#990331 reportbug: cups-browsed printing fails due to apparmor config with message 'No destination host name supplied by cups-browsed for printer'

Package: cups-browsed
Source: cups-filters
Description: OpenPrinting CUPS Filters - cups-browsed
Submitter: Gabriel Kerneis
Date: 2021-09-11 18:03:03 UTC
Severity: important

#990331#5
Date: 2021-06-25 20:52:29 UTC

Dear Maintainer,

I have a Brother printer configured per [1] using cups-browsed. It used
to work perfectly, but now fails to print with the same error message as
in #887495:
Note that #887495 is a catch-all without a root cause ever identified,
which is why I'm opening a more specific bug for this issue.

[1] https://wiki.debian.org/CUPSDriverlessPrinting

The cause of my issue lies in the AppArmor config. I noticed the following
lines in the logs:

juin 22 16:42:55 wiyake audit[638]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cups-browsed" pid=638 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/lib/cups/backend/cups-pdf" pid=636 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=636 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd//third_party" pid=636 comm="apparmor_parser"
juin 22 16:42:55 wiyake audit[766]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=766 comm="cupsd" capability=12  capname="net_admin"
juin 22 16:42:55 wiyake audit[782]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=782 comm="cups-browsed" capability=23  capname="sys_nice"
juin 22 16:44:21 wiyake audit[2615]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=2615 comm="cupsd" capability=12  capname="net_admin"
juin 22 16:44:21 wiyake audit[2618]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=2618 comm="cups-browsed" capability=23  capname="sys_nice"

net_admin sounded suspicious, since the error message mentioned a host
name.

I then tried the following workaround, originally found for Ubuntu [2]:

# apt install apparmor-utils
# aa-complain cups-browsed
# systemctl restart cups-browsed

[2] https://askubuntu.com/questions/645636/apparmor-with-cupsd-denied-in-logs

It resolved my issue, and my printer immediately started printing the
jobs in the queue. The logs now show:

juin 25 22:23:06 wiyake audit[221791]: AVC apparmor="STATUS" operation="profile_replace" profile="unconfined" name="/usr/sbin/cups-browsed" pid=221791 comm="apparmor_parser"
juin 25 22:24:40 wiyake audit[222966]: AVC apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cups-browsed" pid=222966 comm="cups-browsed" capability=23  capname="sys_nice"

I'm not sure what exactly needs to be updated in the apparmor config to
fix this issue. Note that #988764 is also about apparmor issues, but is
marked minor and doesn't seem to block printing. My issue yields to a
complete impossibility to print (at least in my use case).

I'd be happy to test any fix you could provide.

Thanks!

Gabriel

#990331#10
Date: 2021-09-11 13:48:42 UTC

Hello,

I also had the not-very-helpful message from CUPS:

  No destination host name supplied by cups-browsed for printer, is
  cups-browsed running?

Of course, cups-browsed was well running and I even tried to restart it,
also cups.service, etc. The solution I found, before reading this
report, was inspired by this answer:

https://askubuntu.com/a/1128869

Here it is. First some context: the printer is connected to <hostnameA>
and printing from <hostnameB> first worked, then failed for the *very
same document* in the *very same Okular instance*---I simply wanted to
print two sets of pages from the same document, oh my...

Solution (everything done on <hostnameB>):

1) I purged the cups-browsed package, even though cups-daemon recommends
   it.

2) Then I figured out I needed to do “Delete Printer” from the CUPS web
   administration page for the printer (otherwise, trying to do step 3
   would fail with the incomprehensible error message “Unable to add
   printer:Cannot change printer-is-shared for remote queues.”—that,
   regardless of whether “Share printer” was being checked).

3) From the CUPS web administration page:

   Administration → Add Printer → Discovered Network Printers: Brother
   DCP-L2550DN (driverless) @ <hostnameA> (DCP-L2550DN DCP-L2550DN
   series) → ... → Add Printer (the button).

Finally, I was able to print from <hostnameB>.

Even though this solution is quite different from that proposed by
Gabriel, this may very well be the same issue, because now that I've
found this report, I see that my /var/log/syslog on <hostnameB> from
before the fix has entries like:

Sep 11 13:39:09 localhost kernel: [15658.624326] audit: type=1400 audit(...): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6811 comm="cupsd" capability=12  capname="net_admin"
Sep 11 13:39:09 localhost kernel: [15658.718083] audit: type=1400 audit(...): apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=6814 comm="cups-browsed" capability=23  capname="sys_nice"

Hope this helps other people. Regards,

#990331#15
Date: 2021-09-11 17:34:18 UTC

Hello Florent,

Thank you for your contribution to this report.

The message is actually from cups-browsed.

cups-browsed basically provides *auto-setup* of printers and print
queues. Many users appreciate this function. But, of course, it
may be purged. I often do not use it, but would not dream of advising
other users to do the same, although, like you, I might suggest it.

This solution involves setting up a printer manually. It is perfectly
acceptable.

OK.

I wouldn't expect this line after cups-browsed has been purged. There
isn't an apparmor profile to use.

It does.

#990331#20
Date: 2021-09-11 17:48:06 UTC

Hello Brian,

As I wrote in my previous message, the two lines I quoted from my
/var/log/syslog are from **before the fix** (i.e., before I purged
cups-browsed).

Regards

#990331#25
Date: 2021-09-11 18:00:24 UTC

My lax reading, Florent. Thanks for the correction.

Cheers,

Brian.
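
An added example, not part of the original report or of the CUPS or AppArmor projects: a small Python parser for the AppArmor audit lines quoted in messages #5 and #10, covering both the journald and the kernel-syslog format, which tallies capability checks per profile and lists the ones whose latest verdict in the input is still DENIED. The sample lines are constructed from the formats shown in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the two log formats quoted in this report
# (journald "audit[pid]: AVC ..." and kernel syslog "audit: type=1400 ...").
SAMPLE = '''\
juin 22 16:42:55 host audit[636]: AVC apparmor="STATUS" operation="profile_load" profile="unconfined" name="/usr/sbin/cupsd" pid=636 comm="apparmor_parser"
juin 22 16:42:55 host audit[766]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=766 comm="cupsd" capability=12  capname="net_admin"
juin 22 16:42:55 host audit[782]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=782 comm="cups-browsed" capability=23  capname="sys_nice"
juin 22 16:44:21 host audit[2618]: AVC apparmor="DENIED" operation="capable" profile="/usr/sbin/cups-browsed" pid=2618 comm="cups-browsed" capability=23  capname="sys_nice"
Sep 11 13:39:09 localhost kernel: [15658.624326] audit: type=1400 audit(...): apparmor="DENIED" operation="capable" profile="/usr/sbin/cupsd" pid=6811 comm="cupsd" capability=12  capname="net_admin"
juin 25 22:24:40 host audit[222966]: AVC apparmor="ALLOWED" operation="capable" profile="/usr/sbin/cups-browsed" pid=222966 comm="cups-browsed" capability=23  capname="sys_nice"
'''

# Matches key="quoted value" as well as key=bare_value (pid=766, capability=12).
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the AppArmor fields of one audit line as a dict, or None."""
    start = line.find('apparmor="')  # skips the syslog/journald prefix
    if start < 0:
        return None
    return {k: (q if q else b) for k, q, b in FIELD.findall(line[start:])}


def capability_events(text):
    """Count (verdict, profile, capname) for capability checks only."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_avc(line)
        if f and f.get("operation") == "capable":
            counts[(f.get("apparmor"), f.get("profile"), f.get("capname"))] += 1
    return counts


def still_blocked(text):
    """(profile, capname) pairs whose last event in input order is DENIED.

    ALLOWED is what a profile in complain mode logs for an access that
    enforce mode would have refused, so it is not counted as blocked.
    """
    last = {}
    for line in text.splitlines():
        f = parse_avc(line)
        if f and f.get("operation") == "capable":
            last[(f.get("profile"), f.get("capname"))] = f.get("apparmor")
    return sorted(k for k, v in last.items() if v == "DENIED")


if __name__ == "__main__":
    for key, n in sorted(capability_events(SAMPLE).items()):
        print(n, *key)
    print("still blocked:", still_blocked(SAMPLE))
```

On the sample, the cups-browsed profile ends up in the ALLOWED state after the switch to complain mode, while the cupsd profile is still reported as denying net_admin.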