apparmor prevent cups-pdf to create ~/PDF folder

Same here, one needs to create the directory by hand.
Error message in /var/log/cups/cups-pdf_log:
Fri Oct 3 14:44:32 2008 [ERROR] failed to create directory (/home/myuser/PDF)
Fri Oct 3 14:44:32 2008 [ERROR] failed to create user output directory (/home/myuser/PDF)

Corresponding entry in /var/log/messages (same timestamp):
type=1503 audit(1223037872.247:4): operation="capable" name="dac_override" pid=12739 profile="/usr/lib/cups/backend/cups-pdf"

I think bug #276502 refers to the same problem.

The cupsys package got renamed in the Intrepid cycle to cups; editing the package information on this bug.

Yes, bug 276502 is the same as this; the cups-pdf apparmor profile needs

  capability dac_override,

added to it. I had another apparmor rejection on the main cupsd profile I mentioned in that bug as well, that's not relevant to cups-pdf, but that shouldn't get lost:

[18355.389868] type=1503 audit(1222813703.699:5): operation="file_lock" requested_mask="wk::" denied_mask="k::" fsuid=7 name="/var/cache/cups/help.index" pid=11329 profile="/usr/sbin/cupsd"

Thanks!

Steve Beattie : Thanks for your terminal outputs. Are these outputs related to the document that you tried to print with your PDF printer? If not, these outputs would get a more appropriate attention if you are able to reproduce the bug that caused this apparmor profile to refuse the operation and that you write a new bug report for cups.

By changing the package name, you made me realize that that error happens in that profile : /usr/lib/cups/backend/cups-pdf which is a part of cups-pdf package. According to this, I'm changing again package to cups-pdf.

Saivann, right, but the apparmor profile lives in the cups package itself.

Steve, I fixed your cache/cups/help.index thing in bzr trunk. The main part of this bug report is a dupe of bug 151190.

Martin, sorry, but this is different from bug 151190; my home directories are in the default location. I'm seeing this despite:

  [denisovich ~]$ grep HOME /etc/apparmor.d/tunables/home
  # @{HOME} is a space-separated list of all user home directories. While
  @{HOME}=@{HOMEDIRS}/*/ /root/
  # @{HOMEDIRS} is a space-separated list of where user home directories
  @{HOMEDIRS}=/home/
  [denisovich ~]$ ls -ld /home $HOME
  drwxr-xr-x 5 root root 4096 2008-08-08 11:05 /home
  drwxr-xr-x 66 steve steve 4096 2008-10-06 15:34 /home/steve

The *only* rejection I'm seeing is the dac_override:

  type=APPARMOR_DENIED msg=audit(1223332440.925:7): operation="capable" name="dac_override" pid=17681 profile="/usr/lib/cups/backend/cups-pdf"

I don't have a following inode_create rejection, even after adding the dac_override capability to the profile (and solely adding the dac_override capability to the cups-pdf profile causes the cups-pdf plugin to start working).

An alternative fix would be to include a PDF/ directory in /etc/skel/, but since it seems unpossible to include a tmp/ directory there, I suspect PDF/ is even less likely.

Oh, I see. But I don't really want to give DAC_OVERRIDE to cups-pdf, it's crackful enough as it is, and DAC_OVERRIDE is very powerful. The actual creation of ~/PDF works just fine for me (/home/martin/PDF), at least it did in Hardy (we don't install cups-pdf by default any more). Does it actually break for you now?

Martin Pitt : This bug does not exist in Hardy, you're right. However, this bug is always reproducible in intrepid with standard home folders. ~/PDF folder is not automatically created in intrepid, making cups-pdf unusable for users that won't think to manually create the folder.

I can't get it to work even if I create the PDF directory first. cups-pdf still complains about not being able to create it.

I need to print PDF's from a windows app with wine, and can't think of another way to do it..

cups-pdf doesn't work out of the box, but as pointed here, using dac_override make it work again.

Using dac_override works although it keeps on failing in /var/log/cups/cups-pdf_log with:

Mon Nov 3 18:48:50 2008 [ERROR] failed to create directory (/home/user/PDF)
Mon Nov 3 18:48:50 2008 [ERROR] failed to create user output directory (/home/user/PDF)

Besides, I've also added the following lines in cupsd to allow access to

/proc/*[0-9]/net r,
/proc/*[0-9]/net/* r,

to eliminate the audit error::

Nov 3 18:29:01 machine kernel: [ 5607.743270] type=1503 audit(): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=7 name="/proc/12870/net/" pid=12870 profile="/usr/sbin/cupsd"
Nov 3 18:29:06 machine kernel: [ 5612.789892] type=1503 audit(): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=7 name="/proc/12878/net/" pid=12878 profile="/usr/sbin/cupsd"

Unable to use PDF printer.. even if PDF directory exists. :(

Any update on this? This is a very annoying bug which, for a typical Linux user, will require to disable or remove AppArmor.

