#990331 reportbug: cups-browsed printing fails due to apparmor config with message 'No destination host name supplied by cups-browsed for printer' #990331
- Package:
- cups-browsed
- Source:
- cups-filters
- Description:
- OpenPrinting CUPS Filters - cups-browsed
- Submitter:
- Gabriel Kerneis
- Date:
- 2021-09-11 18:03:03 UTC
- Severity:
- important
Dear Maintainer, I have a Brother printer configured per [1] using cups-browsed. It used to work perfectly, but now fails to print with the same error message as in #887495: Note that #887495 is a catch-all without a root cause ever identified, which is why I'm opening a more specific bug for this issue. [1] https://wiki.debian.org/CUPSDriverlessPrinting The cause of my issue lies is app armor config. I noticed the following lines in the logs: juin 22 16:42:55 wiyake audit[638]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed" pid=638 comm="apparmor_parser" juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=636 comm="apparmor_parser" juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=636 comm="apparmor_parser" juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=636 comm="apparmor_parser" juin 22 16:42:55 wiyake audit[766]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=766 comm="cupsd" capability=12 capname="net_admin" juin 22 16:42:55 wiyake audit[782]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=782 comm="cups-browsed" capability=23 capname="sys_nice" juin 22 16:44:21 wiyake audit[2615]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=2615 comm="cupsd" capability=12 capname="net_admin" juin 22 16:44:21 wiyake audit[2618]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=2618 comm="cups-browsed" capability=23 capname="sys_nice" net_admin sounded suspicious, since the error message mentionned a host name. I then tried the following workaround, originally found for Ubuntu [2]: # apt install apparmor-utils # aa-complain cupsd-browsed # systemctl restart cups-browsed [2] https://askubuntu.com/questions/645636/apparmor-with-cupsd-denied-in-logs It resolved my issue, and my printer immediately started printing the jobs in the queue. The logs now show: juin 25 22:23:06 wiyake audit[221791]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cups-browsed" pid=221791 comm="apparmor_parser" juin 25 22:24:40 wiyake audit[222966]: AVC apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cups-browsed" pid=222966 comm="cups-browsed" capability=23 capname="sys_nice" I'm not sure what exactly needs to be updated in the apparmor config to fix this issue. Note that #988764 is also about apparmor issues, but is marked minor and doesn't seem to block printing. My issue yields to a complete impossibility to print (at least in my use case). I'd be happy to test any fix you could provide. Thanks! Gabriel
Hello, I also had the not-very-helpful message from CUPS: No destination host name supplied by cups-browsed for printer, is cups-browsed running? Of course, cups-browsed was well running and I even tried to restart it, also cups.service, etc. The solution I found, before reading this report, was inspired by this answer: https://askubuntu.com/a/1128869 Here it is. First some context: the printer is connected to <hostnameA> and printing from <hostnameB> first worked, then failed for the *very same document* in the *very same Okular instance*---I simply wanted to print two sets of pages from the same document, oh my... Solution (everything done on <hostnameB>): 1) I purged the cups-browsed package, even though cups-daemon recommends it. 2) Then I figured out I needed to do “Delete Printer” from the CUPS web administration page for the printer (otherwise, trying to do step 3 would fail with the incomprehensible error message “Unable to add printer:Cannot change printer-is-shared for remote queues.”—that, regardless of whether “Share printer” was being checked). 3) From the CUPS web administration page: Administration → Add Printer → Discovered Network Printers: Brother DCP-L2550DN (driverless) @ <hostnameA> (DCP-L2550DN DCP-L2550DN series) → ... → Add Printer (the button). Finally, I was able to print from <hostnameB>. Even though this solution is quite different from that proposed by Gabriel, this may very well be the same issue, because now that I've found this report, I see that my /var/log/syslog on <hostnameB> from before the fix has entries like: Sep 11 13:39:09 localhost kernel: [15658.624326] audit: type=1400 audit(...): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6811 comm="cupsd" capability=12 capname="net_admin" Sep 11 13:39:09 localhost kernel: [15658.718083] audit: type=1400 audit(...): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=6814 comm="cups-browsed" capability=23 capname="sys_nice" Hope this helps other people. Regards,
Hello Florent, Thank you for your contribution to this report. The message is actually from cups-browsed. cups-browsed basically provides *auto-setup* of printers and print queues. Many users apprreciate this function. But, of course, it may be purged. I often do not use it, but would not dream of advising other users to do the same, although, like you. I might suggest it. This solution involves setting up a printer manually. It is perfectly acceptable. OK. I wouldn't expect this line after cups-browsed has been purged. There isn't an apparmor profile to use. It does.
Hello Brian, As I wrote in my previous message, the two lines I quoted from my /var/log/syslog are from **before the fix** (i.e., before I purged cups-browsed). Regards
My lax reading, Florent. Thanks for the correction. Cheers, Brian.