/cups-client>
  #include <abstractions/dbus>
  #include <abstractions/p11-kit>
  /etc/cups/cups-browsed.conf r,
  /etc/cups/lpoptions r,
  /etc/cups/ppd/* r,
  /{var/,}run/cups/certs/* r,
  /var/cache/cups/* rw,
  /var/log/cups/* rw,
  /tmp/** rw,
  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.sbin.cups-browsed>
}


-- no debconf information

Reply to:

Prev by Date: Bug#990210: printer-driver-cups-pdf: produces empty output with gs exit 256, gs from log works
Next by Date: HP ScanJet Pro 3500 f1 Flatbed Scanner and Debian
Previous by thread: Bug#990210: printer-driver-cups-pdf: produces empty output with gs exit 256, gs from log works
Next by thread: HP ScanJet Pro 3500 f1 Flatbed Scanner and Debian
Index(es):
- Date
- Thread