Bug 390391
| Summary: | Cups won't start - Selinux problem? | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Huffman <bloch> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Priority: | low |
| Version: | 8 | CC: | fortran, sdsmall, twaugh |
| Hardware: | All | OS: | Linux |
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Last Closed: | 2008-01-30 19:20:09 UTC | | |

Description
Adam Huffman
2007-11-19 14:04:33 UTC
The SELINUX_ERR messages look like the selinux-policy is not installed right somehow.

I've tried re-installing selinux-policy and selinux-policy-targeted, then re-installing cups itself, but the error is still there in enforcing mode.

Please yum update to the latest selinux policy. It should fix the problem.

Fixed in selinux-policy-3.0.8-56.fc8

I've just done that from that updates-testing repo, but it hasn't fixed the problem.

You might have to log out and log back in.
# semanage user -l
# semanage login -l
# id -Z

Yes, it's working now I've logged out and back in again.
Here's the output of those commands:
                Labeling    MLS/       MLS/
SELinux User    Prefix      MCS Level  MCS Range         SELinux Roles
guest_u         guest       s0         s0                guest_r
root            sysadm      s0         s0-s0:c0.c1023    system_r sysadm_r staff_r
staff_u         staff       s0         s0-s0:c0.c1023    sysadm_r staff_r
sysadm_u        sysadm      s0         s0-s0:c0.c1023    sysadm_r
system_u        user        s0         s0-s0:c0.c1023    system_r
unconfined_u    unconfined  s0         s0-s0:c0.c1023    system_r unconfined_r
user_u          user        s0         s0                system_r user_r
xguest_u        xguest      s0         s0                xguest_r

Login Name      SELinux User    MLS/MCS Range
__default__     unconfined_u    s0
root            system_u        s0-s0:c0.c1023

unconfined_u:system_r:unconfined_t:s0
(as my normal user)
Thanks a lot for the swift response - as always.
I believe I have hit this bug now. It seems the only way to restart cups is to
reboot. To wit:
# service cups start
Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied
[FAILED]
From audit.log:
type=SELINUX_ERR msg=audit(1197477894.638:654): security_compute_sid: invalid
context user_u:system_r:cupsd_t:s0-s0:c0.c1023 for
scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:cupsd_exec_t:s0
tclass=process
Following just about everything in this thread, I ran "fixfiles restore", no
help. Tried logging in and out as root, no help. And since you asked before:
# semanage user -l
                Labeling    MLS/       MLS/
SELinux User    Prefix      MCS Level  MCS Range               SELinux Roles
root            sysadm      s0         SystemLow-SystemHigh    system_r sysadm_r staff_r
staff_u         staff       s0         SystemLow-SystemHigh    sysadm_r staff_r
sysadm_u        sysadm      s0         SystemLow-SystemHigh    sysadm_r
system_u        user        s0         SystemLow-SystemHigh    system_r
unconfined_u    unconfined  s0         SystemLow-SystemHigh    system_r unconfined_r
user_u          user        s0         s0                      system_r user_r

# semanage login -l
Login Name      SELinux User    MLS/MCS Range
__default__     user_u          s0
root            root            SystemLow-SystemHigh

# id -Z
user_u:system_r:unconfined_t
Oh, and as for selinux-policy:
# rpm -q selinux-policy
selinux-policy-3.0.8-64.fc8.noarch

semanage login -m -s unconfined_u __default__
logout

No go. Ran semanage command as root, logged out, logged back in, and:
# service cups start
Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied
[FAILED]
Also, since that didn't work, is there a command I need to run to undo that? I am really not that versed at SELinux, so I don't want to kill my box.

What does id -Z show now? And semanage login -l?

(In reply to comment #12)
> What does id -Z show now?
# id -Z
user_u:system_r:unconfined_t
> And semanage login -l?
# semanage login -l
Login Name      SELinux User    MLS/MCS Range
__default__     unconfined_u    s0
root            root            SystemLow-SystemHigh

Hmm...so your login context didn't change at all. You can revert the change via semanage login -m again, e.g.
semanage login -m -s user_u __default__
but that doesn't seem consistent with comment 6. Dan, what's the default user supposed to be in F8?

I am changing it to unconfined_u.
# semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
# semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
Log out and log back in. Now does it start?

(In reply to comment #15)
> I am changing it to unconfined_u.
>
> # semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023
> unconfined_u
> # semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
>
> Log out and log back in. Now does it start?
No go here. I ran the two commands above (I assume unconfined_u was continued from the previous command, otherwise semanage borked), logged out and logged back in. And then:
# service cups start
Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied
[FAILED]
# id -Z
user_u:system_r:unconfined_t
# semanage login -l
Login Name      SELinux User    MLS/MCS Range
__default__     unconfined_u    SystemLow-SystemHigh
root            root            SystemLow-SystemHigh
Are my semanage changes not sticking around? Or should I be doing all this in runlevel 3 or 1? I'm currently being root via "su -".

Are you logging all the way out? IE Not just to su.
Do you see any avc messages in /var/log/messages or /var/log/audit/audit.log?
Do you see any SELINUX_ERR in these files?

(In reply to comment #17)
> Are you logging all the way out? IE Not just to su.
Nope, that was it. I was reading "log out" as exit su since I thought I was just mucking with root. Sorry for the confusion, but this is the first box I've had where SELinux wasn't turned off upon build. I'm trying! Also:
# service cups start
Starting cups: [ OK ]
# id -Z
unconfined_u:system_r:unconfined_t:SystemLow-SystemHigh

Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.