Description of problem: SELinux is preventing cupsd from 'getattr' accesses on the file /var/cache/cups/job.cache.O. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /var/cache/cups/job.cache.O default label should be cupsd_rw_etc_t. Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly. Do # /sbin/restorecon -v /var/cache/cups/job.cache.O ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that cupsd should be allowed getattr access on the job.cache.O file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'cupsd' --raw | audit2allow -M my-cupsd # semodule -X 300 -i my-cupsd.pp Additional Information: Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context system_u:object_r:unlabeled_t:s0 Target Objects /var/cache/cups/job.cache.O [ file ] Source cupsd Source Path cupsd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.3-15.fc30.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.20.0-0.rc7.git1.1.fc30.x86_64 #1 SMP Tue Dec 18 22:52:01 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-12-22 22:39:11 +05 Last Seen 2018-12-22 22:39:11 +05 Local ID 81009296-f8c2-4a94-8dd0-677baf8429bf Raw Audit Messages type=AVC msg=audit(1545500351.151:127): avc: denied { getattr } for pid=1165 comm="cupsd" path="/var/cache/cups/job.cache.O" dev="nvme0n1p2" ino=3015317 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 Hash: cupsd,cupsd_t,unlabeled_t,file,getattr Version-Release number of selected component: selinux-policy-3.14.3-15.fc30.noarch Additional info: component: selinux-policy reporter: libreport-2.9.7 hashmarkername: setroubleshoot kernel: 4.20.0-0.rc7.git1.1.fc30.x86_64 type: libreport
Hi, It looks like the file in the setroubleshoot report has incorrect label. The unlabeled_t label is displayed when a file was created in SELinux disabled state or when its actual label does not currently exist. Along with the restorecon plugin suggestion, you can fix the label with a single command: # /sbin/restorecon -v /var/cache/cups/job.cache.O or relabel all filesystems: # fixfiles onboot and reboot the system. Closing as NOTABUG. Feel free to reopen the bugzilla if the issue persists.