Control: tags -1 +patch
X-Debbugs-CC: alteholz@debian.org till.kamppeter@gmail.com

Dear Debian cups-filters maintainers,

On Tue, 06 Sep 2022 13:08:34 -0400 Boyuan Yang <byang@debian.org> wrote:
> Package: cups-browsed
> Version: 1.28.16-1
> Severity: normal
>
> Dear Debian cups-filters packagers,
>
> On my current Debian/Sid system (as of Sep 2022), the syslog keeps printing
> the following messages:
>
> kernel: audit: type=1400 audit(1662483939.030:193): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> kernel: audit: type=1400 audit(1662483939.030:194): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> audit[3336]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> audit[3336]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
>
> These logs keep spamming my syslog. Please consider looking into it and
> adjusting the AppArmor profile or cups-browsed program accordingly.

Since cups-browsed only needs to read /proc/sys/net/ipv6/conf/all/disable_ipv6
to determine whether IPv6 is disabled, I believe this request should be allowed
by AppArmor. As a result, I am attaching the following one-liner patch (see
attachment). Please consider applying it to avoid spamming the syslog journal.

--- a/debian/apparmor/usr.sbin.cups-browsed +++ b/debian/apparmor/usr.sbin.cups-browsed
@@ -17,6 +17,9 @@ /var/log/cups/* rw, /tmp/** rw, + # Allow reading system ipv6 status + /proc/sys/net/ipv6/conf/all/disable_ipv6 r, + # Courtesy to the Debian Edu team... /etc/cups/cups-browsed-debian-edu.conf r,

It would be really beneficial if this fix could enter the upcoming Debian 12.
Please let me know if you have any questions.

Thanks!

Best Regards,
Boyuan Yang
From c257243882c2f6ab3ceaea7ec99a462f53fb0e1c Mon Sep 17 00:00:00 2001 From: Boyuan Yang <byang@debian.org> Date: Sun, 30 Oct 2022 00:50:55 -0400 Subject: [PATCH] debian/apparmor/: Allow reading disable_ipv6 file under /proc Otherwise syslog is spammed by repeated AppArmor denial: apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=61278 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 This patch would Closes: #1019270. --- debian/apparmor/usr.sbin.cups-browsed | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/apparmor/usr.sbin.cups-browsed b/debian/apparmor/usr.sbin.cups-browsed index 9c2dbff..cab1cd0 100644 --- a/debian/apparmor/usr.sbin.cups-browsed +++ b/debian/apparmor/usr.sbin.cups-browsed @@ -17,6 +17,9 @@ /var/log/cups/* rw, /tmp/** rw, + # Allow reading system ipv6 status + /proc/sys/net/ipv6/conf/all/disable_ipv6 r, + # Courtesy to the Debian Edu team... /etc/cups/cups-browsed-debian-edu.conf r, -- 2.37.2
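Review bot: the added rule in the @@ -17,6 +17,9 @@ hunk hard-codes the /proc prefix; if this profile includes tunables/global (not visible in the hunk), writing it as "@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r," would follow the usual AppArmor convention for proc paths. The grant itself is appropriately narrow: a single file with "r" only, which matches the requested_mask="r" in the denial quoted in the commit message. The comment "# Allow reading system ipv6 status" could also say why the read is needed (cups-browsed checks whether IPv6 is disabled), so the rule is not later mistaken for a leftover.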
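A way to triage denials like the ones quoted in this thread before writing a profile rule, as an added example that is not part of the original messages or of the cups-filters packaging: it parses both record shapes seen above, collapses the repeats, and lists the rule each distinct file denial would need, for a human to review. The sample log and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the two record shapes quoted in the report (wrapped
# lines rejoined), plus an ALLOWED record and an unrelated line as noise.
SAMPLE_LOG = """\
kernel: audit: type=1400 audit(1662483939.030:193): apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[3336]: AVC apparmor="DENIED" operation="open" profile="/usr/sbin/cups-browsed" name="/proc/sys/net/ipv6/conf/all/disable_ipv6" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit[3336]: AVC apparmor="ALLOWED" operation="open" profile="/usr/sbin/cups-browsed" name="/tmp/constructed" pid=3336 comm="cups-browsed" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
systemd[1]: Started constructed.service
"""

# Matches key="quoted value" or key=bare-value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(text):
    """Return one dict of audit fields per AppArmor DENIED record."""
    records = []
    for line in text.splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in FIELD.finditer(line)}
        if fields.get("apparmor") == "DENIED":
            records.append(fields)
    return records

def summarize(text):
    """Count file denials per (profile, path, denied_mask).

    Records without an absolute path in name= (capability denials, names
    that audit hex-encoded) are skipped rather than guessed at.
    """
    return Counter(
        (r["profile"], r["name"], r["denied_mask"])
        for r in parse_denials(text)
        if r.get("name", "").startswith("/") and "profile" in r and "denied_mask" in r
    )

def candidate_rules(text):
    """Map each profile to the distinct rules its denials would need."""
    rules = {}
    for profile, path, mask in sorted(summarize(text)):
        rules.setdefault(profile, []).append(f"{path} {mask},")
    return rules

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).items():
        print(count, *key)
    print(candidate_rules(SAMPLE_LOG))
```

The output is a review aid only: whether a denied access should be allowed, as argued for disable_ipv6 in this thread, is still a judgement about what the confined program legitimately needs.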