Bug 1952171 - SELinux is preventing cupsd from 'write' accesses on the file /etc/cups/subscriptions.conf.N.
Summary: SELinux is preventing cupsd from 'write' accesses on the file /etc/cups/subsc...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:130ae95988abad73a7aa26a6ec2...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-04-21 16:38 UTC by xzj8b3
Modified: 2021-04-23 17:42 UTC (History)
8 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-04-23 17:42:21 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description xzj8b3 2021-04-21 16:38:29 UTC 
Description of problem:
defaulth
SELinux is preventing cupsd from 'write' accesses on the file /etc/cups/subscriptions.conf.N.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

Se vuoi fissare l'etichetta.$TARGETL'etichetta predefinita _PATH dovrebbe essere cupsd_rw_etc_t.
Then puoi eseguire restorecon. Il tentativo di accesso potrebbe essere stato interrotto a causa di autorizzazioni insufficienti per accedere a una directory superiore, nel qual caso provare a modificare il seguente comando di conseguenza.
Do
# /sbin/restorecon -v /etc/cups/subscriptions.conf.N

*****  Plugin catchall (1.49 confidence) suggests   **************************

Se ci credi cupsd dovrebbe essere consentito write accesso al subscriptions.conf.N file per impostazione predefinita.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per ora eseguendo: # ausearch -c 'cupsd'--raw | audit2allow -M my-$MODULE_NOME # semodule -X 300 -i miei-cupsd.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:cupsd_etc_t:s0
Target Objects                /etc/cups/subscriptions.conf.N [ file ]
Source                        cupsd
Source Path                   cupsd
Port                          <Sconosciuto>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-36.fc33.noarch
Local Policy RPM              selinux-policy-targeted-3.14.6-36.fc33.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.14-200.fc33.x86_64 #1 SMP Wed
                              Apr 14 15:25:53 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-04-21 18:36:06 CEST
Last Seen                     2021-04-21 18:36:53 CEST
Local ID                      6b9f6351-8b09-44e6-9ba5-75a291d4c6f8

Raw Audit Messages
type=AVC msg=audit(1619023013.81:747): avc:  denied  { write } for  pid=1004 comm="cupsd" name="subscriptions.conf.N" dev="sda3" ino=1449081 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_etc_t:s0 tclass=file permissive=0


Hash: cupsd,cupsd_t,cupsd_etc_t,file,write

Version-Release number of selected component:
selinux-policy-targeted-3.14.6-36.fc33.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.14-200.fc33.x86_64
type:           libreport

Potential duplicate: bug 1473275
Comment 1 xzj8b3 2021-04-21 17:28:09 UTC 
Similar problem has been detected:

Defaulth

hashmarkername: setroubleshoot
kernel:         5.11.14-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-36.fc33.noarch
reason:         SELinux is preventing cupsd from 'write' accesses on the file /etc/cups/subscriptions.conf.N.
type:           libreport
Comment 2 xzj8b3 2021-04-22 15:26:31 UTC 
Similar problem has been detected:

defaulth

hashmarkername: setroubleshoot
kernel:         5.11.15-200.fc33.x86_64
package:        selinux-policy-targeted-3.14.6-36.fc33.noarch
reason:         SELinux is preventing cupsd from 'write' accesses on the file /etc/cups/subscriptions.conf.N.
type:           libreport
Comment 3 Zdenek Pytela 2021-04-22 17:31:48 UTC 
Hi,

It looks like the file in the setroubleshoot report has incorrect label. Along with the restorecon plugin suggestion, you can fix the label with a single command:

  # /sbin/restorecon -v /etc/cups/subscriptions.conf.N

Do you happen to know how it happened and how the file was created?
Comment 4 xzj8b3 2021-04-23 16:38:33 UTC 
Really Thanks, with SeLinux I don't manage very well
Comment 5 Zdenek Pytela 2021-04-23 17:42:21 UTC 
I suppose the restorecon command resolved you problem, so closing this bz, but feel free to reopen it if the issue persists.
Note You need to log in before you can comment on or make changes to this bug.