Works for me after creating the PDF directory manually.

Running:
  sudo aa-logprof
solves the problem, as expected.
Without any further need to disable (or fiddle with) AppArmor.
Also the /var/log/cups/cups-pdf_log log file will be clean again.

Running
sudo aa-logprof
prompts the user with a so many questions which not many would know what is being requested.

like listed in here
http://beginlinux.com/desktop_training/ubuntu/1108-create-a-profile-in-apparmor
Would you like to enable access to the profile repository?

(E)nable Repository / (D)isable Repository / Ask Me (L)ater
Connecting to repository.....
Writing updated profile for /usr/bin/ssh.
Setting /usr/bin/ssh to complain mode.

My Ibex got this problem also. So anyone??? Any update package for this? Or i have to do manually?
This bug already 4 moth !!!
I cannot imagine if some company using a lot off ubuntu client

Thanks for all the info and suggestions above, but still not working cups-pdf printer state "Stopped - Backend /usr/lib/cups/backend/cups-pdf does not exist"

I confirm ~/PDF added by me
I also chmod +rwx /usr/lib/cups/backend/cups-pdf to match other backends, so should exist and now be seen.

AA uninstalled, cups-pdf reinstalled, no success.
AA reinstalled (I see capability dac_override added to /etc/apparmor.d/usr.sbin.cupsd thanks)

Not sure what to do next. Very frustrating and killing productivity.

Okay now working. So after upgrade to Ibex:

Delete printer in System, Administration, Printer Configuration
Make directory ~/PDF
Reinstall Cups-pdf
Printer added back automatically in System Printer Configuration, now printing to ~/PDF

note: capability dac_override now added in aa repository, make sure aa upto date as well.

Not working here in Jaunty up-to-date.
Same messages:
from /var/log/syslog:

Feb 27 09:34:07 malouce kernel: [ 2911.778762] type=1503 audit(1235723647.524:177): operation="capable" name="dac_override" pid=9049 profile="/usr/lib/cups/backend/cups-pdf"
Feb 27 09:34:07 malouce kernel: [ 2911.778776] type=1503 audit(1235723647.524:178): operation="capable" name="dac_read_search" pid=9049 profile="/usr/lib/cups/backend/cups-pdf"
Feb 27 09:34:09 malouce kernel: [ 2913.960478] type=1503 audit(1235723649.705:179): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=3714 profile="/usr/sbin/cupsd"
Feb 27 09:34:09 malouce kernel: [ 2913.960667] type=1503 audit(1235723649.705:180): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=3714 profile="/usr/sbin/cupsd"
Feb 27 09:34:21 malouce kernel: [ 2926.154864] type=1503 audit(1235723661.900:181): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=3714 profile="/usr/sbin/cupsd"
Feb 27 09:34:21 malouce kernel: [ 2926.155238] type=1503 audit(1235723661.900:182): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=3714 profile="/usr/sbin/cupsd"

from cups-pdf_log:
Fri Feb 27 09:34:07 2009 [ERROR] failed to create directory (/home/syl/PDF)
Fri Feb 27 09:34:07 2009 [ERROR] failed to create user output directory (/home/syl/PDF)

even if ~/PDF is created we have the same result.

The problem seems to be occurring in the prepareuser function of /usr/lib/cups/backend/cups-pdf. Specifically, the following check fails to correctly identify the presence of the user output directory (line 338 of cups-pdf.c):
  if (stat(dirname, &fstatus) || !S_ISDIR(fstatus.ts_mode))

Using up-to-date Ubuntu 8.10 with a clean install of cups and cups-pdf with default config files (i.e. purge and reinstall). Package versions:
  cups: 1.3.9-2ubuntu7
  cups-pdf: 2.4.8-1ubuntu1

Permissions on $HOME and ~/PDF/ both 700, which causes cups-pdf to fail:
  mathew@host:~/PDF$ ls -la
  total 8
  drwx------ 2 mathew mathew 4096 2009-03-13 11:25 .
  drwx------ 68 mathew mathew 4096 2009-03-13 11:16 ..

