[ubuntu-hardened] SELinux breaks cups

Ian W Roberts ianwroberts at internode.on.net
Fri Apr 11 02:19:19 BST 2008

I'm giving ubuntu-8.04-beta-server-amd64 a go on my new home server. It 
installed fine and is mostly running well. Sharing files and (hopefully) 
a printer via samba is the major task for the server.

I've installed SELinux (learning opportunity) and one outstanding 
problem is getting cups running.

When I (re)install cupsys and cupsys-client I get the following:

The following NEW packages will be installed:
cupsys cupsys-client
0 upgraded, 2 newly installed, 0 to remove and 6 not upgraded.
Need to get 0B/1970kB of archives.
After this operation, 10.5MB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package cupsys.
(Reading database ... 30319 files and directories currently installed.)
Unpacking cupsys (from .../cupsys_1.3.7-1ubuntu2_amd64.deb) ...
Selecting previously deselected package cupsys-client.
Unpacking cupsys-client (from 
.../cupsys-client_1.3.7-1ubuntu2_amd64.deb) ...
Setting up cupsys (1.3.7-1ubuntu2) ...
Unable to find apparmor_parser, installation problem?: Failed.
invoke-rc.d: initscript apparmor, action "force-reload" failed.
* Starting Common Unix Printing System: cupsd start-stop-daemon: Unable 
to start /usr/sbin/cupsd: Permission denied (Permission denied)
invoke-rc.d: initscript cupsys, action "start" failed.
dpkg: error processing cupsys (--configure):
subprocess post-installation script returned error exit status 2
Setting up cupsys-client (1.3.7-1ubuntu2) ...

Errors were encountered while processing:
E: Sub-process /usr/bin/dpkg returned an error code (1)

and syslog displays:

Apr 11 10:03:49 tunnelball kernel: [56186.723703] 
audit(1207874029.018:9): security_compute_sid: invalid context 
unconfined_u:system_r:cupsd_t for 
tcontext=system_ubject_r:cupsd_exec_t tclass=process

Looks like an SELinux problem to me.

I've done quite a bit of web crawling to find a solution. There are a 
number of parallel experiences but no resolutions. Any suggestions 
(other than apt-get remove selinux!)?



Ian W Roberts
e:    ianwroberts at internode.on.net

More information about the ubuntu-hardened mailing list