Hi,

Laurent Bigonville (2024-01-10):
> I see a lot of denials from apparmor regarding net_admin capability:
>
> type=AVC msg=audit(1704872737.703:1422): apparmor="DENIED"
> operation="capable" class="cap" profile="/usr/sbin/cupsd" pid=149384
> comm="cupsd" capability=12 capname="net_admin"
>
> Not too sure what part requires it, but I guess it should be either
> allowed or the audit trail should be suppressed

Yep.

After a quick scan of the last bug report about this
(https://bugs.debian.org/980974), I understand the conclusion was that
this access could be legitimate for 2 candidate reasons:

- running cupsd via systemd triggers this, "caused by setsockopt(2) with
  option SO_SNDBUFFORCE"
- ipp-usb does network stuff that may require net_admin

This suggests we should allow net_admin.

And it looks like that bug was closed merely because someone shared how
they *silenced the audit trail locally*, which sounds like a
misunderstanding to me.

Could perhaps the maintainers take another look at #980974 and check if
my conclusions make sense? If they do, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980974#15

Thanks,
--
intrigeri
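Added example, not part of the thread above or of the cups/AppArmor packages: a small parser for AppArmor "capable" denials of the kind Laurent quoted, which groups denied capabilities per profile and renders the two rule forms the thread contrasts, i.e. an allow rule (`capability net_admin,`) versus a quiet `deny capability net_admin,` that only silences the audit trail. The first log line is the one quoted in the bug; the remaining lines, and the `/usr/bin/example-daemon` profile, are constructed samples to show filtering and grouping.

```python
import re
from collections import defaultdict

# Constructed sample log. Line 1 is the denial quoted in the bug report;
# the other lines are made up to exercise the filters (an ALLOWED event,
# a file denial that is not a capability, and a second, fictional profile).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1704872737.703:1422): apparmor="DENIED" operation="capable" class="cap" profile="/usr/sbin/cupsd" pid=149384 comm="cupsd" capability=12 capname="net_admin"
type=AVC msg=audit(1704872740.118:1423): apparmor="DENIED" operation="capable" class="cap" profile="/usr/sbin/cupsd" pid=149384 comm="cupsd" capability=12 capname="net_admin"
type=AVC msg=audit(1704872741.002:1424): apparmor="ALLOWED" operation="capable" class="cap" profile="/usr/sbin/cupsd" pid=149384 comm="cupsd" capability=12 capname="net_admin"
type=AVC msg=audit(1704872742.500:1425): apparmor="DENIED" operation="open" class="file" profile="/usr/sbin/cupsd" name="/etc/hostname" pid=149384 comm="cupsd" requested_mask="r" denied_mask="r"
type=AVC msg=audit(1704872743.900:1426): apparmor="DENIED" operation="capable" class="cap" profile="/usr/bin/example-daemon" pid=4242 comm="example-daemon" capability=24 capname="sys_resource"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Split one audit record into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def denied_capabilities(log_text):
    """Map AppArmor profile -> sorted capability names it was denied.

    Only AVC records with apparmor="DENIED", operation="capable" and
    class="cap" count; ALLOWED events and non-capability denials are skipped.
    """
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("type") != "AVC" or f.get("apparmor") != "DENIED":
            continue
        if f.get("operation") != "capable" or f.get("class") != "cap":
            continue
        if "profile" in f and "capname" in f:
            denied[f["profile"]].add(f["capname"])
    return {profile: sorted(caps) for profile, caps in denied.items()}


def suggested_rules(log_text, silence=False):
    """Render, per profile, the AppArmor rule that would stop each denial.

    silence=False: 'capability X,' grants the capability (what the thread
                   argues for, since cupsd apparently needs net_admin).
    silence=True:  'deny capability X,' keeps the denial but, as an explicit
                   deny rule, is not logged by default; this only hides the
                   audit trail and is what the thread calls a misunderstanding.
    """
    keyword = "deny capability" if silence else "capability"
    return {
        profile: [f"{keyword} {cap}," for cap in caps]
        for profile, caps in denied_capabilities(log_text).items()
    }


if __name__ == "__main__":
    for profile, rules in suggested_rules(SAMPLE_AUDIT_LOG).items():
        print(f"{profile}:")
        for rule in rules:
            print(f"  {rule}")
```

Feeding real `journalctl -k` or audit.log output to `denied_capabilities` gives a per-profile inventory to review against what the program is known to do, before deciding whether a rule belongs in the shipped profile or only in a local override.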