It appears that AppArmor is preventing the stat and S_ISDIR function calls (from sys/stat.h) from correctly determining the existence of the ~/PDF/ output directory. This is despite the AppArmor profile /etc/apparmor.d/usr.sbin.cupsd granting cups-pdf read/write access to that directory (lines 141-142 of usr.sbin.cupsd):
  @{HOME}/PDF/ rw,
  @{HOME}/PDF/* rw,

When prepareuser fails to find the ~/PDF/ directory, it then tries to (re)create it, which causes cups-pdf to fail as it doesn't (and shouldn't) have write access directly in $HOME.
Trying to print, e.g. '$ lp -d PDF /tmp/test.txt' results in the following error message in /var/log/cups/cups-pdf_log (originating from the prepareuser function):
  Fri Mar 13 12:57:45 2009 [ERROR] failed to create user output directory (/home/mathew/PDF)

The following also appears in /var/log/syslog:
  Mar 13 12:57:45 host kernel: [11411.156535] type=1503 audit(1236902265.708:18): operation="capable" name="dac_override" pid=5562 profile="/usr/lib/cups/backend/cups-pdf"
  Mar 13 12:57:45 host kernel: [11411.156549] type=1503 audit(1236902265.708:19): operation="capable" name="dac_read_search" pid=5562 profile="/usr/lib/cups/backend/cups-pdf"

If the prepareuser function is modified so that it doesn't check for the existence of the output directory, and simply return(s) 0; whenever it is called, cups-pdf works as expected. The unmodified version of cups-pdf will work when either AppArmor is not running, or $HOME is given permissions 701, with ~/PDF/ still having 700 permissions.

Adding the line:
  capability dac_read_search,
to the cups-pdf section of /etc/apparmor.d/usr.sbin.cupsd allows cups-pdf to function as expected in cases where ~/PDF/ exists with permissions 700, and $HOME also has 700 permissions.

This is unusual, as AppArmor should not be interfering with the stat function calls in cups-pdf. From the AppArmor Technical Documentation provided in the apparmor-docs package:

"Stat. Retrieving information about files is always allowed. We believe that providing policy for file information retrieval is more troublesome than the benefit it would provide."

I am unsure if the failure of cups-pdf's stat call is the result of a bug in AppArmor itself, or an overly restrictive AppArmor profile for the cups package.

Bug still present in 9.04 Jaunty even if i manually create the ~/PDF directory.

Works fine with apparmor disabled.

I have added

   capability dac_read_search,

to the cups-pdf section of /etc/apparmor.d/usr.sbin.cupsd and also chmod 700 ~/PDF and $HOME.

   capability dac_override,

is already present in the general cupsd section.

Made no difference.

cups-pdf remains unusable.

Confirmed. This is an old bug from at least Intrepid, possibly Hardy. It's still present on Jaunty:

Mon Apr 27 21:07:41 2009 [DEBUG] switching to new gid (lpadmin)
Mon Apr 27 21:07:41 2009 [DEBUG] initialization finished (v2.5.0)
Mon Apr 27 21:07:41 2009 [DEBUG] user identified (ward)
Mon Apr 27 21:07:41 2009 [DEBUG] output directory name generated (/home/ward/PDF)
Mon Apr 27 21:07:41 2009 [DEBUG] user information prepared
Mon Apr 27 21:07:41 2009 [DEBUG] spoolfile name created (/var/spool/cups-pdf/SPOOL/cups2pdf-27444)
Mon Apr 27 21:07:41 2009 [DEBUG] source stream ready
Mon Apr 27 21:07:41 2009 [DEBUG] destination stream ready (/var/spool/cups-pdf/SPOOL/cups2pdf-27444)
Mon Apr 27 21:07:41 2009 [DEBUG] owner set for spoolfile (/var/spool/cups-pdf/SPOOL/cups2pdf-27444)
Mon Apr 27 21:07:42 2009 [DEBUG] found beginning of postscript code (%!PS-Adobe-3.0)
Mon Apr 27 21:07:42 2009 [DEBUG] now extracting postscript code
Mon Apr 27 21:07:42 2009 [DEBUG] found title in ps code (([ubuntu] [SOLVED] apparmor cupspdf in Hardy [Archive] - Ubuntu Forums))
Mon Apr 27 21:07:42 2009 [DEBUG] found end of postscript code (%%EOF)
Mon Apr 27 21:07:42 2009 [DEBUG] all data written to spoolfile (/var/spool/cups-pdf/SPOOL/cups2pdf-27444)
Mon Apr 27 21:07:42 2009 [DEBUG] trying to use PS title (([ubuntu] [SOLVED] apparmor cupspdf in Hardy [Archive] - Ubuntu Forums))
Mon Apr 27 21:07:42 2009 [DEBUG] removing trailing newlines from title (([ubuntu] [SOLVED] apparmor cupspdf in Hardy [Archive] - Ubuntu Forums))
Mon Apr 27 21:07:42 2009 [DEBUG] removing enclosing parentheses () from full title (([ubuntu] [SOLVED] apparmor cupspdf in Hardy [Archive] - Ubuntu Forums))
Mon Apr 27 21:07:42 2009 [DEBUG] removing special characters from title ([ubuntu] [SOLVED] apparmor cupspdf in Hardy [Archive] - Ubuntu Forums)
Mon Apr 27 21:07:42 2009 [DEBUG] truncating title (_ubuntu___SOLVED__apparmor_cupspdf_in_Hardy__Archive__-_Ubuntu_F)
Mon Apr 27 21:07:42 2009 [DEBUG] title successfully retrieved (job_637-_ubuntu___SOLVED__apparmor_cupspdf_in_Hardy__Archive__-_Ubuntu_F)
Mon Apr 27 21:07:42 2009 [DEBUG] input data read from stdin
Mon Apr 27 21:07:42 2009 [DEBUG] output filename created (/home/ward/PDF/job_637-_ubuntu___SOLVED__apparmor_cupspdf_in_Hardy__Archive__-_Ubuntu_F.pdf)
Mon Apr 27 21:07:42 2009 [DEBUG] ghostscript commandline built (/usr/bin/gs -q -dCompatibilityLevel=1.4 -dNOPAUSE -dBATCH -dSAFER -sDEVICE=pdfwrite -sOutputFile="/home/ward/PDF/job_637-_ubuntu___SOLVED__apparmor_cupspdf_in_Hardy__Archive__-_Ubuntu_F.pdf" -dAutoRotatePages=/PageByPage -dAutoFilterColorImages=false -dColorImageFilter=/FlateEncode -dPDFSETTINGS=/prepress -c .setpdfwrite -f /var/spool/cups-pdf/SPOOL/cups2pdf-27444)
Mon Apr 27 21:07:42 2009 [DEBUG] output file unlinked (/home/ward/PDF/job_637-_ubuntu___SOLVED__apparmor_cupspdf_in_Hardy__Archive__-_Ubuntu_F.pdf)
Mon Apr 27 21:07:42 2009 [DEBUG] TMPDIR set for GhostScript (/var/tmp)
Mon Apr 27 21:07:42 2009 [DEBUG] entering child process
Mon Apr 27 21:07:42 2009 [DEBUG] GID set for current user
Mon Apr 27 21:07:42 2009 [DEBUG] UID set for current user (ward)
Mon Apr 27 21:07:42 2009 [DEBUG] ghostscript has finished (256)
...

