Bug 371371 - selinux blocks cups from starting
Summary: selinux blocks cups from starting
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
medium
urgent
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
 
Reported: 2007-11-08 15:57 UTC by Bill C. Riemers
Modified: 2007-11-30 22:12 UTC (History)
Clone Of:
Last Closed: 2007-11-08 16:19:33 UTC



Description Bill C. Riemers 2007-11-08 15:57:35 UTC
Description of problem:

Yesterday I was having the problem that the print to PDF driver no longer
worked, because selinux was blocking access to file_t.   setroubleshooter
recommended:  "touch /.autorelabel;reboot"  So I tried that, and now cups won't
start at all. 

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Run "touch /.autorelabel;reboot"
2. When booted again run:  "service cups restart"
  
Actual results:

[root@hartnell ~]# service cups restart
Stopping cups:                                             [FAILED]
Starting cups:                                             [FAILED]

Expected results:

[root@hartnell ~]# service cups restart
Stopping cups:                                             [SUCCESS]
Starting cups:                                             [SUCCESS]

Additional info:

[root@hartnell log]# tail messages
Nov  8 10:43:44 localhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) Invalid argument
Nov  8 10:43:54 localhost kernel: tun: Universal TUN/TAP device driver, 1.6
Nov  8 10:43:54 localhost kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Nov  8 10:43:54 localhost kernel: tun0: Disabled Privacy Extensions
Nov  8 10:44:59 localhost ntpd[3111]: Listening on interface #8 tun0, 10.32.4.123#123 Enabled
Nov  8 10:45:15 localhost cupsd: Unable to read configuration file '/etc/cups/cupsd.conf' - exiting!
Nov  8 10:45:17 localhost setroubleshoot:      SELinux is preventing access to files with the default label, default_t.      For complete SELinux messages. run sealert -l c1d6fbdd-988c-445b-930b-fdabbd3682be
Nov  8 10:45:27 localhost cupsd: Unable to read configuration file '/etc/cups/cupsd.conf' - exiting!
Nov  8 10:45:29 localhost kernel: IN=tun0 OUT= MAC= SRC=10.33.63.12 DST=10.32.4.123 LEN=1400 TOS=0x00 PREC=0x00 TTL=61 ID=37843 DF PROTO=TCP SPT=993 DPT=52598 WINDOW=2252 RES=0x00 ACK URGP=0
Nov  8 10:45:29 localhost setroubleshoot:      SELinux is preventing access to files with the default label, default_t.      For complete SELinux messages. run sealert -l c1d6fbdd-988c-445b-930b-fdabbd3682be

[root@hartnell log]# sealert -l c1d6fbdd-988c-445b-930b-fdabbd3682be
Summary
    SELinux is preventing access to files with the default label, default_t.

Detailed Description
    SELinux permission checks on files labeled default_t are being denied.
    These files/directories have the default label on them.  This can indicate a
    labeling problem, especially if the files being referred to  are not top
    level directories. Any files/directories under standard system directories,
    /usr, /var. /dev, /tmp, ..., should not be labeled with the default label.
    The default label is for files/directories which do not have a label on a
    parent directory. So if you create a new directory in / you might
    legitimately get this label.

Allowing Access
    If you want a confined domain to use these files you will probably need to
    relabel the file/directory with chcon. In some cases it is just easier to
    relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information        

Source Context                user_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context                system_u:object_r:default_t
Target Objects                cache [ dir ]
Affected RPM Packages         cups-1.2.12-6.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-49.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.default
Host Name                     hartnell
Platform                      Linux hartnell 2.6.23.1-21.fc7 #1 SMP Thu Nov 1 20:28:15 EDT 2007 x86_64 x86_64
Alert Count                   3
First Seen                    Thu Nov  8 09:42:07 2007
Last Seen                     Thu Nov  8 10:45:27 2007
Local ID                      c1d6fbdd-988c-445b-930b-fdabbd3682be
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="cupsd" dev=dm-5 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="cache" pid=7216 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0

[root@hartnell cups]# ls -laZ /etc/cups/cupsd.conf
-rw-r-----  root lp system_u:object_r:cupsd_rw_etc_t /etc/cups/cupsd.conf

Comment 1 Bill C. Riemers 2007-11-08 16:00:04 UTC
BTW.  I don't get it.  The log claims that it is denying access to default_t,
but that is clearly not the security context list for the file.

Comment 2 Bill C. Riemers 2007-11-08 16:00:29 UTC
BTW.  I don't get it.  The log claims that it is denying access to default_t,
but that is clearly not the security context list for the file.

Comment 3 Daniel Walsh 2007-11-08 16:06:29 UTC
The problem is you have a directory named cache that is labeled default_t?

Comment 4 Bill C. Riemers 2007-11-08 16:19:33 UTC
This is user error.  I had copied my /var/cache directory to a separate
filesystem, which had context default_t...  Restoring the security context fixed
the problem.

Bill
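The confusion in comments 1 and 2 comes from reading the wrong field: the raw AVC record names the denied object (name="cache", tclass=dir, tcontext ending in default_t), not cupsd.conf. The following is an added example, not code from the bug report or from selinux-policy: a small POSIX sh triage of a saved AVC line that separates labeling problems (target type default_t, file_t or unlabeled_t, as in this report) from real policy gaps and prints the restorecon to try. The function names are mine, and the parent directory passed to avc_fix_hint is an assumption the admin supplies, because a dir-search denial records only the last path component.

```shell
#!/bin/sh
# Added example (not from the bug report or selinux-policy): triage an AVC
# denial line offline. It pulls out the fields that decide whether a denial
# is a labeling problem (target type default_t / file_t / unlabeled_t) or a
# real policy gap, and prints the restorecon to try in the first case.

# Constructed sample: the raw audit message from the report, joined on one line.
SAMPLE_AVC='avc: denied { search } for comm="cupsd" dev=dm-5 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="cache" pid=7216 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0'

# avc_field LINE KEY: print the value of KEY=value (quotes stripped); status 1 if absent.
avc_field() {
    set -f                      # no globbing while we split the record on whitespace
    for tok in $1; do
        case "$tok" in
            "$2="*) val=${tok#"$2="}; val=${val#\"}; val=${val%\"}
                    set +f; printf '%s\n' "$val"; return 0 ;;
        esac
    done
    set +f; return 1
}

# avc_type CONTEXT: the type component (user:role:TYPE[:range]) of a context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_label_check LINE: "LABELING <type>" (status 0) when the target carries a
# label that only comes from missing or copied-over labels, else "POLICY <type>".
avc_label_check() {
    ttype=$(avc_type "$(avc_field "$1" tcontext)")
    case "$ttype" in
        default_t|file_t|unlabeled_t) printf 'LABELING %s\n' "$ttype"; return 0 ;;
        *) printf 'POLICY %s\n' "$ttype"; return 1 ;;
    esac
}

# avc_fix_hint LINE PARENT: restorecon command for the object named in the
# record. PARENT must be supplied (assumed known to the admin): a dir-search
# denial only records name=, the last path component, not the full path.
avc_fix_hint() {
    name=$(avc_field "$1" name)
    printf 'restorecon -Rv %s/%s\n' "$2" "$name"
}

avc_label_check "$SAMPLE_AVC"           # LABELING default_t
avc_fix_hint "$SAMPLE_AVC" /var         # restorecon -Rv /var/cache
```

In this report the fix was exactly that: the copied /var/cache tree carried default_t, and restoring its context (here /var is the known parent) let cupsd search it again.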

