Bug 194586 - cupsd doesn't start on fc5 with selinux enabled
Summary: cupsd doesn't start on fc5 with selinux enabled
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: cups
Version: 5
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
URL:
Whiteboard: bzcl34nup
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-06-14 08:38 UTC by Oliver Mangold
Modified: 2008-05-06 15:59 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-06 15:59:49 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Oliver Mangold 2006-06-14 08:38:08 UTC 
Description of problem:

After upgrading from fc4, cupsd doesn't start on boot with selinux enabled.
When running '/etc/init.d/cupsd start' from root shell, it says [FAILED].

When doing

setenforce 0
/etc/init.d/cupsd start

it works. So to me it seems, that there is something wrong with selinux.

/var/log/audit/audit.log says:
------------------------------------------------------- 
type=AVC msg=audit(1150274411.338:782): avc:  denied  { read } for  pid=15657
comm="printconf-backe" name=".fonts.cache-2" dev=sda5 ino=22151792
scontext=user_u:system_r:cupsd_config_t:s0
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1150274411.338:782): arch=40000003 syscall=11 success=yes
exit=0 a0=8bb7fd8 a1=8bb8028 a2=8bb8130 a3=8bb7ea8 items=3 pid=15657 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="printconf-backe"
exe="/usr/bin/python"
type=AVC_PATH msg=audit(1150274411.338:782): 
path="/home/om/.rh-fontconfig/.fonts.cache-2"
type=CWD msg=audit(1150274411.338:782):  cwd="/root"
type=PATH msg=audit(1150274411.338:782): item=0
name="/usr/sbin/printconf-backend" flags=101  inode=1095166 dev=08:05
mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150274411.338:782): item=1 flags=101  inode=1099837
dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150274411.338:782): item=2 flags=101  inode=23166978
dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150274412.198:783): avc:  denied  { read } for  pid=15659
comm="cupsd" name=".fonts.cache-2" dev=sda5 ino=22151792
scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1150274412.198:783): arch=40000003 syscall=11 success=yes
exit=0 a0=8849088 a1=8849530 a2=88493c8 a3=8848e20 items=2 pid=15659 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd"
exe="/usr/sbin/cupsd"
type=AVC_PATH msg=audit(1150274412.198:783): 
path="/home/om/.rh-fontconfig/.fonts.cache-2"
type=CWD msg=audit(1150274412.198:783):  cwd="/root"
type=PATH msg=audit(1150274412.198:783): item=0 name="/usr/sbin/cupsd" flags=101
 inode=1090059 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1150274412.198:783): item=1 flags=101  inode=23166978
dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1150274412.226:784): avc:  denied  { execstack } for 
pid=15659 comm="cupsd" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255
tcontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=process
type=SYSCALL msg=audit(1150274412.226:784): arch=40000003 syscall=125 success=no
exit=-13 a0=bfd8c000 a1=1000 a2=1000007 a3=fffff000 items=0 pid=15659 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd"
exe="/usr/sbin/cupsd"
-----------------------------------------------------
Version-Release number of selected component (if applicable):

cups-1.2.1-1.7
selinux-policy-targeted-2.2.43-4.fc5

How reproducible:

/etc/init.d/cupsd stop
setenforce 1
/etc/init.d/cupsd start
Comment 1 Daniel Walsh 2006-06-15 22:37:55 UTC 
Why is cups trying to read users Home directories?

Why is it requireng execstack?  It should not
Comment 2 Tim Waugh 2006-06-16 08:26:27 UTC 
I don't see this here.

If you run this command, as root, what output do you get?:

rpm -ql cups | xargs restorecon -v
Comment 3 Oliver Mangold 2006-06-16 08:42:20 UTC 
(In reply to comment #1)
> Why is cups trying to read users Home directories?

I'm not sure. I didn't do any cups configuration explaining that. I just
installed my printers using system-config-printer.
The only reason I can imagine would be, that I installed some fonts being in a
user home directory. Is this a problem?

> Why is it requireng execstack?  It should not 

Really don't have any idea.
Comment 4 Oliver Mangold 2006-06-16 08:44:32 UTC 
(In reply to comment #2)

> If you run this command, as root, what output do you get?:
> 
> rpm -ql cups | xargs restorecon -v
> 
It doesn't say anything. I'm not familiar with selinux. Does this mean, the
security contexts of cups are not set?
Comment 5 Tim Waugh 2006-06-26 12:27:36 UTC 
Are you still getting this?  I've never been able to reproduce it here.
Comment 6 Oliver Mangold 2006-06-26 14:11:06 UTC 
> Are you still getting this?  I've never been able to reproduce it here.

I just took again a look on this. Cause Daniel said, it shouldn't need
execstack, I took a look on the cups source. To me it seemed to, that it doesn't
need it, so I rebuilt cups and installed it. This solves the problem. But after
reinstalling the original .i386-package, it the same as in the beginning.
I assume, that after the every update I'll have to rebuild it again (I tried
cups-1.2.1-2.i386.rpm, and it still has the bug).

Quite funny, that the compiled one is that different from the source.
Comment 7 Tim Waugh 2006-06-26 14:20:54 UTC 
I expect the difference is just the initscript -- we looking in the wrong
package. :-)

The audit messages seem to be due to /usr/share/printconf/util/backend.py.  So
what does 'rpm -V system-config-printer' say?
Comment 8 Oliver Mangold 2006-06-26 14:32:14 UTC 
It says nothing. Seems to be the original.

The package is system-config-printer-0.6.151.7-1 (just for the case that this
helps you with anything.)
Comment 9 Tim Waugh 2006-07-04 14:42:49 UTC 
*baffled*
Comment 10 petrosyan 2008-03-17 05:59:22 UTC 
Fedora Core 5 and Fedora Core 6 are no longer maintained. Is this bug still
present in Fedora 7 or Fedora 8?
Comment 11 Bug Zapper 2008-04-04 03:04:38 UTC 
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Comment 12 Bug Zapper 2008-05-06 15:59:47 UTC 
This bug is open for a Fedora version that is no longer maintained and
will not be fixed by Fedora. Therefore we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen thus bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Note You need to log in before you can comment on or make changes to this bug.