Bug 1023937 - SELinux is preventing /usr/libexec/cups-pk-helper-mechanism from 'read' accesses on the file tmpQ1BRQ4.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 19
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:ff86115e28e28238033319c8104...
Keywords: Reopened
Reported: 2013-10-28 07:50 EDT by Brian J. Murrell
Modified: 2014-12-19 13:29 EST

Fixed In Version: selinux-policy-3.12.1-74.30.fc19
Doc Type: Bug Fix
Last Closed: 2014-12-19 13:29:22 EST
Attachments
The file /root/local_cups_Policy.pp (957 bytes, application/octet-stream)
2013-10-31 18:03 EDT, Dale Snell
Description Brian J. Murrell 2013-10-28 07:50:30 EDT
Description of problem:
SELinux is preventing /usr/libexec/cups-pk-helper-mechanism from 'read' accesses on the file tmpQ1BRQ4.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that cups-pk-helper-mechanism should be allowed read access on the tmpQ1BRQ4 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep cups-pk-helper- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_config_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                tmpQ1BRQ4 [ file ]
Source                        cups-pk-helper-
Source Path                   /usr/libexec/cups-pk-helper-mechanism
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           cups-pk-helper-0.2.4-2.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.9.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.4-201.fc19.x86_64 #1 SMP Thu
                              Oct 10 14:11:18 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-10-27 23:22:33 EDT
Last Seen                     2013-10-27 23:41:36 EDT
Local ID                      d93e9e4b-5072-4f1e-b633-f97c786b8fc4

Raw Audit Messages
type=AVC msg=audit(1382931696.13:1423): avc:  denied  { read } for  pid=27998 comm="cups-pk-helper-" name="tmpQ1BRQ4" dev="dm-5" ino=181263 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1382931696.13:1423): arch=x86_64 syscall=open success=no exit=EACCES a0=23f1bd0 a1=0 a2=411588 a3=0 items=0 ppid=1 pid=27998 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=cups-pk-helper- exe=/usr/libexec/cups-pk-helper-mechanism subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)

Hash: cups-pk-helper-,cupsd_config_t,user_home_t,file,read

Additional info:
reporter:       libreport-2.1.8
hashmarkername: setroubleshoot
kernel:         3.11.4-201.fc19.x86_64
type:           libreport

Potential duplicate: bug 666185
Comment 1 Daniel Walsh 2013-10-28 17:08:13 EDT
Does bug 666185 look like the same problem to you?
Comment 2 Brian J. Murrell 2013-10-29 22:39:09 EDT
It does look the same, yes.  But I also do not have /tmp linked to my ~/tmp.  I do have $TMPDIR set to ~/tmp though.
Comment 3 Dale Snell 2013-10-31 15:30:49 EDT
Description of problem:
1.  Attempted to print from qpdfview (via cups), which failed.
2.  SELinux detected an error.
3.  Created a new local policy, per the error report.

Note: there was also a failure to allow cups-pk-helper-mechanism to write to a temporary file.

Additional info:
reporter:       libreport-2.1.8
hashmarkername: setroubleshoot
kernel:         3.11.6-200.fc19.x86_64
type:           libreport
Comment 4 Brian J. Murrell 2013-10-31 15:33:04 EDT
(In reply to Dale Snell from comment #3)
> 3.  Created a new local policy, per the error report.

Can you paste the commands you used to create the policy?  Thanks!
Comment 5 Dale Snell 2013-10-31 16:34:08 EDT
Sure thing:

"grep cups-pk-helper- /var/log/audit/audit.log | audit2allow -M local_cups_Policy".

If it helps, my $TMPDIR is set to $HOME/.tmp.
Comment 6 Dale Snell 2013-10-31 16:42:02 EDT
Oops, forgot to add the second line:

"semodule -i local_cups_Policy.pp"
Comment 7 Brian J. Murrell 2013-10-31 16:55:35 EDT
So what was in local_cups_Policy.pp then?  And/Or perhaps what was the output of:

grep cups-pk-helper- /var/log/audit/audit.log
Comment 8 Dale Snell 2013-10-31 18:00:41 EDT
Okay, here you are, the output of

grep cups-pk-helper- /var/log/audit/audit.log

type=AVC msg=audit(1383246773.813:697): avc:  denied  { read } for  pid=3297 comm="cups-pk-helper-" name="tmpK5Wgkz" dev="dm-8" ino=1477148 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1383246773.813:697): arch=c000003e syscall=2 success=no exit=-13 a0=f95910 a1=0 a2=ffffffffffffffff a3=3e2ee1b2e0 items=0 ppid=1 pid=3297 auid=4294967295 uid=0 gid=0 euid=1000 suid=0 fsuid=1000 egid=1000 sgid=0 fsgid=1000 ses=4294967295 tty=(none) comm="cups-pk-helper-" exe="/usr/libexec/cups-pk-helper-mechanism" subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)


Here are the contents of local_cups_Policy.te (.pp to follow as an attachment)

module local_cups_Policy 1.0;

require {
        type user_home_t;
        type cupsd_config_t;
        class file read;
}

#============= cupsd_config_t ==============
allow cupsd_config_t user_home_t:file read;
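An added example, not code from this bug or from the selinux-policy or cups-pk-helper projects. It reimplements in Python what `audit2allow -M` does with the AVC records quoted in this thread (merge denials into allow rules keyed by source type, target type and object class, then lay them out as a .te module) and adds the review step the tool does not do: flagging that `allow cupsd_config_t user_home_t:file read;` grants access to every user_home_t file, not just the temp file that was denied. Assumptions are labelled in the code: the extra write-denial record is constructed (comment 3 mentions such a denial but does not quote it), BROAD_TARGET_TYPES is my own list rather than anything from the policy, and the `semanage fcontext` / `restorecon` suggestion in the warning is a local interim relabel of ~/tmp, not the upstream policy change.

```python
import re
from collections import defaultdict

# The two AVC records quoted in this bug (comment 0 and comment 8).
PAGE_AVC_LINES = [
    'type=AVC msg=audit(1382931696.13:1423): avc:  denied  { read } for  pid=27998 comm="cups-pk-helper-" name="tmpQ1BRQ4" dev="dm-5" ino=181263 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1383246773.813:697): avc:  denied  { read } for  pid=3297 comm="cups-pk-helper-" name="tmpK5Wgkz" dev="dm-8" ino=1477148 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

# Constructed record (not from the bug): the write denial comment 3 mentions but does not quote.
CONSTRUCTED_WRITE_DENIAL = (
    'type=AVC msg=audit(1383246773.900:698): avc:  denied  { write open } for  pid=3297 '
    'comm="cups-pk-helper-" name="tmpK5Wgkz" dev="dm-8" ino=1477148 '
    'scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r"^type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; a value is either "quoted" or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
RULE_RE = re.compile(r"^allow (\S+) (\S+):(\S+) (.*);$")


def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other audit record (SYSCALL etc.)."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "serial": int(m.group("serial")),
           "verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if bare == "" else bare
    return rec


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def _perm_set(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def synthesize_rules(lines):
    """What audit2allow does: merge denials into allow rules keyed by (source type, target type, class)."""
    wanted = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        wanted[key].update(rec["perms"])
    return [f"allow {src} {tgt}:{cls} {_perm_set(perms)};"
            for (src, tgt, cls), perms in sorted(wanted.items())]


def render_module(name, rules, version="1.0"):
    """Lay the rules out as the .te file that `audit2allow -M <name>` writes."""
    types, classes, by_source = set(), defaultdict(set), defaultdict(list)
    for rule in rules:
        src, tgt, cls, body = RULE_RE.match(rule).groups()
        types.update((src, tgt))
        classes[cls].update(body.strip("{} ").split())
        by_source[src].append(rule)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"        type {t};" for t in sorted(types)]
    out += [f"        class {c} {_perm_set(p)};" for c, p in sorted(classes.items())]
    out.append("}")
    for src, src_rules in sorted(by_source.items()):
        out += ["", f"#============= {src} ==============", *src_rules]
    return "\n".join(out) + "\n"


# Assumption for this example: target types that span a whole class of user data, so a blanket
# allow on them is what comment 11 objects to.  This list is mine, not taken from the policy.
BROAD_TARGET_TYPES = {"user_home_t", "user_home_dir_t", "home_root_t"}


def review_rules(rules):
    """Pair each rule with a warning (or None) so overbroad audit2allow output is not installed blindly."""
    reviewed = []
    for rule in rules:
        src, tgt, cls, _ = RULE_RE.match(rule).groups()
        warning = None
        if tgt in BROAD_TARGET_TYPES:
            # Interim local alternative (assumed command form): relabel the directory actually used.
            warning = (f"'{rule}' lets every {src} process touch any {tgt} {cls}; label the directory "
                       f"actually in use instead, e.g. semanage fcontext -a -t user_tmp_t "
                       f"'/home/[^/]+/tmp(/.*)?' followed by restorecon -R ~/tmp")
        reviewed.append((rule, warning))
    return reviewed


if __name__ == "__main__":
    rules = synthesize_rules(PAGE_AVC_LINES + [CONSTRUCTED_WRITE_DENIAL])
    print(render_module("local_cups_Policy", rules))
    for rule, warning in review_rules(rules):
        print("WARNING:" if warning else "ok:", warning or rule)
```

With only the two records from this bug, `synthesize_rules` produces exactly the single rule in Dale's local_cups_Policy.te; adding the constructed write denial merges into `{ open read write }` on the same type pair, which is the point: audit2allow widens by type, never by path, so the rule it writes covers all of $HOME even though only one temp file was ever denied.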
Comment 9 Dale Snell 2013-10-31 18:03:23 EDT
Created attachment 818073 [details]
The file /root/local_cups_Policy.pp
Comment 10 Brian J. Murrell 2013-12-09 11:21:52 EST
So, I got this one again.  I don't think I really should need to have to create local policy.  SELinux should have sufficient policy built-in to handle this.
Comment 11 Daniel Walsh 2013-12-11 17:22:31 EST
You want me to allow a confined domain to read random content in users' home directories?  Because you changed where tmp content is stored?
Comment 12 Brian J. Murrell 2014-08-22 09:48:09 EDT
(In reply to Daniel Walsh from comment #11)
> You want me to allow a  confined domain to read random content in users
> homedirectories?

I think you are putting words in my mouth.  Of course I never suggested that entire home directories should be readable, but allowing access to ~/tmp is not any more unreasonable than allowing the same access in /tmp.

>  Because you changed where tmp content is stored?

Yes.  Because I don't want to have to manage consumption (by users) of my root filesystems.  If they want to fill up their $HOME with files, temporary or otherwise, then that is their resource to do that with.
Comment 13 Daniel Walsh 2014-08-22 16:03:26 EDT
I have no problem labeling the ~/tmp directory as user_tmp_t, probably not a bad idea.  Been a while since this bug was commented on.
Comment 14 Daniel Walsh 2014-08-22 16:12:41 EDT
3301303252216f80fb1dc2e7148c26507905a155 fixes this in git.  Basically labels ~/.tmp and ~/tmp as user_tmp_t.
Comment 15 Lukas Vrabec 2014-08-25 09:45:21 EDT
Backported to F20, F19.
Comment 16 Fedora Update System 2014-12-03 07:53:19 EST
selinux-policy-3.12.1-74.30.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.30.fc19
Comment 17 Fedora Update System 2014-12-04 01:27:12 EST
Package selinux-policy-3.12.1-74.30.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.30.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-16276/selinux-policy-3.12.1-74.30.fc19
then log in and leave karma (feedback).
Comment 18 Fedora Update System 2014-12-19 13:29:22 EST
selinux-policy-3.12.1-74.30.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
