Bug 1069845 - SELinux is preventing /usr/sbin/cupsd from search access on the directory /var/spool.
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-02-25 18:41 UTC by Raphael Groner
Modified: 2014-05-24 12:21 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-01 22:02:09 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1096545 0 unspecified CLOSED userWindow.py:435:on_userWin_ok_button_clicked:RuntimeError: couldn't open `/var/spool/mail/user': No such file or direc... 2021-02-22 00:41:40 UTC

Internal Links: 1096545

Description Raphael Groner 2014-02-25 18:41:47 UTC
-- I mounted /var/spool as tmpfs. So the following issue is provoked.

[19:01] raphael@schlebby ~ $ mount |grep spool
tmpfs on /var/spool type tmpfs (rw,noatime,seclabel,size=367556k)
[19:39] raphael@schlebby ~ $ df -h /var/spool/
Dateisystem    Größe Benutzt Verf. Verw% Eingehängt auf
tmpfs           359M    8,0K  359M    1% /var/spool
[19:40] raphael@schlebby ~ $ ll -a /var/spool/
insgesamt 4
drwxrwxrwt.  4 root root   80 25. Feb 02:58 .
drwxr-xr-x. 20 root root 4096 25. Feb 02:57 ..
drwx------.  2 root root   80 25. Feb 06:43 cron
drwxr-xr-x.  3 root root   60 25. Feb 02:58 cups
[19:40] raphael@schlebby ~ $ ll -a /var/spool/cups/
insgesamt 0
drwxr-xr-x. 3 root root 60 25. Feb 02:58 .
drwxrwxrwt. 4 root root 80 25. Feb 02:58 ..
drwxr-xr-x. 2 root root 40 25. Feb 02:58 tmp


SELinux is preventing /usr/sbin/cupsd from search access on the directory /var/spool.

*****  Plugin catchall (100. confidence) suggests   **************************

If sie denken, dass es cupsd standardmässig erlaubt sein sollte, search Zugriff auf spool directory zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                /var/spool [ dir ]
Source                        cupsd
Source Path                   /usr/sbin/cupsd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           cups-1.7.0-9.fc20.x86_64
Target RPM Packages           filesystem-3.2-19.fc20.x86_64
Policy RPM                    selinux-policy-3.12.1-122.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     schlebby
Platform                      Linux schlebby 3.13.3-201.fc20.x86_64 #1 SMP Fri
                              Feb 14 19:08:32 UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-02-25 19:36:28 CET
Last Seen                     2014-02-25 19:36:32 CET
Local ID                      3885c1e0-2377-44e3-8636-dc0bee0b33bb

Raw Audit Messages
type=AVC msg=audit(1393353392.945:1316): avc:  denied  { search } for  pid=27122 comm="cupsd" name="/" dev="tmpfs" ino=12112 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir


type=SYSCALL msg=audit(1393353392.945:1316): arch=x86_64 syscall=openat success=no exit=EACCES a0=ffffffffffffff9c a1=7f37ea1e2704 a2=90800 a3=0 items=0 ppid=1 pid=27122 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: cupsd,cupsd_t,tmpfs_t,dir,search

Comment 1 Raphael Groner 2014-02-25 18:43:27 UTC
selinux-policy-3.12.1-122.fc20.noarch

Comment 2 Daniel Walsh 2014-02-26 17:47:31 UTC
This looks like your /var/spool is mislabeled?

Does the following change the labels?
restorecon -R -v /var

Did you mount a tmpfs as /var/spool?

Comment 3 Raphael Groner 2014-02-26 17:58:33 UTC
(In reply to Daniel Walsh from comment #2)
> This looks like your /var/spool is mislabeled?
> 
> Does the following change the labels?
> restorecon -R -v /var
> 
> Did you mount a tmpfs as /var/spool?

Well, the issue is that it is tmpfs, indeed. So the labels can't be persistently kept, can they?

Comment 4 Daniel Walsh 2014-02-26 18:02:04 UTC
I think adding the following as a mount option will fix your problem.
rootcontext="system_u:object_r:var_spool_t:s0"

Comment 5 Raphael Groner 2014-03-01 22:02:09 UTC
The suggested mount options help. Thanks for the quick response!
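As an added example, not part of the bug report or of the selinux-policy project: a small POSIX sh helper that pulls the permission, source type, target type and object class out of a raw AVC line like the one in the description, and that checks an /etc/fstab entry for a tmpfs mounted on /var/spool for the rootcontext= option from comment 4, printing a corrected entry when it is missing. The fstab line is constructed; the expected type var_spool_t is the one comment 4 names, and context= is accepted as an equivalent fix since it also labels the mount.

```shell
# Added example (not from the bug report): detect the tmpfs_t-on-/var/spool
# mislabel from an AVC line and check an fstab entry for the rootcontext= fix.

# Print "<perm> <source type> <target type> <class>" for one raw AVC line.
avc_summary() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p')
    stype=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    printf '%s %s %s %s\n' "$perm" "$stype" "$ttype" "$tclass"
}

# Check one fstab line: if it mounts a tmpfs on $2 without rootcontext= or
# context=, echo a corrected line carrying rootcontext=...:$3:s0 and return 1.
# Any other line (or one already carrying the option) is echoed and returns 0.
fstab_fix_rootcontext() {
    line=$1 mnt=$2 want=$3
    set -- $line                       # device mountpoint fstype options dump pass
    if [ "$2" != "$mnt" ] || [ "$3" != "tmpfs" ]; then
        printf '%s\n' "$line"; return 0
    fi
    case ",$4," in
        *,rootcontext=*|*,context=*) printf '%s\n' "$line"; return 0 ;;
    esac
    printf '%s %s %s %s,rootcontext=system_u:object_r:%s:s0 %s %s\n' \
        "$1" "$2" "$3" "$4" "$want" "$5" "$6"
    return 1
}

# Constructed fstab entry matching the mount shown in the description.
SAMPLE_FSTAB='tmpfs /var/spool tmpfs rw,noatime,size=367556k 0 0'
```

After remounting with the corrected entry, `ls -Zd /var/spool` should show var_spool_t instead of tmpfs_t, and the AVC above should stop recurring.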

