| Summary: | SELinux is preventing /usr/sbin/cupsd from 'read' accesses on the file printers.conf. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jason Antonacci <jason.antonacci> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 14 | CC: | dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:9798fa972a21db777d66598246e601c8bcbe663a78768c88460b37556e894712 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-02-09 19:35:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Have just re-installed FC14 x86_64 replacing FC14 i386. Backed up many etc files incl. /etc/cups/printers.conf file so I would not have to re-install printers again.

Copied the file back to /etc/cups/ and restarted cups. SELinux error appeared.

Changed permissions from 600 to 640 and restarted cups. SELinux error appeared again.

Changed ownership to root:lp and restarted cups. SELinux error appeared again.

Update selinux policy:

```
# sudo grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
# sudo semodule -i mypol.pp
# sudo service cups restart
```

SELinux error appeared again. Trying autorelabel on next restart.

You could have just run restorecon. The problem is if you moved files off a system with no labels to a system with labels, they will be unlabeled. If you copied them, you probably would have had better luck. The best would be to have copied them and then run restorecon on them.
```
SELinux is preventing /usr/sbin/cupsd from 'read' accesses on the file printers.conf.

*****  Plugin file (36.8 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (36.8 confidence) suggests  *******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall_labels (23.2 confidence) suggests  ********************

If you want to allow cupsd to have read access on the printers.conf file
Then you need to change the label on printers.conf
Do
# semanage fcontext -a -t FILE_TYPE 'printers.conf'
where FILE_TYPE is one of the following: anon_inodefs_t, etc_runtime_t, openct_var_run_t, cupsd_var_run_t, hplip_var_run_t, pcscd_var_run_t, snmpd_var_lib_t, ld_so_cache_t, print_spool_t, cupsd_interface_t, hplip_exec_t, lpr_exec_t, system_dbusd_var_lib_t, bin_t, cert_t, cupsd_t, selinux_config_t, lib_t, usr_t, var_t, cupsd_rw_etc_t, sssd_public_t, sysctl_type, locale_t, cupsd_tmp_t, etc_t, fonts_t, abrt_var_run_t, proc_t, sysfs_t, usbfs_t, fonts_cache_t, ifconfig_exec_t, krb5_keytab_t, krb5_conf_t, readable_t, cupsd_etc_t, cupsd_log_t, sysctl_crypto_t, fail2ban_var_lib_t, security_t, initrc_exec_t, udev_tbl_t, shell_exec_t, abrt_t, lib_t, hplip_etc_t, printconf_t, user_cron_spool_t, var_lib_t, updpwd_exec_t, afs_cache_t, dbusd_etc_t, abrt_helper_exec_t, domain, samba_etc_t, logrotate_exec_t, apm_exec_t, faillog_t, cups_pdf_exec_t, ld_so_t, proc_net_t, cupsd_exec_t, cupsd_lock_t, chkpwd_exec_t, textrel_shlib_t, mta_exec_type, hostname_exec_t, samba_var_t, initrc_var_run_t, rpm_script_tmp_t, net_conf_t, root_t.
Then execute:
restorecon -v 'printers.conf'

*****  Plugin catchall (5.04 confidence) suggests  ***************************

If you believe that cupsd should be allowed read access on the printers.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:file_t:s0
Target Objects                printers.conf [ file ]
Source                        cupsd
Source Path                   /usr/sbin/cupsd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           cups-1.4.6-1.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux localhost.localdomain 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 09 Feb 2011 01:24:31 PM EST
Last Seen                     Wed 09 Feb 2011 01:24:31 PM EST
Local ID                      23226b73-dfe7-4a8e-a7d9-2f99fa8f9889

Raw Audit Messages
type=AVC msg=audit(1297275871.527:38355): avc: denied { read } for pid=2846 comm="cupsd" name="printers.conf" dev=sda3 ino=2760474 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file

type=SYSCALL msg=audit(1297275871.527:38355): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff60849940 a1=0 a2=0 a3=7fff6084a290 items=0 ppid=2845 pid=2846 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=cupsd exe=/usr/sbin/cupsd subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: cupsd,cupsd_t,file_t,file,read

audit2allow

#============= cupsd_t ==============
#!!!! This avc is allowed in the current policy
allow cupsd_t file_t:file read;

audit2allow -R

#============= cupsd_t ==============
#!!!! This avc is allowed in the current policy
allow cupsd_t file_t:file read;
```
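
An added example, not part of the original report or of the selinux-policy project: a shell triage over AVC records that separates denials whose target has no valid label (`file_t`, as in the record above) from denials on a validly labeled object, so the first case is routed to `restorecon` instead of an `audit2allow` module. The function names `avc_field` and `triage_avc` and the second sample record are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage AVC denials by the target's SELinux type.
# file_t / unlabeled_t on the target means the object carries no valid label,
# so the fix is relabeling (restorecon), not a local audit2allow module.

# AVC record quoted from the report above.
SAMPLE_PAGE='type=AVC msg=audit(1297275871.527:38355): avc: denied { read } for pid=2846 comm="cupsd" name="printers.conf" dev=sda3 ino=2760474 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file'
# Constructed record: same file, but carrying a valid label from another directory.
SAMPLE_OTHER='type=AVC msg=audit(1297275900.000:38400): avc: denied { read } for pid=2900 comm="cupsd" name="printers.conf" dev=sda3 ino=2760474 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# Print the value of key=value field $2 in audit line $1, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) {
                v = substr($i, length(k) + 2); gsub(/"/, "", v); print v; exit
            }
    }'
}

# Classify one audit line and print a one-line recommendation.
triage_avc() {
    case "$1" in
        *"avc:"*"denied"*) ;;
        *) echo "skip: not an AVC denial"; return 0 ;;
    esac
    # A context is user:role:type:level, so the type is the third field.
    ttype=$(avc_field "$1" tcontext | cut -d: -f3)
    stype=$(avc_field "$1" scontext | cut -d: -f3)
    name=$(avc_field "$1" name)
    perm=$(printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p')
    case "$ttype" in
        file_t|unlabeled_t)
            echo "relabel: $name is $ttype (no valid label); run restorecon -v on its full path" ;;
        *)
            echo "review: $stype denied { $perm } on $name ($ttype); check the expected label before writing policy" ;;
    esac
}

for rec in "$SAMPLE_PAGE" "$SAMPLE_OTHER"; do
    triage_avc "$rec"
done
```

On a live system the input lines would come from /var/log/audit/audit.log instead of the embedded samples.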