Bug 430829

Summary: SELinux is preventing the /usr/sbin/cupsd from using potentially mislabeled files ().
Product: [Fedora] Fedora
Reporter: Rick Richardson <rickrich>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low    
Version: 8   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-02-26 22:08:52 UTC
Attachments:
audit.log (flags: none)
local.te (flags: none)

Description Rick Richardson 2008-01-30 00:00:05 UTC
SELinux is preventing the /usr/sbin/cupsd from using potentially mislabeled
files ().

SELinux has denied /usr/sbin/cupsd access to potentially mislabeled file(s) ().
This means that SELinux will not allow /usr/sbin/cupsd to use these files. It is
common for users to edit files in their home directory or tmp directories and
then move (mv) them to system directories. The problem is that the files end up
with the wrong file context which confined applications are not allowed to access.

If you want /usr/sbin/cupsd to access this files, you need to relabel them using
restorecon -v . You might want to relabel the entire directory using restorecon
-R -v .


"restorecon -v ."?

What directory?? !!

Comment 1 Daniel Walsh 2008-01-30 15:42:10 UTC
Please attach the AVC messages.  /var/log/audit/audit.log

Comment 2 Rick Richardson 2008-01-30 15:56:13 UTC
Created attachment 293421 [details]
audit.log

Comment 3 Daniel Walsh 2008-01-30 16:19:14 UTC
You have cups trying to look at the file /home/rick/prn?  Is this a local
customization?  If you want to allow this you can use audit2allow to add it.
Cups does not usually read users' home directories.

Comment 4 Rick Richardson 2008-01-30 16:34:39 UTC
# cat /var/log/audit/audit.log | audit2allow -M local
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp

# semodule -i local.pp
libsepol.check_assertion_helper: neverallow violated by allow nfsd_t
fixed_disk_device_t:blk_file { read }; Cannot allocate memory.
libsemanage.semanage_expand_sandbox: Expand module failed Cannot allocate memory.
semodule:  Failed!


Comment 5 Rick Richardson 2008-01-30 16:37:37 UTC
Created attachment 293439 [details]
local.te

Comment 6 Daniel Walsh 2008-01-31 18:16:21 UTC
Yes, you are trying to load a policy that includes nfs being able to read/write
raw disk.

Try:

# grep cups /var/log/audit/audit.log | audit2allow -M local

Also update to the latest selinux policy.
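
The filtering advice in comment 6, as an added example that is not part of the original thread: a Python sketch that groups AVC denials by source domain, so rules for unrelated domains (such as the nfsd_t raw-disk rule behind the neverallow failure in comment 4) are visible before a module is built from the whole log. The log records are constructed, and the helper names (rules_by_domain, unexpected_domains, render) and the user_home_t target type are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (assumption: NOT taken from the attached audit.log).
SAMPLE_LOG = """\
type=AVC msg=audit(1201650001.101:51): avc:  denied  { read } for  pid=2101 comm="cupsd" name="prn" dev=dm-0 ino=98311 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1201650002.202:52): avc:  denied  { getattr } for  pid=2101 comm="cupsd" path="/home/rick/prn" dev=dm-0 ino=98311 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1201650003.303:53): avc:  denied  { read } for  pid=1873 comm="nfsd" name="sda1" dev=tmpfs ino=410 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1201650003.303:53): arch=40000003 syscall=5 success=no exit=-13 comm="nfsd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def rules_by_domain(log_text):
    """Map source domain -> {(target type, class): set of denied permissions}."""
    rules = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # SYSCALL and other record types carry no rule
        m = AVC_RE.search(line)
        if not m:
            continue  # granted or malformed AVC record
        src = selinux_type(m["s"])
        key = (selinux_type(m["t"]), m["cls"])
        rules[src][key].update(m["perms"].split())
    return rules

def unexpected_domains(rules, wanted):
    """Source domains present in the log that the admin did not intend to change."""
    return sorted(d for d in rules if d not in wanted)

def render(rules, wanted):
    """Render allow rules, marking those for domains outside `wanted`."""
    out = []
    for src in sorted(rules):
        for tgt, cls in sorted(rules[src]):
            perms = " ".join(sorted(rules[src][(tgt, cls)]))
            mark = "" if src in wanted else "  # unexpected domain"
            out.append(f"allow {src} {tgt}:{cls} {{ {perms} }};{mark}")
    return out

if __name__ == "__main__":
    print("\n".join(render(rules_by_domain(SAMPLE_LOG), {"cupsd_t"})))
```

Grouping on the scontext type is stricter than a text match on "cups", which also keeps any record that merely mentions the string.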

Comment 7 Daniel Walsh 2008-02-26 22:08:52 UTC
This is local customization so will not fix.