Bug 143717
Summary: | files in /etc/cups created with improper SELinux labels | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Tom London <selinux> |
Component: | cups | Assignee: | Tim Waugh <twaugh> |
Status: | CLOSED RAWHIDE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | dwalsh |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i686 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2005-01-04 15:51:29 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Tom London
2004-12-25 02:08:09 UTC
The following added to /etc/rc.d/rc.local 'works around' this problem: echo "restoring contexts of /etc/cups" restorecon -vv -R /etc/cups The root cause of this is likely to be that system-config-printer needs to re-write these files. However, being configuration files, they are best written to new files and renamed over the originals. dwalsh: I seem to remember asking how this should be dealt with ages ago, but I don't remember if I heard an answer. Here is where the thread ended up: https://www.redhat.com/archives/fedora-devel-list/2004-March/msg00240.html I don't mind if printconf-backend has to run restorecon itself; I don't mind if it needs to open these files O_RDWR -- I just need to know the authoritative answer to "how to adjust configuration files while keeping selinux happy". BTW, my 'work around' from comment #1 doesn't work. Sorry. rc.local must get run before /etc/cups files get written. Need to add this rule file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) to cups policy. princonf-backend is running under cupsd_config_t and should create files with cupsd_rw_etc_t. I will put this rule in selinux-policy-*-1.19.15-13 Dan I made this change to my policy files, and all appears to work correctly! Thanks. I'll await the 'release' of 1.19.15-13 and close this out. tom |