| Field | Value |
|---|---|
| Summary: | SELinux is preventing /usr/sbin/cupsd from 'getattr' accesses on the directory /boot. |
| Product: | Fedora |
| Reporter: | Mamoru TASAKA <mtasaka> |
| Component: | selinux-policy |
| Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium |
| Priority: | medium |
| Version: | 14 |
| CC: | dominick.grift, dwalsh, jpopelka, mgrepl, twaugh |
| Target Milestone: | --- |
| Target Release: | --- |
| Hardware: | i386 |
| OS: | Linux |
| Whiteboard: | setroubleshoot_trace_hash:23471138e0639f2e2bef45ae3f9619febc25899977872002dae8ca41d7f61fb2 |
| Doc Type: | Bug Fix |
| Story Points: | --- |
| Last Closed: | 2012-08-16 16:49:22 UTC |
| Type: | --- |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| Category: | --- |
| oVirt Team: | --- |
| Cloudforms Team: | --- |
This SELinux AVC is triggered every time I run

```
# service cupsd restart
```

as root. In particular, every time I update the cups rpm this SELinux AVC occurs.

/boot is a separate partition; I don't know if this is related.

```
Filesystem                    1K-blocks     Used Available Use% Mounted on
/dev/sda2                      20158332  5996028  13138304  32% /
tmpfs                            707136      432    706704   1% /dev/shm
/dev/sda1                        705512    35692    633980   6% /boot
/dev/mapper/VolGroup00-LogVol03
                              225195500 10910272 202845920   6% /home
/dev/mapper/VolGroup00-LogVol00
                                8063408   151968   7501840   2% /tmp
/dev/mapper/VolGroup00-LogVol01
                                8063408  3763304   3890504  50% /var
```
Is CUPS doing a getattr of all mount points?

No. Are you really doing "service cupsd restart"? Not "service cups restart"? What does 'rpm -q cups' say, and what about 'rpm -V cups cups-libs'?

I will check it the next day.

Ah, actually it was "service cups restart", not "service cupsd restart".

And:

```
[root@localhost ~]# rpm -q cups
cups-1.4.8-5.fc14.i686
[root@localhost ~]# rpm -V cups{,-libs}
.M....... c /etc/cups/subscriptions.conf
[root@localhost ~]# cat /etc/cups/subscriptions.conf
# Subscription configuration file for CUPS v1.4.8
# Written by cupsd on 2011-10-04 17:35
NextSubscriptionId 14
<Subscription 13>
Events printer-state-changed printer-restarted printer-shutdown printer-stopped printer-added printer-deleted job-state-changed job-created job-completed job-stopped job-progress
Owner mtasaka
LeaseDuration 86400
Interval 0
ExpirationTime 1317799175
NextEventId 49
</Subscription>
[root@localhost ~]#
```
Created attachment 526353: strace log

The output of

```
# strace -f service cups restart
```
Oh, could this be it?:
```c
/* cupsd: size the spool filesystem to decide how large a job it can accept;
 * any statvfs() failure falls back to "no limit" (INT_MAX) */
if (statvfs(RequestRoot, &spoolinfo))
  k_supported = INT_MAX;
else if ((spoolsize = (double)spoolinfo.f_frsize * spoolinfo.f_blocks / 1024) >
         INT_MAX)
  k_supported = INT_MAX;
else
  k_supported = (int)spoolsize;
```
It's trying to work out how large a job it can accept.
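The fragment quoted above, carried through as a runnable program (added here as an example; it is not cupsd's own code) to show the failure mode a defender cares about: when statvfs() on the spool directory fails, cupsd silently falls back to INT_MAX, so the denial does not stop printing but does remove the spool-size limit. glibc's statvfs() fills in f_flag by stat()ing each mount point listed in /proc/mounts until it finds the matching device, which is how a call on the spool directory ends up doing getattr on /boot; the helper names and sample paths below are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/statvfs.h>

/* Hypothetical helper mirroring the cupsd check: largest job size, in KiB,
 * that the spool filesystem at `spool_dir` can hold.  On any statvfs()
 * failure (ENOENT, or EACCES from an SELinux denial) the result is INT_MAX,
 * i.e. the size limit is effectively switched off; the errno is reported
 * through `err_out` so a caller can log the degraded state. */
int spool_limit_kb(const char *spool_dir, int *err_out)
{
    struct statvfs spoolinfo;
    double         spoolsize;
    int            k_supported;

    if (statvfs(spool_dir, &spoolinfo)) {
        if (err_out) *err_out = errno;
        k_supported = INT_MAX;
    } else if ((spoolsize = (double)spoolinfo.f_frsize * spoolinfo.f_blocks
                            / 1024) > INT_MAX) {
        if (err_out) *err_out = 0;
        k_supported = INT_MAX;
    } else {
        if (err_out) *err_out = 0;
        k_supported = (int)spoolsize;
    }
    return k_supported;
}

/* True when the limit came from the fallback path rather than a real
 * measurement of the spool filesystem. */
int spool_limit_is_fallback(const char *spool_dir)
{
    int err = 0;
    spool_limit_kb(spool_dir, &err);
    return err != 0;
}

int main(void)
{
    /* constructed sample paths: one that exists, one that cannot be stat'ed */
    const char *dirs[] = { "/", "/nonexistent-spool-dir" };
    for (int i = 0; i < 2; i++) {
        int err = 0;
        int kb  = spool_limit_kb(dirs[i], &err);
        printf("%-24s limit=%d KiB%s\n", dirs[i], kb, err ? " (fallback)" : "");
        if (err) printf("  statvfs failed: %s\n", strerror(err));
    }
    return 0;
}
```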
Actually, stepping with the gdb next command, SELinux Alert Browser complains when

```
501 if (statvfs(RequestRoot, &spoolinfo))
```

is executed. I think the policy should be modified to allow this.

This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

SELinux is preventing /usr/sbin/cupsd from 'getattr' accesses on the directory /boot.

```
***** Plugin catchall (100. confidence) suggests ***************************

If you believe that cupsd should be allowed getattr access on the boot directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context        unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context        system_u:object_r:boot_t:s0
Target Objects        /boot [ dir ]
Source                cupsd
Source Path           /usr/sbin/cupsd
Port                  <Unknown>
Host                  (removed)
Source RPM Packages   cups-1.4.8-5.fc14
Target RPM Packages   filesystem-2.4.35-1.fc14
Policy RPM            selinux-policy-3.9.7-44.fc14
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             (removed)
Platform              Linux (removed) 2.6.35.11-83.fc14.i686 #1 SMP Mon Feb 7 07:04:18 UTC 2011 i686 i686
Alert Count           2
First Seen            2011-10-04 11:51:43
Last Seen             2011-10-04 11:51:43
Local ID              6361b402-e7be-4c43-a05b-1c4c525c141e

Raw Audit Messages
type=AVC msg=audit(1317696703.36:27533): avc: denied { getattr } for pid=30020 comm="cupsd" path="/boot" dev=sda1 ino=2 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:boot_t:s0 tclass=dir
type=SYSCALL msg=audit(1317696703.36:27533): arch=i386 syscall=stat64 success=no exit=EACCES a0=bfd37cc2 a1=bfd380b8 a2=ad7ff4 a3=0 items=0 ppid=30019 pid=30020 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=cupsd exe=/usr/sbin/cupsd subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: cupsd,cupsd_t,boot_t,dir,getattr

audit2allow
#============= cupsd_t ==============
allow cupsd_t boot_t:dir getattr;

audit2allow -R
#============= cupsd_t ==============
allow cupsd_t boot_t:dir getattr;
```