Bug 1384633 - SELinux is preventing cupsd from 'rename' accesses on the file /etc/cups/subscriptions.conf.
Summary: SELinux is preventing cupsd from 'rename' accesses on the file /etc/cups/subs...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:15b8829ed9f3f5a59dc4c98aefd...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-10-13 17:49 UTC by Paul W. Frields
Modified: 2016-11-03 12:33 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-03 12:33:27 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Paul W. Frields 2016-10-13 17:49:14 UTC 
Description of problem:
This error occurred during a normal session, no print jobs requested.
SELinux is preventing cupsd from 'rename' accesses on the file /etc/cups/subscriptions.conf.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/etc/cups/subscriptions.conf default label should be cupsd_rw_etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/cups/subscriptions.conf

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that cupsd should be allowed rename access on the subscriptions.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cupsd' --raw | audit2allow -M my-cupsd
# semodule -X 300 -i my-cupsd.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:cupsd_etc_t:s0
Target Objects                /etc/cups/subscriptions.conf [ file ]
Source                        cupsd
Source Path                   cupsd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           cups-2.2.0-2.fc25.x86_64
Policy RPM                    selinux-policy-3.13.1-218.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.0-0.rc8.git0.1.fc25.x86_64 #1
                              SMP Mon Sep 26 17:12:24 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-10-13 13:42:47 EDT
Last Seen                     2016-10-13 13:42:47 EDT
Local ID                      bbc25f29-ff01-4743-9c25-0caf48fe8f73

Raw Audit Messages
type=AVC msg=audit(1476380567.625:357): avc:  denied  { rename } for  pid=1888 comm="cupsd" name="subscriptions.conf" dev="dm-0" ino=787177 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_etc_t:s0 tclass=file permissive=0


Hash: cupsd,cupsd_t,cupsd_etc_t,file,rename

Version-Release number of selected component:
selinux-policy-3.13.1-218.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc8.git0.1.fc25.x86_64
type:           libreport

Potential duplicate: bug 838234
Comment 1 Paul W. Frields 2016-11-03 12:33:27 UTC 
This machine has been upgraded several times from F21->22->23->24->25.  I did a 'restorecon -rv /etc/cups' and it looks like the label no longer matched the expected targeted policy.  I'm going to call this CLOSED CURRENTRELEASE and can reopen if needed.
Note You need to log in before you can comment on or make changes to this bug.