Bug#990331: reportbug: cups-browsed printing fails due to apparmor config with message 'No destination host name supplied by cups-browsed for printer'

Discussion:

(too old to reply)

Gabriel Kerneis

2021-06-25 21:00:01 UTC

Permalink

Package: cups-browsed
Version: 1.28.7-1
Severity: important

Dear Maintainer,

I have a Brother printer configured per [1] using cups-browsed. It used
to work perfectly, but now fails to print with the same error message as

No destination host name supplied by cups-browsed for printer "name", is cups-browsed running?

Note that #887495 is a catch-all without a root cause ever identified,
which is why I'm opening a more specific bug for this issue.

[1] https://wiki.debian.org/CUPSDriverlessPrinting

The cause of my issue lies is app armor config. I noticed the following
lines in the logs:

juin 22 16:42:55 wiyake audit[638]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed" pid=638 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=636 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=636 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=636 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[766]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=766 comm="cupsd" capability=12 capname="net_admin"
juin 22 16:42:55 wiyake audit[782]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=782 comm="cups-browsed" capability=23 capname="sys_nice"
juin 22 16:44:21 wiyake audit[2615]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=2615 comm="cupsd" capability=12 capname="net_admin"
juin 22 16:44:21 wiyake audit[2618]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=2618 comm="cups-browsed" capability=23 capname="sys_nice"

net_admin sounded suspicious, since the error message mentionned a host
name.

I then tried the following workaround, originally found for Ubuntu [2]:

# apt install apparmor-utils
# aa-complain cupsd-browsed
# systemctl restart cups-browsed

[2] https://askubuntu.com/questions/645636/apparmor-with-cupsd-denied-in-logs

It resolved my issue, and my printer immediately started printing the
jobs in the queue. The logs now show:

juin 25 22:23:06 wiyake audit[221791]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cups-browsed" pid=221791 comm="apparmor_parser"
juin 25 22:24:40 wiyake audit[222966]: AVC apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cups-browsed" pid=222966 comm="cups-browsed" capability=23 capname="sys_nice"

I'm not sure what exactly needs to be updated in the apparmor config to
fix this issue. Note that #988764 is also about apparmor issues, but is
marked minor and doesn't seem to block printing. My issue yields to a
complete impossibility to print (at least in my use case).

I'd be happy to test any fix you could provide.

Thanks!

Gabriel

-- System Information:
Debian Release: 11.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-7-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages cups-browsed depends on:
ii cups-daemon 2.3.3op2-3+deb11u1
ii init-system-helpers 1.60
ii libavahi-client3 0.8-5
ii libavahi-common3 0.8-5
ii libavahi-glib1 0.8-5
ii libc6 2.31-12
ii libcups2 2.3.3op2-3+deb11u1
ii libcupsfilters1 1.28.7-1
ii libglib2.0-0 2.66.8-1
ii libldap-2.4-2 2.4.57+dfsg-3
ii lsb-base 11.1.0

Versions of packages cups-browsed recommends:
ii avahi-daemon 0.8-5

cups-browsed suggests no packages.

-- Configuration Files:
/etc/apparmor.d/usr.sbin.cups-browsed changed:
/usr/sbin/cups-browsed flags=(attach_disconnected, complain) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/cups-client>
#include <abstractions/dbus>
#include <abstractions/p11-kit>
/etc/cups/cups-browsed.conf r,
/etc/cups/lpoptions r,
/etc/cups/ppd/* r,
/{var/,}run/cups/certs/* r,
/var/cache/cups/* rw,
/var/log/cups/* rw,
/tmp/** rw,
# Site-specific additions and overrides. See local/README for details.
#include <local/usr.sbin.cups-browsed>
}

-- no deb

Florent Rougon

2021-09-11 14:00:01 UTC

Permalink

Hello,

I also had the not-very-helpful message from CUPS:

No destination host name supplied by cups-browsed for printer, is
cups-browsed running?

Of course, cups-browsed was well running and I even tried to restart it,
also cups.service, etc. The solution I found, before reading this
report, was inspired by this answer:

https://askubuntu.com/a/1128869

Here it is. First some context: the printer is connected to <hostnameA>
and printing from <hostnameB> first worked, then failed for the *very
same document* in the *very same Okular instance*---I simply wanted to
print two sets of pages from the same document, oh my...

