Bug 239757
Summary: | SELinux is preventing /usr/sbin/cupsd (cupsd_t) "search" access to / (home_root_t) | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | han pingtian <hanpingtian> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED NOTABUG | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Priority: | medium |
Version: | 6 | CC: | dwalsh, twaugh |
Hardware: | i386 | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2007-06-01 09:30:24 UTC |

Description
han pingtian
2007-05-11 02:00:45 UTC
Fixed in selinux-policy-2.4.6-69

Added dontaudit rule

(In reply to comment #1)
> Fixed in selinux-policy-2.4.6-69
>
> Added dontaudit rule

I upgraded to selinux-policy-2.4.6-69.fc6 this morning. The old one is fixed, but a new one occurs when I try to print a test paper:

```
SELinux is preventing /bin/bash (cupsd_t) "write" access to ralf (initrc_tmp_t).

Source Context: user_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context: user_u:object_r:initrc_tmp_t:s0
Target Objects: ralf [ file ]
Affected RPM Packages: bash-3.1-16.1 [application]
Policy RPM: selinux-policy-2.4.6-69.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.disable_trans
Host Name: openfree.org
Platform: Linux openfree.org 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:48:40 EDT 2007 i686 i686
Alert Count: 2
Line Numbers:

Raw Audit Messages:
avc: denied { write } for comm="sh" dev=dm-0 egid=7 euid=4 exe="/bin/bash" exit=-13 fsgid=7 fsuid=4 gid=7 items=0 name="ralf" pid=5875 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file tcontext=user_u:object_r:initrc_tmp_t:s0 tty=(none) uid=4
```

This looks like cupsd is trying to write to a file that was created by an init script in the /tmp directory?

(In reply to comment #3)
> This looks like cupsd is trying to write to a file that was created by an init
> script in the /tmp directory?

Really? What should I do then?

Tim, do you have any ideas?

No idea. What is 'ralf'? If someone has configured a queue using a URI like file:/tmp/ralf, that is a mis-configuration. So what is the URI of the queue you are trying to print to?

I see ... I'm using an IBM Infoprint printer. There is a file /tmp/ralf:

```
$ cat /tmp/ralf
/usr/bin/pdpr -x job-owner=guest -p cncdll5b
```

For now you can use audit2allow to add these rules to a local customization of policy to allow cups to work.

```
# grep cups /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp
```

And we need to work with IBM on a better way to do this.

Great! I can print now! Thanks!
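
To see what a local module built from the denial in this thread would grant, here is an added example (not part of the bug thread, and not audit2allow's own code). It reduces AVC records to allow rules in type-enforcement syntax so they can be reviewed before `semodule -i`. The function names and the second sample record are constructed for illustration.

```python
import re
from collections import defaultdict

# AVC record quoted in this bug report.
PAGE_AVC = ('avc: denied { write } for comm="sh" dev=dm-0 egid=7 euid=4 '
            'exe="/bin/bash" exit=-13 fsgid=7 fsuid=4 gid=7 items=0 name="ralf" '
            'pid=5875 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 '
            'subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file '
            'tcontext=user_u:object_r:initrc_tmp_t:s0 tty=(none) uid=4')
# Constructed record (not from the page): another permission on the same file.
CONSTRUCTED_AVC = ('avc: denied { getattr } for comm="sh" name="ralf" '
                   'scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=file '
                   'tcontext=user_u:object_r:initrc_tmp_t:s0')

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD_RE = re.compile(r'\b(scontext|tcontext|tclass)=(\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def parse_avc(line):
    """Return (source_type, target_type, class, perms), or None if not a denial."""
    match = AVC_RE.search(line)
    fields = dict(FIELD_RE.findall(line))
    if not match or not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    return (selinux_type(fields['scontext']), selinux_type(fields['tcontext']),
            fields['tclass'], set(match.group(1).split()))

def allow_rules(lines):
    """Merge denials per (source, target, class) into sorted allow rules."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            src, tgt, cls, perms = parsed
            merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules([PAGE_AVC, CONSTRUCTED_AVC])))
```

Because `grep cups` selects every matching denial in the audit log, the `mycups.te` file that `audit2allow -M mycups` writes next to `mycups.pp` is the place to check which rules the module actually contains.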