Bug 242987 - selinux issues denial of service to cups for directory access
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 7
Hardware: i386 Linux
Priority: low
Severity: low
Assigned To: Anaconda Maintenance Team
Keywords: Reopened
Reported: 2007-06-06 16:07 EDT by stanl
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-07-06 15:29:13 EDT

Attachments
output of setroubleshooter (2.34 KB, text/plain)
2007-06-06 16:07 EDT, stanl
capture of output from setroubleshoot during 6 hour time period (170.13 KB, image/png)
2007-06-07 17:24 EDT, stanl
capture of output from setroubleshoot during 6 hour time period (170.13 KB, image/png)
2007-06-07 17:26 EDT, stanl

Description stanl 2007-06-06 16:07:54 EDT
Description of problem:
setroubleshoot browser pops up warning at startup claiming cupsd trying to
overreach its authority.

Version-Release number of selected component (if applicable):
See attached file from setroubleshooter
Packages:  cups-1.2.10-10.fc7

How reproducible:
every time

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 stanl 2007-06-06 16:07:54 EDT
Created attachment 156388
output of setroubleshooter
Comment 2 Tim Waugh 2007-06-07 08:29:39 EDT
Looks like your / directory has the wrong context.  What does this say?:

/sbin/restorecon -nv /

(it won't make any changes, just show you what it would do without '-n')
Comment 3 stanl 2007-06-07 13:34:10 EDT
/sbin/restorecon reset / context
system_u:object_r:mnt_t:s0->system_u:object_r:root_t:s0

I am getting a lot of these, all for access to mnt_t by various system
daemons.  I only opened one ticket because I thought it must have a
common source.  I can give you more error messages if it will help.
Comment 4 stanl 2007-06-07 17:24:10 EDT
Created attachment 156513
capture of output from setroubleshoot during 6 hour time period
Comment 5 stanl 2007-06-07 17:24:59 EDT
Actually, I'm beginning to think that this is an SELinux policy issue.  Since
this morning these are the errors that have been issued.  (see attachment)
Comment 6 stanl 2007-06-07 17:26:00 EDT
Created attachment 156514
capture of output from setroubleshoot during 6 hour time period
Comment 7 Tim Waugh 2007-06-07 18:48:02 EDT
No, your '/' directory has the wrong context set (perhaps you installed outside
anaconda?).  Use '/sbin/restorecon -v /' to fix it.
Comment 8 stanl 2007-06-07 19:15:42 EDT
No, I used the LiveCD for Fedora 7 to install to disk and then used yum to
install other packages I wanted.

I've now run the above command and will watch for issues.

Thanks for your help.
Comment 9 Tim Waugh 2007-06-08 05:04:59 EDT
Changing component to anaconda and reassigning.
Comment 10 Jeremy Katz 2007-06-25 17:56:14 EDT
Hmmm... I haven't seen this.  How did you do your partitioning?
Comment 11 stanl 2007-06-25 19:42:50 EDT
I used the custom option from the Gnome Live CD.  Three partitions, boot(sda1),
/(sda3), and /home(sda5-extended) - all ext3.  Swap is sda2.  The SETroubleshoot
recommended command appears to have repaired this.  I had to configure the
printer to actually work though it was discovered on setup.
Comment 12 Jeremy Katz 2007-06-28 14:41:47 EDT
I just did a test and wasn't able to reproduce -- did you install with the F7
final live cd or an earlier one?
Comment 13 stanl 2007-06-28 23:05:16 EDT
I used the final live CD.  Perhaps it has to do with the printer?  It is an HP
Laserjet 3200 SE2 using parallel port.

I have no issues since I ran the restorecon command.

And no, I'm not going to reinstall to trace the issue.  :-)

If I'm the only one experiencing this, it can't be too serious and could just be
some obscure interaction.
Comment 14 Jeremy Katz 2007-07-06 15:29:13 EDT
Hmmm, okay.  Closing out for now.  If someone else hits the same thing, I'll try
to do more digging.
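
Comments 3 and 7 turn on one observation: many different daemons being denied on the same mnt_t object points to a single mislabeled directory, not a policy bug. The following is an added example, not part of the original report, that groups AVC denials by target object to surface that pattern; the log lines are constructed and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration; not taken from the bug's attachments.
SAMPLE_LOG = """\
type=AVC msg=audit(1181160474.101:31): avc:  denied  { search } for  pid=2101 comm="cupsd" name="/" dev=sda3 ino=2 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(1181160475.220:32): avc:  denied  { search } for  pid=1987 comm="hald" name="/" dev=sda3 ino=2 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(1181160480.007:35): avc:  denied  { getattr } for  pid=2150 comm="ntpd" name="/" dev=sda3 ino=2 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(1181160481.530:36): avc:  denied  { search } for  pid=2101 comm="cupsd" name="/" dev=sda3 ino=2 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:mnt_t:s0 tclass=dir
type=AVC msg=audit(1181160490.412:40): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" dev=sda5 ino=81234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

# Pull the object identity (device + inode) and both contexts out of a denial.
AVC_RE = re.compile(
    r'avc:\s+denied\b.*?\bdev=(?P<dev>\S+)\s+ino=(?P<ino>\d+)'
    r'.*?\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)'
)

def se_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(":")[2]

def group_denials(log_text):
    """Map (dev, inode, target type, class) -> set of source domains denied on it."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial, or a record without dev/ino fields
        key = (m["dev"].strip('"'), int(m["ino"]), se_type(m["tcon"]), m["tclass"])
        groups[key].add(se_type(m["scon"]))
    return dict(groups)

def shared_targets(log_text, min_domains=2):
    """Objects that several unrelated domains were denied on: check the label first."""
    return {obj: sorted(domains)
            for obj, domains in group_denials(log_text).items()
            if len(domains) >= min_domains}

if __name__ == "__main__":
    for (dev, ino, ttype, tclass), domains in shared_targets(SAMPLE_LOG).items():
        print(f"{tclass} inode {ino} on {dev} labeled {ttype}: denied to {', '.join(domains)}")
```

Any object it reports is a candidate for the dry-run `/sbin/restorecon -nv` check from Comment 2 before anyone touches policy.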
