-- I emailed a reply but it didn't appear, so I'm posting the text straight in
Hi Martin,
Sure - here you go:
Martin Pitt wrote:
> > Can you please reproduce the situation that caused an error before, and
> > attach /var/log/kern.log? This will show me the exact violations that
> > cause this. Thanks!
> >
> > ** Changed in: cupsys (Ubuntu)
> > Assignee: (unassigned) => Martin Pitt (pitti)
> > Status: New => Incomplete
> >
1st level failure after aa-enforce /usr/sbin/cups; /etc/init.d/cupsys
restart and then try to log into a secure cups page:
2009/02/13 09:41:07 notice kern rodan kernel: [558478.665721] audit(1234518067.729:18151): type=1503 operation="inode_permission" requested_mask="a::" denied_mask="a::" name="/dev/tty" pid=12486 profile="/usr/sbin/cupsd" namespace="default"
2009/02/13 09:41:07 notice kern rodan kernel: [558478.665903] audit(1234518067.729:18152): type=1503 operation="inode_permission" requested_mask="w::" denied_mask="w::" name="/etc/krb5.conf" pid=12486 profile="/usr/sbin/cupsd" namespace="default"
----
Then I add "/etc/krb5.conf r," to AppArmor for usr.sbin.cupsd
Rinse, lather, repeat and we get:
2009/02/13 09:45:33 notice kern rodan kernel: [558743.850245] audit(1234518333.342:18155): type=1503 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/etc/krb5.keytab" pid=12702 profile="/usr/sbin/cupsd" namespace="default"
So I add
/etc/krb5.keytab k,
(what's "k")?
----
Then we get:
2009/02/13 09:48:28 notice kern rodan kernel: [558918.559183] audit(1234518508.333:18172): type=1503 operation="file_lock" requested_mask="wk::" denied_mask="k::" name="/tmp/krb5cc_pam_CBTQ2A" pid=13023 profile="/usr/sbin/cupsd" namespace="default"
(which is the kerberos ticket cache)
*Don't* assume the form of the name of that temp file - it's configurable.
So I add:
/tmp/** rkw,
-----
Re-init and that *seems* to work.
Kerberos auth via PAM is now operational.
But, I have little understanding of apparmor so you may be able to see
silliness in what I've done.
Cheers - and thanks :)
Glad to be able to help make a great distro 0.0001% better :)
Best wishes
Tim
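
The log-to-rule loop described in the message above, as an added example that is not part of the original post or of AppArmor's own tooling: it reads type=1503 denials and emits one exact-path rule per file with only the denied permissions ("k" is AppArmor's file-lock permission). The names parse_denials, suggest_rules and SAMPLE_LOG are hypothetical, the log lines are constructed in the format quoted above, and treating the mask as colon-separated permission letters is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the denials quoted in the post.
SAMPLE_LOG = '''\
kernel: [1.0] audit(1.0:1): type=1503 operation="inode_permission" requested_mask="a::" denied_mask="a::" name="/dev/tty" pid=100 profile="/usr/sbin/cupsd" namespace="default"
kernel: [2.0] audit(2.0:2): type=1503 operation="inode_permission" requested_mask="w::" denied_mask="w::" name="/etc/krb5.conf" pid=100 profile="/usr/sbin/cupsd" namespace="default"
kernel: [3.0] audit(3.0:3): type=1503 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/etc/krb5.keytab" pid=101 profile="/usr/sbin/cupsd" namespace="default"
kernel: [4.0] audit(4.0:4): type=1503 operation="inode_permission" requested_mask="w::" denied_mask="w::" name="/tmp/krb5cc_pam_CBTQ2A" pid=102 profile="/usr/sbin/cupsd" namespace="default"
kernel: [5.0] usb 1-1: new full-speed USB device
kernel: [6.0] audit(6.0:5): type=1503 operation="file_lock" requested_mask="wk::" denied_mask="k::" name="/tmp/krb5cc_pam_CBTQ2A" pid=102 profile="/usr/sbin/cupsd" namespace="default"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')
ORDER = "rwaklmx"  # assumption: order in which permission letters are written out


def parse_denials(log_text):
    """Yield (profile, path, denied letters) for each type=1503 audit line."""
    for line in log_text.splitlines():
        if "type=1503" not in line:
            continue  # not an AppArmor denial in this log format
        fields = dict(FIELD.findall(line))
        if not {"profile", "name", "denied_mask"} <= fields.keys():
            continue  # truncated or malformed record
        # Assumption: the mask is colon-separated permission sets; keep the letters.
        yield fields["profile"], fields["name"], set(fields["denied_mask"].replace(":", ""))


def suggest_rules(log_text):
    """Return {profile: [rule, ...]}: one exact-path rule per denied file."""
    perms = defaultdict(set)
    for profile, path, letters in parse_denials(log_text):
        perms[(profile, path)] |= letters  # union of denials seen for this file
    rules = defaultdict(list)
    for (profile, path), letters in sorted(perms.items()):
        if "w" in letters:
            letters.discard("a")  # 'a' and 'w' are mutually exclusive; 'w' covers append
        rules[profile].append(f"{path} {''.join(c for c in ORDER if c in letters)},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print(profile, *lines, sep="\n  ")
```

The ticket-cache rule comes out as an exact path, so it still has to be generalised by hand to the configured cache name pattern, which can be much narrower than /tmp/**.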