Bug 239757 - SELinux is preventing /usr/sbin/cupsd (cupsd_t) "search" access to / (home_root_t)
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
Version: 6
Hardware: i386 Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
 
Reported: 2007-05-11 02:00 UTC by han pingtian
Modified: 2007-11-30 22:12 UTC (History)

Doc Type: Bug Fix
Story Points: ---
Last Closed: 2007-06-01 09:30:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---



Description han pingtian 2007-05-11 02:00:45 UTC
Description of problem:
When I start the /etc/init.d/cups, the setroubleshoot jumps out and reports this.


Version-Release number of selected component (if applicable):
cups-1.2.10-3.fc6
selinux-policy-2.4.6-62.fc6

Additional info:
Source Context:  user_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:home_root_t:s0
Target Objects:  / [ dir ]
Affected RPM Packages:  cups-1.2.10-3.fc6[application]filesystem-2.4.0-1[target]
Policy RPM:  selinux-policy-2.4.6-62.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.disable_trans
Host Name:  openfree.org
Platform:  Linux openfree.org 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:48:40 EDT 2007 i686 i686
Alert Count:  6
Line Numbers:  

Raw Audit Messages: avc: denied { search } for comm="cupsd" dev=dm-1 egid=0
euid=0 exe="/usr/sbin/cupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/"
pid=3917 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0
subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=dir
tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-05-14 18:11:55 UTC
Fixed in selinux-policy-2.4.6-69

Added dontaudit rule

Comment 2 han pingtian 2007-05-25 02:37:39 UTC
(In reply to comment #1)
> Fixed in selinux-policy-2.4.6-69
> 
> Added dontaudit rule

I upgraded to selinux-policy-2.4.6-69.fc6 this morning. The old one is fixed, but a
new one occurs when I try to print a test paper:
SELinux is preventing /bin/bash (cupsd_t) "write" access to ralf (initrc_tmp_t).

Source Context:               user_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context:               user_u:object_r:initrc_tmp_t:s0
Target Objects:               ralf [ file ]
Affected RPM Packages:        bash-3.1-16.1 [application]
Policy RPM:                   selinux-policy-2.4.6-69.fc6
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  plugins.disable_trans
Host Name:                    openfree.org
Platform:                     Linux openfree.org 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:48:40 EDT 2007 i686 i686
Alert Count:                  2
Line Numbers:

Raw Audit Messages:

avc: denied { write } for comm="sh" dev=dm-0 egid=7 euid=4 exe="/bin/bash"
exit=-13 fsgid=7 fsuid=4 gid=7 items=0 name="ralf" pid=5875
scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7
subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file
tcontext=user_u:object_r:initrc_tmp_t:s0 tty=(none) uid=4

Comment 3 Daniel Walsh 2007-05-25 12:41:57 UTC
This looks like cupsd is trying to write to a file that was created by an init
script in the /tmp directory?

Comment 4 han pingtian 2007-05-28 00:26:52 UTC
(In reply to comment #3)
> This looks like cupsd is trying to write to a file that was created by an init
> script in the /tmp directory?

Really? What should I do then?

Comment 5 Daniel Walsh 2007-05-29 14:17:33 UTC
Tim, do you have any ideas?

Comment 6 Tim Waugh 2007-05-29 17:10:25 UTC
No idea.  What is 'ralf'?

If someone has configured a queue using a URI like file:/tmp/ralf, that is a
misconfiguration.

So what is the URI of the queue you are trying to print to?


Comment 7 han pingtian 2007-05-31 05:01:37 UTC
I see ... I'm using an IBM Infoprint printer. There is a file /tmp/ralf:
$ cat /tmp/ralf
/usr/bin/pdpr -x   job-owner=guest@openfree.org -p cncdll5b

Comment 8 Daniel Walsh 2007-05-31 13:39:24 UTC
For now you can use audit2allow to add these rules to a local customization of
policy to allow cups to work.

# grep cups /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp

And we need to work with IBM on a better way to do this.
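
As an added illustration (not code from this bug, from IBM, or from audit2allow itself), the small Python parser below turns the two AVC records quoted in this bug into the TE statements a local module like the mycups.te above would contain, with one assumed twist: denials against types listed in `silence` (here home_root_t, as comment #1 handled it) become dontaudit rules rather than allow rules. The module name and the `silence` list are assumptions, and the AVC lines are the ones from this page, re-joined onto single lines.

```python
import re

# Constructed input: the two AVC denials quoted in this bug, re-joined onto one line each.
AVC_LINES = [
    'avc: denied { search } for comm="cupsd" dev=dm-1 egid=0 euid=0 exe="/usr/sbin/cupsd" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3917 '
    'scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 '
    'subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=dir '
    'tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0',
    'avc: denied { write } for comm="sh" dev=dm-0 egid=7 euid=4 exe="/bin/bash" '
    'exit=-13 fsgid=7 fsuid=4 gid=7 items=0 name="ralf" pid=5875 '
    'scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 '
    'subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file '
    'tcontext=user_u:object_r:initrc_tmp_t:s0 tty=(none) uid=4',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into permissions, source/target types and object class."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    # A context is user:role:type[:mls range]; the type is the third colon-separated field.
    return {
        'perms': m.group('perms').split(),
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }

def te_rule(d, kind='allow'):
    """Render one TE statement, e.g. allow cupsd_t initrc_tmp_t:file { write };"""
    return f"{kind} {d['stype']} {d['ttype']}:{d['tclass']} {{ {' '.join(d['perms'])} }};"

def build_te(lines, module='mycups', silence=('home_root_t',)):
    """Build a .te source with a require block (assumed layout, modelled on audit2allow output).
    Denials whose target type is in `silence` become dontaudit rules, as comment #1 did for
    home_root_t; everything else becomes an allow rule for review before loading."""
    rules, types, classes = [], set(), {}
    for d in filter(None, map(parse_avc, lines)):
        kind = 'dontaudit' if d['ttype'] in silence else 'allow'
        rules.append(te_rule(d, kind))
        types.update((d['stype'], d['ttype']))
        classes.setdefault(d['tclass'], set()).update(d['perms'])
    req = [f"\ttype {t};" for t in sorted(types)]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join([f"module {module} 1.0;", "require {", *req, "}", *rules])
```

The rendered allow rule states exactly what the module would grant (write by cupsd_t to any initrc_tmp_t file, not just /tmp/ralf), which is the line to read before semodule -i loads it.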

Comment 9 han pingtian 2007-06-01 09:30:24 UTC
Great! I can print now! Thanks!