Solution (everything done on <hostnameB>):

1) I purged the cups-browsed package, even though cups-daemon recommends
it.

2) Then I figured out I needed to do “Delete Printer” from the CUPS web
administration page for the printer (otherwise, trying to do step 3
would fail with the incomprehensible error message “Unable to add
printer:Cannot change printer-is-shared for remote queues.”—that,
regardless of whether “Share printer” was being checked).

3) From the CUPS web administration page:

Administration → Add Printer → Discovered Network Printers: Brother
DCP-L2550DN (driverless) @ <hostnameA> (DCP-L2550DN DCP-L2550DN
series) → ... → Add Printer (the button).

Finally, I was able to print from <hostnameB>.

Even though this solution is quite different from that proposed by
Gabriel, this may very well be the same issue, because now that I've
found this report, I see that my /var/log/syslog on <hostnameB> from
before the fix has entries like:

Sep 11 13:39:09 localhost kernel: [15658.624326] audit: type=1400 audit(...): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6811 comm="cupsd" capability=12 capname="net_admin"
Sep 11 13:39:09 localhost kernel: [15658.718083] audit: type=1400 audit(...): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=6814 comm="cups-browsed" capability=23 capname="sys_nice"

Hope this helps other people. Regards,

--
Florent

Brian Potkin

2021-09-11 17:40:02 UTC

Permalink

Post by Florent Rougon
Hello,

Hello Florent,

Thank you for your contribution to this report.
The message is actually from cups-browsed.

Post by Florent Rougon
No destination host name supplied by cups-browsed for printer, is
cups-browsed running?
Of course, cups-browsed was well running and I even tried to restart it,
also cups.service, etc. The solution I found, before reading this
https://askubuntu.com/a/1128869
Here it is. First some context: the printer is connected to <hostnameA>
and printing from <hostnameB> first worked, then failed for the *very
same document* in the *very same Okular instance*---I simply wanted to
print two sets of pages from the same document, oh my...
1) I purged the cups-browsed package, even though cups-daemon recommends
it.

cups-browsed basically provides *auto-setup* of printers and print
queues. Many users apprreciate this function. But, of course, it
may be purged. I often do not use it, but would not dream of advising
other users to do the same, although, like you. I might suggest it.

Post by Florent Rougon
2) Then I figured out I needed to do “Delete Printer” from the CUPS web
administration page for the printer (otherwise, trying to do step 3
would fail with the incomprehensible error message “Unable to add
printer:Cannot change printer-is-shared for remote queues.”—that,
regardless of whether “Share printer” was being checked).
Administration → Add Printer → Discovered Network Printers: Brother
series) → ... → Add Printer (the button).
Finally, I was able to print from <hostnameB>.
Even though this solution is quite different from that proposed by
Gabriel, this may very well be the same issue, because now that I've
found this report, I see that my /var/log/syslog on <hostnameB> from

This solution involves setting up a printer manually. It is perfectly
acceptable.

Post by Florent Rougon
Sep 11 13:39:09 localhost kernel: [15658.624326] audit: type=1400 audit(...): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6811 comm="cupsd" capability=12 capname="net_admin"

OK.

Post by Florent Rougon
Sep 11 13:39:09 localhost kernel: [15658.718083] audit: type=1400 audit(...): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=6814 comm="cups-browsed" capability=23 capname="sys_nice"

I wouldn't expect this line after cups-browsed has been purged. There
isn't an apparmor profile to use.

Post by Florent Rougon
Hope this helps other people. Regards,

It does.

--
Brian.

Florent Rougon

2021-09-11 18:00:01 UTC

Permalink

Hello Brian,

As I wrote in my previous message, the two lines I quoted from my
/var/log/syslog are from **before the fix** (i.e., before I purged
cups-browsed).

Regards

--
Florent

Brian Potkin

2021-09-11 18:10:02 UTC

Permalink

Post by Florent Rougon
Hello Brian,
As I wrote in my previous message, the two lines I quoted from my
/var/log/syslog are from **before the fix** (i.e., before I purged
cups-browsed).

My lax reading, Florent. Thanks for the correction.

Cheers,

Brian.