Description of problem: When attempting to use the CUPS Web administration tools at http://localhost:631, SELinux prevents cupsd from verifying the root password. The dialog box requesting the username and password pops up, but the root user and password are not accepted. When SELinux is placed in Permissive (as opposed to Enforcing) mode, the root password is accepted and the administrative tasks can be performed. Version-Release number of selected component (if applicable): How reproducible: Attempt to change any setting under the Administration tab at http://localhost:631, while SELinux is in Enforcing mode. Steps to Reproduce: 1. Point browser at http://localhost:631/admin 2. Check any box under Basic Server Settings and click Change Settings 3. Enter root and root password in dialog box 4. Change SELinux from Enforcing to Permissive to see it work correctly Actual results: Expected results: Additional info:
I don't see that behaviour here. Do you get any AVC messages in /var/log/audit/audit.log or in the output of the 'dmesg' command? Please include the version and release of the cups and selinux-policy packages you have installed.
The dmesg contained nothing obviously relevant. Here are the messages from /var/log/audit/audit.log: type=USER_AUTH msg=audit(1183224470.819:26): user pid=2208 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='PAM: authentication acct=root : exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? res=success)' type=AVC msg=audit(1183224470.819:27): avc: denied { execute } for pid=3293 comm="cupsd" name="unix_update" dev=sda5 ino=3205028 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file type=SYSCALL msg=audit(1183224470.819:27): arch=40000003 syscall=11 success=no exit=-13 a0=2c78b8 a1=bfee691c a2=2c9408 a3=400 items=0 ppid=2208 pid=3293 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) type=USER_ACCT msg=audit(1183224470.819:28): user pid=2208 uid=0 auid=4294967295 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? res=failed)' (PID 2208 is indeed the cupsd process) The SELinux troubleshooter has this to say: ------------------------ Additional Information Source Context: system_u:system_r:cupsd_t:SystemLow-SystemHigh Target Context: system_u:object_r:updpwd_exec_t Target Objects: unix_update [ file ] Affected RPM Packages: cups-1.2.10-10.fc7 [application] Policy RPM: selinux-policy-2.6.4-14.fc7 Selinux Enabled: True Policy Type: targeted MLS Enabled: True Enforcing Mode: Enforcing Plugin Name: plugins.catchall_file Host Name: dogberry Platform: Linux dogberry 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 i686 Alert Count: 5 First Seen: Fri Jun 29 21:20:13 2007 Last Seen: Sat Jun 30 10:27:50 2007 Local ID: 48fd4a61-a0d1-4efc-a6a0-f3606266a460 Line Numbers: Raw Audit Messages : avc: denied { execute } for comm="cupsd" dev=sda5 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="unix_update" pid=3293 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:updpwd_exec_t:s0 tty=(none) uid=0 -------------------- I tried restorecon -v /sbin/unix_update as suggested by the SELinux troubleshooter, but it printed nothing and had no effect. Here are the installed packages related to cups or selinux: cups-1.2.10-10.fc7 cups-libs-1.2.10-10.fc7 libselinux-2.0.13-1.fc7 selinux-policy-2.6.4-14.fc7 selinux-policy-targeted-2.6.4-14.fc7
Whoa! After an upgrade to these packages, the CUPS Web administration tools have started to work: selinux-policy-2.6.4-21.fc7 selinux-policy-targeted-2.6.4-21.fc7 I haven't tracked down the difference, but whatever it was, the problem seems to have disappeared. Thank you for your prompt response.