Bug 239757 - SELinux is preventing /usr/sbin/cupsd (cupsd_t) "search" access to / (home_root_t)
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-05-10 22:00 EDT by han pingtian
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-06-01 05:30:24 EDT
Attachments: None

Description han pingtian 2007-05-10 22:00:45 EDT
Description of problem:
When I start /etc/init.d/cups, setroubleshoot jumps out and reports this.

Version-Release number of selected component (if applicable):
cups-1.2.10-3.fc6
selinux-policy-2.4.6-62.fc6

Additional info:
Source Context:  user_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:home_root_t:s0
Target Objects:  / [ dir ]
Affected RPM Packages:  cups-1.2.10-3.fc6[application]filesystem-2.4.0-1[target]
Policy RPM:  selinux-policy-2.4.6-62.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.disable_trans
Host Name:  openfree.org
Platform:  Linux openfree.org 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:48:40 EDT 2007 i686 i686
Alert Count:  6
Line Numbers:

Raw Audit Messages:
avc: denied { search } for comm="cupsd" dev=dm-1 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3917 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-05-14 14:11:55 EDT
Fixed in selinux-policy-2.4.6-69

Added dontaudit rule
Comment 2 han pingtian 2007-05-24 22:37:39 EDT
(In reply to comment #1)
> Fixed in selinux-policy-2.4.6-69
> 
> Added dontaudit rule

I upgraded to selinux-policy-2.4.6-69.fc6 this morning. The old one is fixed, but a
new one occurs when I try to print a test page:
SELinux is preventing /bin/bash (cupsd_t) "write" access to ralf (initrc_tmp_t).

Source Context:               user_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context:               user_u:object_r:initrc_tmp_t:s0
Target Objects:               ralf [ file ]
Affected RPM Packages:        bash-3.1-16.1 [application]
Policy RPM:                   selinux-policy-2.4.6-69.fc6
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  plugins.disable_trans
Host Name:                    openfree.org
Platform:                     Linux openfree.org 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:48:40 EDT 2007 i686 i686
Alert Count:                  2
Line Numbers:

Raw Audit Messages:

avc: denied { write } for comm="sh" dev=dm-0 egid=7 euid=4 exe="/bin/bash" exit=-13 fsgid=7 fsuid=4 gid=7 items=0 name="ralf" pid=5875 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file tcontext=user_u:object_r:initrc_tmp_t:s0 tty=(none) uid=4
Comment 3 Daniel Walsh 2007-05-25 08:41:57 EDT
This looks like cupsd is trying to write to a file that was created by an init
script in the /tmp directory?
Comment 4 han pingtian 2007-05-27 20:26:52 EDT
(In reply to comment #3)
> This looks like cupsd is trying to write to a file that was created by an init
> script in the /tmp directory?

Really? what should I do then?
Comment 5 Daniel Walsh 2007-05-29 10:17:33 EDT
Tim do you have any ideas?
Comment 6 Tim Waugh 2007-05-29 13:10:25 EDT
No idea.  What is 'ralf'?

If someone has configured a queue using a URI like file:/tmp/ralf, that is a
misconfiguration.

So what is the URI of the queue you are trying to print to?
Comment 7 han pingtian 2007-05-31 01:01:37 EDT
I see... I'm using an IBM Infoprint printer. There is a file /tmp/ralf:
$ cat /tmp/ralf
/usr/bin/pdpr -x   job-owner=guest@openfree.org -p cncdll5b

Comment 8 Daniel Walsh 2007-05-31 09:39:24 EDT
For now you can use audit2allow to add these rules to a local customization of
policy to allow cups to work.

# grep cups /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp

And we need to work with IBM on a better way to do this.
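As an added example (not from this bug, audit2allow, or the Fedora policy): a small Python parser that turns the two AVC denials quoted in this report into the TE rules the audit2allow step above would generate, so they can be read before `semodule -i` loads them; it also shows the shape of the dontaudit rule from comment 1. The sample log lines are constructed from the messages in this report, and the non-AVC noise record, the `source_type` filter standing in for `grep cups`, and the `needs_review` heuristic are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the two AVC denials quoted in this bug, each re-joined onto
# one line, plus one non-AVC audit record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
avc: denied { search } for comm="cupsd" dev=dm-1 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=-13 name="/" pid=3917 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=dir tcontext=system_u:object_r:home_root_t:s0
avc: denied { write } for comm="sh" dev=dm-0 egid=7 euid=4 exe="/bin/bash" exit=-13 name="ralf" pid=5875 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=file tcontext=user_u:object_r:initrc_tmp_t:s0
type=SYSCALL msg=audit(1178848800.123:45): arch=40000003 syscall=5 success=no exit=-13 comm="cupsd"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    try:  # a context reads user:role:TYPE[:mls range]; only the type matters for a TE rule
        stype, ttype = fields['scontext'].split(':')[2], fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, frozenset(m.group('perms').split())

def denials_to_te(log_text, source_type=None, rule='allow'):
    """Merge denials into one TE rule per (source, target, class) as audit2allow does.
    source_type='cupsd_t' plays the role of 'grep cups'; rule='dontaudit' gives the
    shape of rule the maintainer added for the first denial (an assumed analogue)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None or (source_type and parsed[0] != source_type):
            continue
        merged[parsed[:3]] |= parsed[3]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        if len(perms) > 1:
            p = '{ ' + p + ' }'
        rules.append(f'{rule} {stype} {ttype}:{tclass} {p};')
    return rules

def needs_review(rules):
    """Rules to question before 'semodule -i' (assumed heuristic): a write to a *_tmp_t
    type means the daemon shares a file in /tmp with another domain (here /tmp/ralf)."""
    return [r for r in rules if '_tmp_t:' in r and 'write' in r]
```

Running `denials_to_te(SAMPLE_AUDIT_LOG, source_type='cupsd_t')` yields the two allow rules; `needs_review` flags only the initrc_tmp_t write, which is the one Tim Waugh questioned.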
Comment 9 han pingtian 2007-06-01 05:30:24 EDT
Great! I can print now! Thanks!