The cupsd apparmor profile does not allow cups-pdf to use mknod (and why it needs to use it is beyond me), but if your're brave you can change this by editing the /etc/apparmor.d/usr.sbin.cupsd apparmor profile (make a backup first please):
Code:
sudo gedit /etc/apparmor.d/usr.sbin.cupsd
Scroll down and find the section:
Code:
# separate profile since this needs to write into /home
/usr/lib/cups/backend/cups-pdf {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability chown,
capability fowner,
capability fsetid,
capability setgid,
capability setuid,
# unfortunate, but required for when $HOME is 700
capability dac_override,
/bin/dash ixr,
/bin/bash ixr,
/bin/cp ixr,
/etc/papersize r,
/etc/cups/cups-pdf.conf r,
@{HOME}/PDF/ rw,
@{HOME}/PDF/* rw,
/usr/bin/gs ixr,
/usr/lib/cups/backend/cups-pdf mr,
/usr/lib/ghostscript/** mr,
/usr/share/** r,
/var/log/cups/cups-pdf_log w,
/var/spool/cups-pdf/** rw,
}
And add capability mknod Your section now looks like this:
Code:
# separate profile since this needs to write into /home
/usr/lib/cups/backend/cups-pdf {
#include <abstractions/base>
#include <abstractions/fonts>
#include <abstractions/nameservice>
#include <abstractions/user-tmp>
capability chown,
capability fowner,
capability fsetid,
capability mknod,
capability setgid,
capability setuid,
# unfortunate, but required for when $HOME is 700
capability dac_override,
/bin/dash ixr,
/bin/bash ixr,
/bin/cp ixr,
/etc/papersize r,
/etc/cups/cups-pdf.conf r,
@{HOME}/PDF/ rw,
@{HOME}/PDF/* rw,
/usr/bin/gs ixr,
/usr/lib/cups/backend/cups-pdf mr,
/usr/lib/ghostscript/** mr,
/usr/share/** r,
/var/log/cups/cups-pdf_log w,
/var/spool/cups-pdf/** rw,
}
Save and restart apparmor.
Code:
sudo service apparmor restart
Edit: As an alternative you can disable the cupsd profile from being enforced:
Code:
sudo aa-complain /usr/sbin/cupsd
apparmour conflicts with cups-pdf?
Adv Reply
Bookmarks