Bug 371371 - selinux blocks cups from starting
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 7
Hardware: All
OS: Linux
Priority: medium
Severity: urgent
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-08 10:57 EST by Bill C. Riemers
Modified: 2007-11-30 17:12 EST
Last Closed: 2007-11-08 11:19:33 EST
Description Bill C. Riemers 2007-11-08 10:57:35 EST
Description of problem:

Yesterday I was having the problem that the print to PDF driver no longer worked, because selinux was blocking access to file_t. setroubleshoot recommended: "touch /.autorelabel;reboot". So I tried that, and now cups won't start at all.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Run "touch /.autorelabel;reboot"
2. When booted again run:  "service cups restart"
  
Actual results:

[root@hartnell ~]# service cups restart
Stopping cups:                                             [FAILED]
Starting cups:                                             [FAILED]

Expected results:

[root@hartnell ~]# service cups restart
Stopping cups:                                             [SUCCESS]
Starting cups:                                             [SUCCESS]

Additional info:

[root@hartnell log]# tail messages
Nov  8 10:43:44 localhost restorecond: Will not restore a file with more than one hard link (/etc/resolv.conf) Invalid argument
Nov  8 10:43:54 localhost kernel: tun: Universal TUN/TAP device driver, 1.6
Nov  8 10:43:54 localhost kernel: tun: (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
Nov  8 10:43:54 localhost kernel: tun0: Disabled Privacy Extensions
Nov  8 10:44:59 localhost ntpd[3111]: Listening on interface #8 tun0, 10.32.4.123#123 Enabled
Nov  8 10:45:15 localhost cupsd: Unable to read configuration file '/etc/cups/cupsd.conf' - exiting!
Nov  8 10:45:17 localhost setroubleshoot:      SELinux is preventing access to files with the default label, default_t.      For complete SELinux messages. run sealert -l c1d6fbdd-988c-445b-930b-fdabbd3682be
Nov  8 10:45:27 localhost cupsd: Unable to read configuration file '/etc/cups/cupsd.conf' - exiting!
Nov  8 10:45:29 localhost kernel: IN=tun0 OUT= MAC= SRC=10.33.63.12 DST=10.32.4.123 LEN=1400 TOS=0x00 PREC=0x00 TTL=61 ID=37843 DF PROTO=TCP SPT=993 DPT=52598 WINDOW=2252 RES=0x00 ACK URGP=0
Nov  8 10:45:29 localhost setroubleshoot:      SELinux is preventing access to files with the default label, default_t.      For complete SELinux messages. run sealert -l c1d6fbdd-988c-445b-930b-fdabbd3682be

[root@hartnell log]# sealert -l c1d6fbdd-988c-445b-930b-fdabbd3682be
Summary
    SELinux is preventing access to files with the default label, default_t.

Detailed Description
    SELinux permission checks on files labeled default_t are being denied.
    These files/directories have the default label on them.  This can indicate a
    labeling problem, especially if the files being referred to  are not top
    level directories. Any files/directories under standard system directories,
    /usr, /var. /dev, /tmp, ..., should not be labeled with the default label.
    The default label is for files/directories which do not have a label on a
    parent directory. So if you create a new directory in / you might
    legitimately get this label.

Allowing Access
    If you want a confined domain to use these files you will probably need to
    relabel the file/directory with chcon. In some cases it is just easier to
    relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information        

Source Context                user_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context                system_u:object_r:default_t
Target Objects                cache [ dir ]
Affected RPM Packages         cups-1.2.12-6.fc7 [application]
Policy RPM                    selinux-policy-2.6.4-49.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.default
Host Name                     hartnell
Platform                      Linux hartnell 2.6.23.1-21.fc7 #1 SMP Thu Nov 1 20:28:15 EDT 2007 x86_64 x86_64
Alert Count                   3
First Seen                    Thu Nov  8 09:42:07 2007
Last Seen                     Thu Nov  8 10:45:27 2007
Local ID                      c1d6fbdd-988c-445b-930b-fdabbd3682be
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm="cupsd" dev=dm-5 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="cache" pid=7216 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=0

[root@hartnell cups]# ls -laZ /etc/cups/cupsd.conf
-rw-r-----  root lp system_u:object_r:cupsd_rw_etc_t /etc/cups/cupsd.conf
Comment 1 Bill C. Riemers 2007-11-08 11:00:04 EST
BTW. I don't get it. The log claims that it is denying access to default_t, but that is clearly not the security context listed for the file.
Comment 2 Bill C. Riemers 2007-11-08 11:00:29 EST
BTW. I don't get it. The log claims that it is denying access to default_t, but that is clearly not the security context listed for the file.
Comment 3 Daniel Walsh 2007-11-08 11:06:29 EST
The problem is you have a directory named cache that is labeled default_t?
Comment 4 Bill C. Riemers 2007-11-08 11:19:33 EST
This is user error.  I had copied my /var/cache directory to a separate
filesystem, which had context default_t...  Restoring the security context fixed
the problem.

Bill

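As an added example (not code from the bug report, from Fedora, or from setroubleshoot), a small POSIX shell check that does by hand what the setroubleshoot alert did above: it scans raw AVC records for denials whose target type is default_t, the signature of a directory that was copied to another filesystem without its label, as happened with /var/cache here. The two sample records are constructed; the second carries a different label to show it is ignored.

```shell
#!/bin/sh
# Added example, not part of the bug report: pick out AVC denials whose
# target object carries the default_t label, the situation cupsd hit above.
# Feed raw AVC records on stdin, one per line (for example the "avc: denied"
# lines from /var/log/audit/audit.log or `ausearch -m avc`); it prints
# "comm tclass name" for each matching record. Names with whitespace are not
# expected here: auditd hex-encodes such names.
avc_default_t_targets() {
    awk '
    /avc: *denied/ {
        comm = ""; name = ""; tclass = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")   comm = kv[2]
            if (kv[1] == "name")   name = kv[2]
            if (kv[1] == "tclass") tclass = kv[2]
            if (kv[1] == "tcontext") {
                # a context is user:role:type[:range]; the type is field 3
                n = split(kv[2], ctx, ":")
                ttype = (n >= 3) ? ctx[3] : ""
            }
        }
        gsub(/"/, "", comm); gsub(/"/, "", name)
        if (ttype == "default_t") print comm, tclass, name
    }'
}

# Constructed sample: the record from this bug (trimmed) plus an unrelated
# denial on a user_home_t file that must not be reported.
SAMPLE_AVC='avc: denied { search } for comm="cupsd" dev=dm-5 exe="/usr/sbin/cupsd" exit=-13 name="cache" pid=7216 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=dir tcontext=system_u:object_r:default_t:s0
avc: denied { read } for comm="httpd" name="index.html" pid=42 scontext=system_u:system_r:httpd_t:s0 tclass=file tcontext=system_u:object_r:user_home_t:s0'

# Demo run. A hit under a standard system directory means the path lost its
# label (here: a copied /var/cache); compare with `matchpathcon <path>` and
# reset it with `restorecon -Rv <path>` rather than setting a type by hand.
printf '%s\n' "$SAMPLE_AVC" | avc_default_t_targets
```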