Bug 246317

Summary: selinux blocks CUPS web admin
Product: [Fedora] Fedora
Reporter: David Munro <dhmunro>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 7
Hardware: All
OS: Linux
Fixed In Version: 2.6.4-21.fc7
Doc Type: Bug Fix
Last Closed: 2007-06-30 23:13:50 UTC

Description David Munro 2007-06-30 06:06:19 UTC
Description of problem:

When attempting to use the CUPS Web administration tools at
http://localhost:631, SELinux prevents cupsd from verifying the root password. 
The dialog box requesting the username and password pops up, but the root user
and password are not accepted.  When SELinux is placed in Permissive (as opposed
to Enforcing) mode, the root password is accepted and the administrative tasks
can be performed.

Version-Release number of selected component (if applicable):


How reproducible:

Attempt to change any setting under the Administration tab at
http://localhost:631, while SELinux is in Enforcing mode.

Steps to Reproduce:
1. Point browser at http://localhost:631/admin
2. Check any box under Basic Server Settings and click Change Settings
3. Enter root and root password in dialog box
4. Change SELinux from Enforcing to Permissive to see it work correctly
  
Actual results:


Expected results:


Additional info:

Comment 1 Tim Waugh 2007-06-30 10:34:00 UTC
I don't see that behaviour here.  Do you get any AVC messages in
/var/log/audit/audit.log or in the output of the 'dmesg' command?

Please include the version and release of the cups and selinux-policy packages
you have installed.

Comment 2 David Munro 2007-06-30 18:05:13 UTC
The dmesg contained nothing obviously relevant.
Here are the messages from /var/log/audit/audit.log:

type=USER_AUTH msg=audit(1183224470.819:26): user pid=2208 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? res=success)'
type=AVC msg=audit(1183224470.819:27): avc:  denied  { execute } for  pid=3293 comm="cupsd" name="unix_update" dev=sda5 ino=3205028 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1183224470.819:27): arch=40000003 syscall=11 success=no exit=-13 a0=2c78b8 a1=bfee691c a2=2c9408 a3=400 items=0 ppid=2208 pid=3293 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1183224470.819:28): user pid=2208 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? res=failed)'

(PID 2208 is indeed the cupsd process)

The SELinux troubleshooter has this to say:

------------------------

Additional Information
Source Context:  system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context:  system_u:object_r:updpwd_exec_t
Target Objects:  unix_update [ file ]
Affected RPM Packages:  cups-1.2.10-10.fc7 [application]
Policy RPM:  selinux-policy-2.6.4-14.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  dogberry
Platform:  Linux dogberry 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686
Alert Count:  5
First Seen:  Fri Jun 29 21:20:13 2007
Last Seen:  Sat Jun 30 10:27:50 2007
Local ID:  48fd4a61-a0d1-4efc-a6a0-f3606266a460
Line Numbers:  

Raw Audit Messages :

avc: denied { execute } for comm="cupsd" dev=sda5 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="unix_update" pid=3293 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:updpwd_exec_t:s0 tty=(none) uid=0

--------------------

I tried restorecon -v /sbin/unix_update as suggested by the SELinux
troubleshooter, but it printed nothing and had no effect.

Here are the installed packages related to cups or selinux:
cups-1.2.10-10.fc7
cups-libs-1.2.10-10.fc7
libselinux-2.0.13-1.fc7
selinux-policy-2.6.4-14.fc7
selinux-policy-targeted-2.6.4-14.fc7
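
Added example (not part of the original bug report, and not code from cups or selinux-policy): a short Python parser that groups the audit records quoted in comment 2 by event serial and extracts the denied permission, the source and target types, and the PAM stage results. The function names are made up for this illustration; the sample lines are the four records from comment 2 with the line wrapping removed.

```python
import re
from collections import defaultdict

# The four records from comment 2, with the 80-column wrapping removed.
SAMPLE = """\
type=USER_AUTH msg=audit(1183224470.819:26): user pid=2208 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? res=success)'
type=AVC msg=audit(1183224470.819:27): avc:  denied  { execute } for  pid=3293 comm="cupsd" name="unix_update" dev=sda5 ino=3205028 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1183224470.819:27): arch=40000003 syscall=11 success=no exit=-13 a0=2c78b8 a1=bfee691c a2=2c9408 a3=400 items=0 ppid=2208 pid=3293 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=USER_ACCT msg=audit(1183224470.819:28): user pid=2208 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? res=failed)'
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]*)\} for\s+(.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """Group record bodies by event serial; an AVC and its SYSCALL share one."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            events[int(m.group(2))][m.group(1)] = m.group(3)
    return events

def fields(body):
    return {k: v.strip('"') for k, v in KV.findall(body)}

def denials(events):
    """One dict per AVC denial, enriched from the SYSCALL record of the same event."""
    out = []
    for serial, recs in sorted(events.items()):
        m = AVC.search(recs.get("AVC", ""))
        if not m:
            continue
        avc, sc = fields(m.group(2)), fields(recs.get("SYSCALL", ""))
        out.append({
            "serial": serial, "perms": m.group(1).split(),
            # An SELinux context is user:role:type[:level]; index 2 is the type.
            "source": avc["scontext"].split(":")[2],
            "target": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"], "name": avc.get("name"),
            "exe": sc.get("exe"), "exit": int(sc["exit"]) if "exit" in sc else None,
        })
    return out

def pam_results(events):
    """Map each USER_* record type to the res= value PAM reported."""
    return {t: re.search(r"res=(\w+)", b).group(1)
            for recs in events.values() for t, b in recs.items() if t.startswith("USER_")}
```

On these records, pam_results(parse(SAMPLE)) gives success for USER_AUTH and failed for USER_ACCT, and denials(parse(SAMPLE)) gives one entry: cupsd_t denied execute on unix_update (type updpwd_exec_t, class file), with the execve call from /usr/sbin/cupsd returning -13 (EACCES).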


Comment 3 David Munro 2007-06-30 18:41:13 UTC
Whoa!  After an upgrade to these packages, the CUPS Web administration tools
have started to work:

selinux-policy-2.6.4-21.fc7
selinux-policy-targeted-2.6.4-21.fc7

I haven't tracked down the difference, but whatever it was, the problem seems to
have disappeared.

Thank you for your prompt response.