In Ubuntu 9.04 Jaunty this works:
mkdir ~/PDF ; chmod 701 $HOME ~/PDF

I'm having the same problem in karmic

Happens even when I have already created ~/PDF and tried it with a number of permissions without success.

Adding "capability dac_read_search," to the cups-pdf section of /etc/apparmor.d/usr.sbin.cupsd didn't help at all either.

My user home is not under /home so I've already added it to /etc/apparmor.d/tunables/home

No joy.

I had nearly same problem in karmic. I already had the PDF directory in my $HOME. Before updating to karmic, this worked normal.

Since karmic, I couldn't create PDF, too. I got logs like this.

audit(1267978731.819:427): operation="open" pid=16967 parent=16966 profile="/usr/lib/cups/backend/cups-pdf" requested_mask="rw::" denied_mask="r::" fsuid=1000 ouid=1000 name="/home/pasche/PDF/Google.pdf"

and

[Job 216] GPL Ghostscript 8.70: **** Could not open the file /home/pasche/PDF/Google.pdf .

in /var/log/cups/error_log

I solved my problem in purging cups-pdf and reinstalling cups. I previously removed /etc/apparmor.d/usr.sbin.cupsd and manually extracted this file from package "cups" because it hasn't been installed with the "--reinstall" command of apt-get.

Now I can normally create PDF files as earlier.

But, I get the following errors in syslog.

Mar 7 17:33:42 tux2 kernel: [114768.642428] type=1503 audit(1267979622.879:457): operation="open" pid=17642 parent=17641 profile="/usr/lib/cups/backend/cups-pdf" requested_mask="::rw" denied_mask="::rw" fsuid=1000 ouid=0 name="/dev/tty"
Mar 7 17:33:42 tux2 kernel: [114768.649111] type=1503 audit(1267979622.887:458): operation="open" pid=17642 parent=17641 profile="/usr/lib/cups/backend/cups-pdf" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/proc/filesystems"
Mar 7 17:33:42 tux2 kernel: [114768.650529] type=1503 audit(1267979622.887:459): operation="open" pid=17642 parent=17641 profile="/usr/lib/cups/backend/cups-pdf" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/proc/filesystems"

But this does not seem to break anything yet.

Regards,

pasche

SOLVED by the easiest way (Disabling cups apparmor profile)

Run these commands ...

mkdir $HOME/PDF
mkdir $HOME/PDF
sudo mv /etc/apparmor.d/usr.sbin.cupsd /etc/apparmor.d/disable/.
sudo /etc/init.d/apparmor restart

I did as John Stiles instructs in post #18 and worked ok at the first attempt in my Linux Mint Julia edition (based on Ubuntu Maverick Meerkat).
Thanks a lot to John for this clear and simple workaround.