Bug 143717
| Summary: | files in /etc/cups created with improper SELinux labels | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Tom London <selinux> |
| Component: | cups | Assignee: | Tim Waugh <twaugh> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | dwalsh |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-01-04 15:51:29 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The following added to /etc/rc.d/rc.local 'works around' this problem: echo "restoring contexts of /etc/cups" restorecon -vv -R /etc/cups The root cause of this is likely to be that system-config-printer needs to re-write these files. However, being configuration files, they are best written to new files and renamed over the originals. dwalsh: I seem to remember asking how this should be dealt with ages ago, but I don't remember if I heard an answer. Here is where the thread ended up: https://www.redhat.com/archives/fedora-devel-list/2004-March/msg00240.html I don't mind if printconf-backend has to run restorecon itself; I don't mind if it needs to open these files O_RDWR -- I just need to know the authoritative answer to "how to adjust configuration files while keeping selinux happy". BTW, my 'work around' from comment #1 doesn't work. Sorry. rc.local must get run before /etc/cups files get written. Need to add this rule file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) to cups policy. princonf-backend is running under cupsd_config_t and should create files with cupsd_rw_etc_t. I will put this rule in selinux-policy-*-1.19.15-13 Dan I made this change to my policy files, and all appears to work correctly! Thanks. I'll await the 'release' of 1.19.15-13 and close this out. tom |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041216 Firefox/1.0 Fedora/1.0-6 Description of problem: On a system running SELinux strict/enforcing, latest Rawhide: Each time I boot, some of the files in /etc/cups are assigned the wrong SELinux label. [root@fedora program]# restorecon -vv -R /etc/cups restorecon reset context /etc/cups/cupsd.conf->system_u:object_r:cupsd_rw_etc_t restorecon reset context /etc/cups/lpoptions->system_u:object_r:cupsd_rw_etc_t restorecon reset context /etc/cups/ppd/psc-900-series-2.ppd->system_u:object_r:cupsd_rw_etc_t restorecon reset context /etc/cups/ppd/HP950.ppd->system_u:object_r:cupsd_rw_etc_t restorecon reset context /etc/cups/ppd/HP5MP.ppd->system_u:object_r:cupsd_rw_etc_t restorecon reset context /etc/cups/ppd/psc-950-2.ppd->system_u:object_r:cupsd_rw_etc_t restorecon reset context /etc/cups/printers.conf->system_u:object_r:cupsd_rw_etc_t These files are given a type of cupsd_etc_t (the type of /etc/cups) instead of cupsd_rw_etc_t. This causes a cascade of AVCs to be produced when printing or when the printer changes states. Version-Release number of selected component (if applicable): cups-1.1.23-0.rc1.1 How reproducible: Always Steps to Reproduce: 1. do 'restorecon -R /etc/cups' (on system running strict/enforcing) 2. reboot 3. ls -lZ /etc/cups Additional info: