Description of problem:
When I start the /etc/init.d/cups, the setroubleshoot jumps out and reports this.

Version-Release number of selected component (if applicable):
cups-1.2.10-3.fc6
selinux-policy-2.4.6-62.fc6

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Source Context: user_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context: system_u:object_r:home_root_t:s0
Target Objects: / [ dir ]
Affected RPM Packages: cups-1.2.10-3.fc6 [application] filesystem-2.4.0-1 [target]
Policy RPM: selinux-policy-2.4.6-62.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.disable_trans
Host Name: openfree.org
Platform: Linux openfree.org 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:48:40 EDT 2007 i686 i686
Alert Count: 6
Line Numbers:

Raw Audit Messages:
avc: denied { search } for comm="cupsd" dev=dm-1 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=3917 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:home_root_t:s0 tty=(none) uid=0
Fixed in selinux-policy-2.4.6-69

Added dontaudit rule
(In reply to comment #1)
> Fixed in selinux-policy-2.4.6-69
>
> Added dontaudit rule

I upgraded to selinux-policy-2.4.6-69.fc6 this morning. The old one is fixed, but a new one occurs when I try to print a test paper:

SELinux is preventing /bin/bash (cupsd_t) "write" access to ralf (initrc_tmp_t).

Source Context: user_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context: user_u:object_r:initrc_tmp_t:s0
Target Objects: ralf [ file ]
Affected RPM Packages: bash-3.1-16.1 [application]
Policy RPM: selinux-policy-2.4.6-69.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.disable_trans
Host Name: openfree.org
Platform: Linux openfree.org 2.6.20-1.2948.fc6 #1 SMP Fri Apr 27 19:48:40 EDT 2007 i686 i686
Alert Count: 2
Line Numbers:

Raw Audit Messages:
avc: denied { write } for comm="sh" dev=dm-0 egid=7 euid=4 exe="/bin/bash" exit=-13 fsgid=7 fsuid=4 gid=7 items=0 name="ralf" pid=5875 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file tcontext=user_u:object_r:initrc_tmp_t:s0 tty=(none) uid=4
This looks like cupsd is trying to write to a file that was created by an init script in the /tmp directory?
(In reply to comment #3)
> This looks like cupsd is trying to write to a file that was created by an init
> script in the /tmp directory?

Really? What should I do then?
Tim, do you have any ideas?
No idea. What is 'ralf'? If someone has configured a queue using a URI like file:/tmp/ralf, that is a misconfiguration. So what is the URI of the queue you are trying to print to?
I see ... I'm using an IBM Infoprint printer. There is a file /tmp/ralf:

$ cat /tmp/ralf
/usr/bin/pdpr -x job-owner=guest -p cncdll5b
For now you can use audit2allow to add these rules to a local customization of policy to allow cups to work.

# grep cups /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp

And we need to work with IBM on a better way to do this.
Great! I can print now! Thanks!