Bug 860528

Summary:	cupsd[1334]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Product:	[Fedora] Fedora	Reporter:	xset1980
Component:	p11-kit	Assignee:	Stef Walter <stefw>
Status:	CLOSED ERRATA	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	unspecified	Docs Contact:
Priority:	high
Version:	18	CC:	andrew.kavalov, atulya.swayankar, bugzilla, eddie, ipilcher, jpopelka, kalevlember, mads, mclasen, stefw, tmraz
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	p11-kit-0.14-2.fc18	Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2013-05-23 12:39:15 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description xset1980 2012-09-26 04:36:20 UTC

Description of problem:

i see on /var/log/messages on every boot this message:
Sep 26 01:25:06 fedora18 cupsd[1334]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied

Version-Release number of selected component (if applicable):

Fedora 18 KDE Alpha up to date
p11-kit-0.14-1.fc18.i686


How reproducible:

Always

Steps to Reproduce:
1.Install F18 Alpha
2.yum update -y
3.reboot and tail -f /var/log/messages
  
Actual results:


Expected results:


Additional info:

Comment 1 Stef Walter 2012-09-26 05:47:26 UTC

This sounds like an SELinux policy problem. Is pkcs11.conf mentioned in /var/log/audit/audit.log?

Comment 2 xset1980 2012-09-26 20:16:59 UTC

(In reply to comment #1)
> This sounds like an SELinux policy problem. Is pkcs11.conf mentioned in
> /var/log/audit/audit.log?

@Stef Walter,

No, is no mentioned in /var/log/audit/audit.log:


[root@fedora18 ~]# cat /var/log/messages |grep -i cupsd
Sep 21 22:13:54 localhost cupsd[4297]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 21 23:30:11 localhost cupsd[1223]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 21 02:46:27 localhost cupsd[1382]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 21 00:32:26 localhost cupsd[1368]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 21 01:02:05 fedora18 cupsd[1460]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 21 16:43:52 fedora18 cupsd[1301]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 25 10:07:06 fedora18 cupsd[1405]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 25 11:32:42 fedora18 cupsd[1300]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 25 12:23:07 fedora18 cupsd[1312]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 25 23:20:51 fedora18 cupsd[1304]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 25 23:50:21 fedora18 cupsd[1322]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 26 00:20:11 fedora18 cupsd[1312]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 26 01:25:06 fedora18 cupsd[1334]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
Sep 26 16:41:38 fedora18 cupsd[1419]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
[root@fedora18 ~]# cat /var/log/audit/audit.log |grep pkcs11.conf
[root@fedora18 ~]# cat /var/log/audit/audit.log |grep p11-kit
[root@fedora18 ~]#

Comment 3 Mads Kiilerich 2012-11-13 20:45:04 UTC

It seems very wrong to me that a service running as system_u:system_r:cupsd_t should have anything to do in /root .

Comment 4 Stef Walter 2012-11-14 10:42:46 UTC

Well, if we want to make big claims: It seems wrong to me that a printing service is running as root.

But in any case. p11-kit tries to access config files both in /etc and in the user's home directory. 

So there's a patch to fix this upstream. It requires testing and review before I'll merge it. Thanks for your help.

Comment 5 Stef Walter 2012-11-14 10:43:28 UTC

Oh, in case it wasn't obvious: https://bugs.freedesktop.org/show_bug.cgi?id=57115

Comment 6 Ian Pilcher 2012-12-31 00:14:04 UTC

My samba log is full of these messages (and I don't even have a /root/pkcs11 directory).

Comment 7 atulya.swayankar 2013-02-01 08:40:55 UTC

(In reply to comment #6)
> My samba log is full of these messages (and I don't even have a /root/pkcs11
> directory).

I am also getting same error when i start httpd
(in my system also there is no /root/.pkcs11   directory is there )

Comment 8 Stef Walter 2013-02-01 08:58:56 UTC

Fix for this has been merged upstream. I'll leave it to Kalev to decide whether to back-port a patch for this into Fedora 18.

