Ooops. Ignore the previous post. Those were the wrong instructions.
These are the correct ones:


1. Install fresh copy of Ubuntu.

2. Install printer-driver-cups-pdf.

3. Change cups-pdf's output directory in /etc/cups/cups-pdf.conf to some
directory outside of the user's home directory, and that the user has
write access to that directory's parent.

4. Make sure the directory defined in step 3 does not exist.

5. Attempt to print using CUPS PDF.

6. Notice the DENIED error in dmesg, and the directory defined in step 3
still does not exist.

6. Notice that cups-pdf lacks an apparmor profile of it's own and is
stored alongside the cupsd profile in /etc/apparmor.d

7. Notice that unlike cupsd, cups-pdf's profile does not have an include
statement for local profile modifications in /etc/apparmor.d/local

8. Attempt to change the default profile for cups-pdf anyway, reload the
new default profile, and try to print again.

9. Find your pdf in the directory defined in step 3.

10. Wait until the cups package is updated again. (Accept the maintainer
version of /etc/apparmor.d/usr.sbin.cupsd when asked.)

11. Notice your changes to the default profile have been wiped out by
the update, and you can no longer print using CUPS PDF if the directory
defined in step 3 is moved or deleted.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cups in Ubuntu.
https://bugs.launchpad.net/bugs/1698693

Title:
  cups-pdf blocked by apparmor

Status in cups package in Ubuntu:
  Incomplete

Bug description:
  cups-pdf cannot create the ~/PDF directory if it does not exist and
  fails with no indication to the user.

  It should however be pointed out that cups-pdf allows the system
  administrator to change it's output directory by changing the Out key
  in /etc/cups/cups-pdf.conf. As such apparmor will get in the way again
  if the admin changes the Out key to some other location outside of the
  ${HOME}/PDF directory. (It's default setting.)

  cups-pdf also does not have an #include for using local overrides in
  it's apparmor config. As such any fixes that the local admin makes
  will be overwritten by the next update to the cups package, breaking
  it again.

  
  Description:  Ubuntu 16.04.2 LTS
  Release:      16.04

  printer-driver-cups-pdf:
    Installed: 2.6.1-21
    Candidate: 2.6.1-21
    Version table:
   *** 2.6.1-21 500
          500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
          100 /var/lib/dpkg/status

  cups:
    Installed: 2.1.3-4
    Candidate: 2.1.3-4
    Version table:
   *** 2.1.3-4 500
          500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
          100 /var/lib/dpkg/status

  What happened:
  cups-pdf when installed for the first time fails with the following apparmor 
denials:

  [ 6117.686934] audit: type=1400 audit(1497816878.998:1079): apparmor="DENIED" 
operation="file_inherit" profile="/usr/lib/cups/backend/cups-pdf" pid=6015 
comm="cups-pdf" family="unix" sock_type="stream" protocol=0 
requested_mask="send receive" denied_mask="send receive" addr=none 
peer_addr=none peer="/usr/sbin/cupsd"
  [ 6117.686948] audit: type=1400 audit(1497816878.998:1080): apparmor="DENIED" 
operation="file_inherit" profile="/usr/sbin/cupsd" pid=6015 comm="cups-pdf" 
family="unix" sock_type="stream" protocol=0 requested_mask="send receive" 
denied_mask="send receive" addr=none peer_addr=none 
peer="/usr/lib/cups/backend/cups-pdf"
  [ 6117.688671] audit: type=1400 audit(1497816879.002:1081): apparmor="DENIED" 
operation="open" profile="/usr/lib/cups/backend/cups-pdf" 
name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
  [ 6117.688688] audit: type=1400 audit(1497816879.002:1082): apparmor="DENIED" 
operation="open" profile="/usr/lib/cups/backend/cups-pdf" 
name="/var/lib/sss/mc/initgroups" pid=6015 comm="cups-pdf" requested_mask="r" 
denied_mask="r" fsuid=0 ouid=0
  [ 6117.689719] audit: type=1400 audit(1497816879.002:1083): apparmor="DENIED" 
operation="mkdir" profile="/usr/lib/cups/backend/cups-pdf" 
name="/home/CODENET.LOCAL/codebase/PDF/" pid=6015 comm="cups-pdf" 
requested_mask="c" denied_mask="c" fsuid=0 ouid=0

  
  What I expected to happen:
  cups-pdf creates the pdf file it was supposed to.

  
  As a workaround, I set cups-pdf to use the third-party settings from the cups 
profile, then it worked as expected.
  --- 
  ProblemType: Bug
  ApportVersion: 2.20.9-0ubuntu7.2
  Architecture: amd64
  CupsErrorLog: Error: [Errno 13] Permission denied: '/var/log/cups/error_log'
  CurrentDesktop: MATE
  DistroRelease: Ubuntu 18.04
  InstallationDate: Installed on 2017-11-24 (281 days ago)
  InstallationMedia: Ubuntu-MATE 17.10 "Artful Aardvark" - Release amd64 
(20171018)
  Lpstat:
   device for EPSONET-4550: 
ipp://call.codenet.local:631/printers/EPSON_ET-4550_Series
   device for PDF: cups-pdf:/
  MachineType: Gigabyte Technology Co., Ltd. A320M-S2H
  NonfreeKernelModules: nvidia_modeset nvidia
  Package: cups 2.2.7-1ubuntu2.1
  PackageArchitecture: amd64
  Papersize: letter
  PpdFiles: Error: command ['fgrep', '-H', '*NickName', 
'/etc/cups/ppd/PDF.ppd'] failed with exit code 2: grep: /etc/cups/ppd/PDF.ppd: 
Permission denied
  ProcCmdline: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic 
root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal 
quiet splash
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.15.0-33-generic 
root=UUID=b719b98c-6702-467b-bad1-38f7ecaed813 ro video=vesafb:off vga=normal 
quiet splash
  ProcVersionSignature: Ubuntu 4.15.0-33.36-generic 4.15.18
  Tags:  bionic apparmor apparmor apparmor apparmor
  Uname: Linux 4.15.0-33-generic x86_64
  UpgradeStatus: Upgraded to bionic on 2018-05-20 (104 days ago)
  UserGroups:
   
  _MarkForUpload: True
  dmi.bios.date: 02/08/2018
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: F21
  dmi.board.asset.tag: Default string
  dmi.board.name: A320M-S2H-CF
  dmi.board.vendor: Gigabyte Technology Co., Ltd.
  dmi.board.version: x.x
  dmi.chassis.asset.tag: Default string
  dmi.chassis.type: 3
  dmi.chassis.vendor: Default string
  dmi.chassis.version: Default string
  dmi.modalias: 
dmi:bvnAmericanMegatrendsInc.:bvrF21:bd02/08/2018:svnGigabyteTechnologyCo.,Ltd.:pnA320M-S2H:pvrDefaultstring:rvnGigabyteTechnologyCo.,Ltd.:rnA320M-S2H-CF:rvrx.x:cvnDefaultstring:ct3:cvrDefaultstring:
  dmi.product.family: Default string
  dmi.product.name: A320M-S2H
  dmi.product.version: Default string
  dmi.sys.vendor: Gigabyte Technology Co., Ltd.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cups/+bug/1698693/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to