Bug 796634

Summary: cups-pdf problems in F17 if SELINUX=enforcing
Product: [Fedora] Fedora
Reporter: Joachim Backes <joachim.backes>
Component: cups-pdf
Assignee: Remi Collet <fedora>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: fedora
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2012-02-24 09:01:38 UTC Type: ---

Description Joachim Backes 2012-02-23 11:14:47 UTC
Description of problem:

The standard SELINUX is set to SELINUX=enforcing in F17.
Running cups-lpd in F17. I edited /etc/cups/cups-pdf.conf by setting
"Out ${DESKTOP}/PDF". But that did not work: No printing output to the pdf printer landed in ~/Desktop/PDF. 

But after setting SELINUX=permissive (in /etc/selinux/config), all pdf printing appears in ~/Desktop/PDF as desired.

The access rights of ~/Desktop/PDF are: drwxrwxr-x

Version-Release number of selected component (if applicable):
cups-pdf-2.6.1-1.fc17.x86_64

How reproducible:
always

Steps to Reproduce:
1. Print some stuff to the PDF printer
Actual results:
Nothing appears in the directory given by Out ${DESKTOP}/PDF (in /etc/cups/cups-pdf.conf)

Expected results:


Additional info:

Comment 1 Joachim Backes 2012-02-23 11:17:03 UTC
(In reply to comment #0)

Sorry, typo: I meant "Running cups-pdf in F17" (and not "Running cups-lpd in F17")

Comment 2 Remi Collet 2012-02-23 18:51:00 UTC
Please check the audit.log to get the full avc denied message.

And:
ls -Zld $HOME/Desktop
ls -Zld $HOME/Desktop/PDF

Comment 3 Joachim Backes 2012-02-23 20:58:16 UTC
(In reply to comment #2)
> Please check the audit.log to get the full avc denied message.

grep cups audit.log.1|grep -i pdf|grep -i avc
type=AVC msg=audit(1329920737.647:1317): avc:  denied  { write } for  pid=24774 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921055.419:1336): avc:  denied  { write } for  pid=26693 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921249.835:1345): avc:  denied  { write } for  pid=26747 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921406.685:1352): avc:  denied  { write } for  pid=26812 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921592.491:1378): avc:  denied  { write } for  pid=26940 comm="cups-pdf" name="backes" dev="sda7" ino=2883586 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921709.160:1379): avc:  denied  { write } for  pid=26995 comm="cups-pdf" name="backes" dev="sda7" ino=2883586 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921713.254:1380): avc:  denied  { write } for  pid=27003 comm="cups-pdf" name="backes" dev="sda7" ino=2883586 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329922116.962:1405): avc:  denied  { write } for  pid=27208 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

> 
> And :
> ls -Zld $HOME/Desktop
drwxr-xr-x. 5 system_u:object_r:user_home_t:s0 backes backes 4096 Feb 23 14:29 /home/backes/Desktop

> ls -Zld $HOME/Desktop/PDF
drwxrwxr-x. 2 system_u:object_r:default_t:s0   backes backes 4096 Feb 23 11:27 /home/backes/Desktop/PDF

Comment 4 Remi Collet 2012-02-24 06:20:13 UTC
So, type for PDF directory is not ok.

Please change it to user_home_t (with chcon or restorecon)

Comment 5 Joachim Backes 2012-02-24 09:01:38 UTC
(In reply to comment #4)
> So, type for PDF directory is not ok.
> 
> Please change it to user_home_t (with chcon or restorecon)

Thanks, works for me!
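
The triage done by hand in comments 3 and 4, as an added example that is not part of the original bug report: a shell/awk function that collapses AVC denials into one line per distinct source type, target type, class, permission and object name, and marks targets still labelled default_t. The function name `summarize_avc` and the variable `SAMPLE_AVC` are assumptions made for this example; the sample lines are three of the denials quoted in comment 3.

```shell
#!/bin/sh
# Added example (not from the bug report): summarise SELinux AVC denials and
# point out targets whose type is default_t, as diagnosed in comment 4.

# Three of the denials quoted in comment 3, embedded so the script runs offline.
SAMPLE_AVC='type=AVC msg=audit(1329920737.647:1317): avc:  denied  { write } for  pid=24774 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921055.419:1336): avc:  denied  { write } for  pid=26693 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921592.491:1378): avc:  denied  { write } for  pid=26940 comm="cups-pdf" name="backes" dev="sda7" ino=2883586 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir'

# summarize_avc: read audit lines on stdin and print, per distinct denial,
#   <count> <source type> -> <target type> <class> {<perms>} name=<object>
# A trailing note is added when the target type is default_t.
summarize_avc() {
    awk '
    /avc:/ && /denied/ {
        perm = ""; stype = ""; ttype = ""; tclass = ""; name = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # collect every permission between the braces
                for (i++; i <= NF && $i != "}"; i++)
                    perm = perm (perm == "" ? "" : ",") $i
            }
            else if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
            else if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
            else if ($i ~ /^name=/)     { name = substr($i, 6); gsub(/"/, "", name) }
        }
        key = stype " -> " ttype " " tclass " {" perm "} name=" name
        if (!(key in count)) order[++n] = key   # keep first-seen order
        count[key]++
        note[key] = (ttype == "default_t") ? " <- target is default_t, check its label" : ""
    }
    END {
        for (j = 1; j <= n; j++)
            print count[order[j]], order[j] note[order[j]]
    }
    '
}

# Stand-alone run over the embedded sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a live system the same function can read the audit log directly; the objects it names are then the ones to inspect with `ls -Zld` before relabelling with chcon or restorecon, as in comments 2 and 4.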