-- I mounted /var/spool as tmpfs. So the following issue is provoked.

[19:01] raphael@schlebby ~ $ mount |grep spool
tmpfs on /var/spool type tmpfs (rw,noatime,seclabel,size=367556k)
[19:39] raphael@schlebby ~ $ df -h /var/spool/
Dateisystem    Größe Benutzt Verf. Verw% Eingehängt auf
tmpfs           359M    8,0K  359M    1% /var/spool
[19:40] raphael@schlebby ~ $ ll -a /var/spool/
insgesamt 4
drwxrwxrwt.  4 root root   80 25. Feb 02:58 .
drwxr-xr-x. 20 root root 4096 25. Feb 02:57 ..
drwx------.  2 root root   80 25. Feb 06:43 cron
drwxr-xr-x.  3 root root   60 25. Feb 02:58 cups
[19:40] raphael@schlebby ~ $ ll -a /var/spool/cups/
insgesamt 0
drwxr-xr-x. 3 root root 60 25. Feb 02:58 .
drwxrwxrwt. 4 root root 80 25. Feb 02:58 ..
drwxr-xr-x. 2 root root 40 25. Feb 02:58 tmp

SELinux is preventing /usr/sbin/cupsd from search access on the directory /var/spool.

***** Plugin catchall (100. confidence) suggests **************************

If sie denken, dass es cupsd standardmässig erlaubt sein sollte, search Zugriff auf spool directory zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /var/spool [ dir ]
Source                        cupsd
Source Path                   /usr/sbin/cupsd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           cups-1.7.0-9.fc20.x86_64
Target RPM Packages           filesystem-3.2-19.fc20.x86_64
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     schlebby
Platform                      Linux schlebby 3.13.3-201.fc20.x86_64 #1 SMP Fri Feb 14 19:08:32 UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-02-25 19:36:28 CET
Last Seen                     2014-02-25 19:36:32 CET
Local ID                      3885c1e0-2377-44e3-8636-dc0bee0b33bb

Raw Audit Messages
type=AVC msg=audit(1393353392.945:1316): avc: denied { search } for pid=27122 comm="cupsd" name="/" dev="tmpfs" ino=12112 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

type=SYSCALL msg=audit(1393353392.945:1316): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f37ea1e2704 a2=90800 a3=0 items=0 ppid=1 pid=27122 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: cupsd,cupsd_t,tmpfs_t,dir,search
selinux-policy-3.12.1-122.fc20.noarch
This looks like your /var/spool is mislabeled?

Does the following change the labels?
restorecon -R -v /var

Did you mount a tmpfs as /var/spool?
(In reply to Daniel Walsh from comment #2)
> This looks like your /var/spool is mislabeled?
>
> Does the following change the labels?
> restorecon -R -v /var
>
> Did you mount a tmpfs as /var/spool?

Well, the issue is that it is tmpfs, indeed. So the labels can't be persistently kept, can they?
I think adding the following as a mount option will fix your problem.

rootcontext="system_u:object_r:var_spool_t:s0"
The suggested mount options help. Thanks for the quick response!
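Added example, not part of the original thread or of any Fedora tooling: a small triage routine that separates the kind of denial reported here (the root directory of a tmpfs mount still carrying tmpfs_t) from denials that need a policy review, so the labelling fix is tried before a local audit2allow module. The function names, the return strings and the second log line are constructed for illustration; the matching rule (tclass=dir, name="/", dev="tmpfs", target type tmpfs_t) is an assumption drawn from the AVC record in the report.

```python
import re

# AVC record copied from the report in this thread.
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1393353392.945:1316): avc: denied { search } for '
    'pid=27122 comm="cupsd" name="/" dev="tmpfs" ino=12112 '
    'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir'
)
# Constructed record for contrast: an ordinary directory on disk.
AVC_CONSTRUCTED = (
    'type=AVC msg=audit(1393353400.000:1400): avc: denied { write } for '
    'pid=27122 comm="cupsd" name="cups" dev="dm-0" ino=4711 '
    'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_spool_t:s0 tclass=dir'
)

def parse_avc(line):
    """Return the key=value fields of an AVC denial, or None for other records."""
    denied = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not denied:
        return None
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields['perms'] = denied.group(1).split()
    return fields

def context_type(context):
    """The SELinux type is the third field of user:role:type:level."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else ''

def is_unlabelled_tmpfs_root(fields):
    """True when the target is the root directory of a tmpfs mount that
    still has the default tmpfs_t label (assumed rule, see lead-in)."""
    return (fields.get('tclass') == 'dir'
            and fields.get('name') == '/'
            and fields.get('dev') == 'tmpfs'
            and context_type(fields.get('tcontext', '')) == 'tmpfs_t')

def triage(line):
    """Classify one audit line: 'label-mount', 'review-policy' or 'not-avc'."""
    fields = parse_avc(line)
    if fields is None:
        return 'not-avc'
    if is_unlabelled_tmpfs_root(fields):
        return 'label-mount'    # set rootcontext= on the mount, as in the thread
    return 'review-policy'      # look at the policy before allowing anything
```

A 'label-mount' result points at the mount options of the tmpfs rather than at cupsd's policy; the expected label for the mount point still has to be looked up on the system itself.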