Bugzilla – Bug 539401
AppArmor lets cupsd fail to start
Last modified: 2016-04-15 09:52:41 UTC
User-Agent: Mozilla/5.0 (compatible; Konqueror/3.5; Linux) KHTML/3.5.10 (like Gecko) SUSE Trying to configure my printer YaST says cups is not running - and it really isn`t: lpstat -h localhost -r lpstat: Verbindung zum Server nicht möglich localhost:631 - no response > cups status Checking for cupsd: unused > cups start Starting cupsdcupsd: Child exited with status 13! startproc: exit status of parent of /usr/sbin/cupsd: 2 Reproducible: Always
Created attachment 318399 [details] /var/log/cups/error_log
Created attachment 318400 [details] /var/log/cups/access_log
switching the Apparmor status of Cups from enforce to complain the following result is given: > cups start Starting cupsdcupsd: Child exited on signal 11! startproc: exit status of parent of /usr/sbin/cupsd: 3 failed
Created attachment 318402 [details] /var/log/cups/error_log apparmor complain mode
Seems to be a problem of the apparmor profile. Unfortunately the 'Update Profile Wizard' still does not work.
When the cupsd works without AppArmor, this bug does not belong to the Bugzilla component "Printing" but to the Bugzilla component "AppArmor". To the AppArmor experts: In openSUSE 11.1 we had bug #474403: "AppArmor makes CUPS irresponsive".
This is a duplicate of bnc#555653. Closing. *** This bug has been marked as a duplicate of bug 555653 ***
Or not at second glance.
Created attachment 330309 [details] updated usr.sbin.cupsd profile Use this profile for cups. It was created by the Apparmor profile generator and then carefully postedited by hand. It should serve all needs. We should distribute a new working usr.sbin.cupsd-profile as an update.
Created attachment 333479 [details] Committed usr.sbin.cupsd. This is the version of the profile I committed to the apparmor-profiles package. There were some things you added that were part of the nameservice abstraction, and some other minor tweaks.
... and submitted to openSUSE:11.2:Update:Test. Anja, what do you think of an update?
+1 (for an update)
Actually, hold off on the update. The profile isn't right quite yet. It started up ok for me but refused to actually print.
I think I've worked out the kinks. An update won't be released for 11.2 but should be for 11.3. openSUSE 11.3 SR 54280
What is the problem (NEEDINFO)? If required, I could test the new cupsd-profile. However this will mean some work as I will have to use a generic printer driver instead of the Brother drivers which need some extra permissions. Also, I don`t see why we should not release an update for 11.2 as it is just a profile that has changed and nonethelesswithstanding that it has been cerated under and for 11.2.
the NEEDINFO is for the maintenance team to get the update approved. Update general looks sensible. +1 why not 11.2? we can fix bugs for all living distros ,)
I also think we can fix it also for 11.2 ... update started. Be so kind and submit also a fixed package for 11.2.
The SWAMPID for this issue is 37580. This issue was rated as low. Please submit fixed packages until 2010-12-31. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/37580
There are many other apparmor-profiles which would need a revision. Most of them do not work but simply make the app they should protect crash like f.i. the dhcp-client or others. Would you like to work with me to provide a basic set of shielded apps shipped with the distribution? I can test and prepare something that works as me. You could revise and generalize them to be affiliated by the distro. Not only well known authors like Michael Kofler who has written a recommended standard book for Linux say that the main fallacy of Apparmor is the lacking availability of ready to use profiles.
Update released for: apparmor-parser, apparmor-parser-debuginfo, apparmor-parser-debugsource, apparmor-profiles Products: openSUSE 11.3 (debug, i586, x86_64)
(In reply to comment #19) > There are many other apparmor-profiles which would need a revision. Most of > them do not work but simply make the app they should protect crash like f.i. > the dhcp-client or others. > Would you like to work with me to provide a basic set of shielded apps > shipped with the distribution? I can test and prepare something that works as > me. You could revise and generalize them to be affiliated by the distro. Not > only well known authors like Michael Kofler who has written a recommended > standard book for Linux say that the main fallacy of Apparmor is the lacking > availability of ready to use profiles. Update from comment #19 is now released. Feel free to prepare new profiles. If we have some updated one, we can trigger a new update.
(In reply to comment #19) > There are many other apparmor-profiles which would need a revision. Most of > them do not work but simply make the app they should protect crash like f.i. > the dhcp-client or others. > Would you like to work with me to provide a basic set of shielded apps > shipped with the distribution? I can test and prepare something that works as > me. You could revise and generalize them to be affiliated by the distro. Not > only well known authors like Michael Kofler who has written a recommended > standard book for Linux say that the main fallacy of Apparmor is the lacking > availability of ready to use profiles. Sure. If you can generate/update working profiles for the applications you're using, I'd happily accept changes into the apparmor package. As for this report, I'm going to close it as fixed.
This is an autogenerated message for OBS integration: This bug (539401) was mentioned in https://build.opensuse.org/request/show/54280 11.3:Test / apparmor-profiles