Comment 9 Frank Büttner 2013-05-12 07:41:45 UTC

The problem happened again, when restart the cupsd.
And printing is not possible.
[root@bart ~]# systemctl restart colord.service 
[root@bart ~]# systemctl restart cups.service 
[root@bart ~]# tail -f /var/log/messages
May 12 09:11:00 bart colord: Device added: cups-Cups-PDF
May 12 09:11:00 bart colord: Profile added: ffgtk-fax-Gray..
May 12 09:11:00 bart colord[5423]: (colord:5423): Cd-WARNING **: failed to get session [pid 5431]: Unbekannter Fehler -2
May 12 09:11:00 bart colord: Device added: cups-ffgtk-fax
May 12 09:11:00 bart colord: Profile added: HP_Laserjet_1200-Gray..
May 12 09:11:00 bart colord: Profile added: HP_Laserjet_1200-RGB..
May 12 09:11:00 bart colord[5423]: (colord:5423): Cd-WARNING **: failed to get session [pid 5431]: Unbekannter Fehler -2
May 12 09:11:00 bart colord: Device added: cups-HP_Laserjet_1200
May 12 09:11:00 bart cupsd[5431]: p11-kit: couldn't open config file: /root/.pkcs11/pkcs11.conf: Permission denied
May 12 09:11:02 bart systemd[1]: Started CUPS Printing Service.

Comment 10 Frank Büttner 2013-05-12 07:44:31 UTC

cups-1.5.4-20.fc18.x86_64
colord-0.1.31-1.fc18.x86_64
p11-kit-0.14-1.fc18.x86_64

The last update that was installed was: 
May 12 08:35:23 Updated: nspr-4.9.6-1.fc18.x86_64
May 12 08:35:24 Updated: ibus-m17n-1.3.4-8.fc18.x86_64

Comment 11 Stef Walter 2013-05-13 04:51:14 UTC

Please test this build and see if it fixes your problem: http://koji.fedoraproject.org/koji/taskinfo?taskID=5370883

Note: Your inability to print may be for completely different reasons. So when testing this patch please use the following criteria: "Is the error in the logs gone?"

Comment 12 Frank Büttner 2013-05-13 16:14:52 UTC

Yes it will fix it.
Printing is working again and no errors:
[root@bart ~]# systemctl restart colord.service
[root@bart ~]# systemctl restart cups.service
[root@bart ~]# tail -f /var/log/messages
May 13 18:12:38 bart colord: Profile added: Cups-PDF-RGB..
May 13 18:12:38 bart colord[4190]: (colord:4190): Cd-WARNING **: failed to get session [pid 4205]: Unbekannter Fehler -2
May 13 18:12:38 bart colord: Device added: cups-Cups-PDF
May 13 18:12:38 bart colord: Profile added: ffgtk-fax-Gray..
May 13 18:12:38 bart colord[4190]: (colord:4190): Cd-WARNING **: failed to get session [pid 4205]: Unbekannter Fehler -2
May 13 18:12:38 bart colord: Device added: cups-ffgtk-fax
May 13 18:12:38 bart colord: Profile added: HP_Laserjet_1200-Gray..
May 13 18:12:38 bart colord: Profile added: HP_Laserjet_1200-RGB..
May 13 18:12:38 bart colord[4190]: (colord:4190): Cd-WARNING **: failed to get session [pid 4205]: Unbekannter Fehler -2
May 13 18:12:38 bart colord: Device added: cups-HP_Laserjet_1200
May 13 18:13:33 bart dbus-daemon[796]: dbus[796]: [system] Activating service name='org.opensuse.CupsPkHelper.Mechanism' (using servicehelper)
May 13 18:13:33 bart dbus[796]: [system] Activating service name='org.opensuse.CupsPkHelper.Mechanism' (using servicehelper)
May 13 18:13:33 bart dbus-daemon[796]: dbus[796]: [system] Successfully activated service 'org.opensuse.CupsPkHelper.Mechanism'
May 13 18:13:33 bart dbus[796]: [system] Successfully activated service 'org.opensuse.CupsPkHelper.Mechanism'
May 13 18:13:40 bart systemd[1]: Started CUPS Printing Service.

Comment 13 Stef Walter 2013-05-13 19:16:27 UTC

I can do a Fedora update for this. Will wait for necessary permission from the package maintainer.

Comment 14 Fedora Admin XMLRPC Client 2013-05-13 19:29:47 UTC

This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 15 Fedora Update System 2013-05-13 20:47:22 UTC

p11-kit-0.14-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/p11-kit-0.14-2.fc18

Comment 16 Fedora Update System 2013-05-15 03:28:19 UTC

Package p11-kit-0.14-2.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing p11-kit-0.14-2.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-8209/p11-kit-0.14-2.fc18
then log in and leave karma (feedback).

Comment 17 Fedora Update System 2013-05-23 12:39:15 UTC

p11-kit-0.14-2.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.