Bug 239757

Summary: SELinux is preventing /usr/sbin/cupsd (cupsd_t) "search" access to / (home_root_t)
Product: [Fedora] Fedora
Reporter: han pingtian <hanpingtian>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: 6
CC: dwalsh, twaugh
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-06-01 09:30:24 UTC

Description han pingtian 2007-05-11 02:00:45 UTC
Description of problem:
When I start /etc/init.d/cups, setroubleshoot jumps out and reports this.


Version-Release number of selected component (if applicable):
cups-1.2.10-3.fc6
selinux-policy-2.4.6-62.fc6

Additional info:
Source Context:  user_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:home_root_t:s0
Target Objects:  / [ dir ]
Affected RPM Packages:  cups-1.2.10-3.fc6[application]filesystem-2.4.0-1[target]
Policy RPM:  selinux-policy-2.4.6-62.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.disable_trans
Host Name:  openfree.org
Platform:  Linux openfree.org 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:48:40 EDT 2007 i686 i686
Alert Count:  6
Line Numbers:

Raw Audit Messages:

avc: denied { search } for comm="cupsd" dev=dm-1 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3917 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-05-14 18:11:55 UTC
Fixed in selinux-policy-2.4.6-69

Added dontaudit rule

Comment 2 han pingtian 2007-05-25 02:37:39 UTC
(In reply to comment #1)
> Fixed in selinux-policy-2.4.6-69
> 
> Added dontaudit rule

I upgraded to selinux-policy-2.4.6-69.fc6 this morning. The old one is fixed, but a
new one occurs when I try to print a test page:
SELinux is preventing /bin/bash (cupsd_t) "write" access to ralf (initrc_tmp_t).

Source Context:               user_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context:               user_u:object_r:initrc_tmp_t:s0
Target Objects:               ralf [ file ]
Affected RPM Packages:        bash-3.1-16.1 [application]
Policy RPM:                   selinux-policy-2.4.6-69.fc6
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  plugins.disable_trans
Host Name:                    openfree.org
Platform:                     Linux openfree.org 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:48:40 EDT 2007 i686 i686
Alert Count:                  2
Line Numbers:

Raw Audit Messages:

avc: denied { write } for comm="sh" dev=dm-0 egid=7 euid=4 exe="/bin/bash" exit=-13 fsgid=7 fsuid=4 gid=7 items=0 name="ralf" pid=5875 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file tcontext=user_u:object_r:initrc_tmp_t:s0 tty=(none) uid=4

Comment 3 Daniel Walsh 2007-05-25 12:41:57 UTC
This looks like cupsd is trying to write to a file that was created by an init
script in the /tmp directory?

Comment 4 han pingtian 2007-05-28 00:26:52 UTC
(In reply to comment #3)
> This looks like cupsd is trying to write to a file that was created by an init
> script in the /tmp directory?

Really? What should I do then?

Comment 5 Daniel Walsh 2007-05-29 14:17:33 UTC
Tim do you have any ideas?

Comment 6 Tim Waugh 2007-05-29 17:10:25 UTC
No idea.  What is 'ralf'?

If someone has configured a queue using a URI like file:/tmp/ralf, that is a
misconfiguration.

So what is the URI of the queue you are trying to print to?


Comment 7 han pingtian 2007-05-31 05:01:37 UTC
I see... I'm using an IBM Infoprint printer. There is a file /tmp/ralf:
$ cat /tmp/ralf
/usr/bin/pdpr -x   job-owner=guest -p cncdll5b

Comment 8 Daniel Walsh 2007-05-31 13:39:24 UTC
For now you can use audit2allow to add these rules to a local customization of
policy to allow cups to work.

# grep cups /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp

And we need to work with IBM on a better way to do this.
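
As an added illustration (this script is not part of the bug report, of cups, or of the audit2allow tool), the code below parses the two AVC records quoted in the description and in comment 2 and groups them the way audit2allow does into one rule per (source type, target type, class). Unlike the blanket "grep | audit2allow" step, it emits the harmless search probe as a dontaudit rule, which is what the policy fix in comment 1 did, and leaves any write-class denial commented out for review, since the write to /tmp/ralf turned out to be a queue configuration issue rather than a policy gap. The function names and the WRITE_LIKE and BENIGN_PROBE permission sets are assumptions of this example; only the AVC lines come from the report.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records quoted earlier in this bug report.
SAMPLE_AVCS = [
    'avc: denied { search } for comm="cupsd" dev=dm-1 egid=0 euid=0 '
    'exe="/usr/sbin/cupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" '
    'pid=3917 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 '
    'subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=dir '
    'tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0',
    'avc: denied { write } for comm="sh" dev=dm-0 egid=7 euid=4 exe="/bin/bash" '
    'exit=-13 fsgid=7 fsuid=4 gid=7 items=0 name="ralf" pid=5875 '
    'scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 '
    'subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file '
    'tcontext=user_u:object_r:initrc_tmp_t:s0 tty=(none) uid=4',
]

# "avc: denied { perm ... } for key=value ..." ; search() also copes with the
# "type=AVC msg=audit(...): " prefix that /var/log/audit/audit.log adds.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permission sets assumed for this example (not an SELinux-defined grouping).
WRITE_LIKE = {'write', 'append', 'create', 'unlink', 'rename',
              'setattr', 'relabelto', 'relabelfrom'}
BENIGN_PROBE = {'search', 'getattr'}


def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['result'] = m.group('result')
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type, the only part a TE rule names."""
    return ctx.split(':')[2]


def aggregate(lines):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None or avc['result'] != 'denied':
            continue
        key = (context_type(avc['scontext']),
               context_type(avc['tcontext']), avc['tclass'])
        rules[key].update(avc['perms'])
    return dict(rules)


def format_rule(key, perms, kind='allow'):
    """Render one TE rule in the syntax audit2allow writes into a .te file."""
    src, tgt, cls = key
    ordered = sorted(perms)
    perm_str = ordered[0] if len(ordered) == 1 else '{ ' + ' '.join(ordered) + ' }'
    return f'{kind} {src} {tgt}:{cls} {perm_str};'


def triage(perms):
    """Decide how a denial should be handled before loading generated policy."""
    if perms & WRITE_LIKE:
        return 'review'      # a daemon writing somewhere new deserves a look
    if perms <= BENIGN_PROBE:
        return 'dontaudit'   # harmless directory probe: silence it, do not allow it
    return 'allow'


def build_module(lines):
    """Produce the .te rule lines, with write-class denials commented for review."""
    out = []
    for key, perms in sorted(aggregate(lines).items()):
        verdict = triage(perms)
        if verdict == 'review':
            out.append('# REVIEW: ' + format_rule(key, perms))
        elif verdict == 'dontaudit':
            out.append(format_rule(key, perms, 'dontaudit'))
        else:
            out.append(format_rule(key, perms))
    return out


if __name__ == '__main__':
    for rule in build_module(SAMPLE_AVCS):
        print(rule)
```

Run it as-is to see the two rules it derives from the report's records; to triage a real system, feed it the output of the same grep used in comment 8 (one audit.log line per list entry) and compare the result with what audit2allow -M proposes before running semodule -i. The exit=-13 in both records is EACCES, the error cupsd and the filter script saw.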

Comment 9 han pingtian 2007-06-01 09:30:24 UTC
Great! I can print now! Thanks!