Bug 246317
Summary: | selinux blocks CUPS web admin | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | David Munro <dhmunro> |
Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | 7 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | 2.6.4-21.fc7 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-06-30 23:13:50 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
David Munro
2007-06-30 06:06:19 UTC
I don't see that behaviour here. Do you get any AVC messages in /var/log/audit/audit.log or in the output of the 'dmesg' command? Please include the version and release of the cups and selinux-policy packages you have installed. The dmesg contained nothing obviously relevant. Here are the messages from /var/log/audit/audit.log: type=USER_AUTH msg=audit(1183224470.819:26): user pid=2208 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? res=success)' type=AVC msg=audit(1183224470.819:27): avc: denied { execute } for pid=3293 comm="cupsd" name="unix_update" dev=sda5 ino=3205028 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file type=SYSCALL msg=audit(1183224470.819:27): arch=40000003 syscall=11 success=no exit=-13 a0=2c78b8 a1=bfee691c a2=2c9408 a3=400 items=0 ppid=2208 pid=3293 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) type=USER_ACCT msg=audit(1183224470.819:28): user pid=2208 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? res=failed)' (PID 2208 is indeed the cupsd process) The SELinux troubleshooter has this to say: ------------------------ Additional Information Source Context: system_u:system_r:cupsd_t:SystemLow-SystemHigh Target Context: system_u:object_r:updpwd_exec_t Target Objects: unix_update [ file ] Affected RPM Packages: cups-1.2.10-10.fc7 [application] Policy RPM: selinux-policy-2.6.4-14.fc7 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: plugins.catchall_file Host Name: dogberry Platform: Linux dogberry 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686 Alert Count: 5 First Seen: Fri Jun 29 21:20:13 2007 Last Seen: Sat Jun 30 10:27:50 2007 Local ID: 48fd4a61-a0d1-4efc-a6a0-f3606266a460 Line Numbers: Raw Audit Messages : avc: denied { execute } for comm="cupsd" dev=sda5 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="unix_update" pid=3293 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:updpwd_exec_t:s0 tty=(none) uid=0 -------------------- I tried restorecon -v /sbin/unix_update as suggested by the SELinux troubleshooter, but it printed nothing and had no effect. Here are the installed packages related to cups or selinux: cups-1.2.10-10.fc7 cups-libs-1.2.10-10.fc7 libselinux-2.0.13-1.fc7 selinux-policy-2.6.4-14.fc7 selinux-policy-targeted-2.6.4-14.fc7 Whoa! After an upgrade to these packages, the CUPS Web administration tools have started to work: selinux-policy-2.6.4-21.fc7 selinux-policy-targeted-2.6.4-21.fc7 I haven't tracked down the difference, but whatever it was, the problem seems to have disappeared. Thank you for your prompt response. |