Description of problem:
I upgraded a machine from F7 to F8 using yum. Afterwards I ran 'fixfiles restore' to ensure that the correct SELinux contexts are applied. However, I still find that I can only get the Cups service to start if I set SELinux to permissive mode. The error I receive when SELinux is in enforcing mode is:

Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied

Version-Release number of selected component (if applicable):
cups-1.3.4-2.fc8

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Here are some of the messages in /var/log/audit/audit.log:

type=SELINUX_ERR msg=audit(1195473509.843:10048): security_compute_sid: invalid context user_u:system_r:cupsd_t:s0-s0:c0.c1023 for scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:cupsd_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1195480700.377:11326): security_compute_sid: invalid context user_u:system_r:cupsd_t:s0-s0:c0.c1023 for scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:cupsd_exec_t:s0 tclass=process
type=SYSCALL msg=audit(1195480700.377:11326): arch=c000003e syscall=59 success=yes exit=0 a0=8c9340 a1=8c9070 a2=8c98b0 a3=37959529f0 items=0 ppid=32218 pid=32219 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 comm="cupsd" exe="/usr/sbin/cupsd" subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=LABEL_LEVEL_CHANGE msg=audit(1195480700.384:11327): user pid=32220 uid=0 auid=500 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Cups-PDF uri=cups-pdf:/ banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=saintloup.smith.man.ac.uk, addr=130.88.90.190, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1195480700.385:11328): user pid=32220 uid=0 auid=500 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Granny uri=socket://granny.smith.man.ac.uk:9100 banners=none,none range=unknown: exe="/usr/sbin/cupsd" (hostname=<my hostname>, addr=<my IP>, terminal=? res=success)'
The SELINUX_ERR messages look like the selinux-policy is not installed right somehow.
I've tried re-installing selinux-policy and selinux-policy-targeted, then re-installing cups itself, but the error is still there in enforcing mode.
Please yum update to the latest selinux policy. It should fix the problem.

Fixed in selinux-policy-3.0.8-56.fc8
I've just done that from that updates-testing repo, but it hasn't fixed the problem.
You might have to log out and log back in.

# semanage user -l
# semanage login -l
# id -Z
Yes, it's working now I've logged out and back in again. Here's the output of those commands:

                Labeling    MLS/       MLS/
SELinux User    Prefix      MCS Level  MCS Range       SELinux Roles

guest_u         guest       s0         s0              guest_r
root            sysadm      s0         s0-s0:c0.c1023  system_r sysadm_r staff_r
staff_u         staff       s0         s0-s0:c0.c1023  sysadm_r staff_r
sysadm_u        sysadm      s0         s0-s0:c0.c1023  sysadm_r
system_u        user        s0         s0-s0:c0.c1023  system_r
unconfined_u    unconfined  s0         s0-s0:c0.c1023  system_r unconfined_r
user_u          user        s0         s0              system_r user_r
xguest_u        xguest      s0         s0              xguest_r

Login Name      SELinux User    MLS/MCS Range

__default__     unconfined_u    s0
root            system_u        s0-s0:c0.c1023

unconfined_u:system_r:unconfined_t:s0 (as my normal user)

Thanks a lot for the swift response - as always.
I believe I have hit this bug now. It seems the only way to restart cups is to reboot. To wit:

# service cups start
Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied [FAILED]

From audit.log:

type=SELINUX_ERR msg=audit(1197477894.638:654): security_compute_sid: invalid context user_u:system_r:cupsd_t:s0-s0:c0.c1023 for scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:cupsd_exec_t:s0 tclass=process

Following just about everything in this thread, I ran "fixfiles restore", no help. Tried logging in and out as root, no help. And since you asked before:

# semanage user -l

                Labeling    MLS/       MLS/
SELinux User    Prefix      MCS Level  MCS Range             SELinux Roles

root            sysadm      s0         SystemLow-SystemHigh  system_r sysadm_r staff_r
staff_u         staff       s0         SystemLow-SystemHigh  sysadm_r staff_r
sysadm_u        sysadm      s0         SystemLow-SystemHigh  sysadm_r
system_u        user        s0         SystemLow-SystemHigh  system_r
unconfined_u    unconfined  s0         SystemLow-SystemHigh  system_r unconfined_r
user_u          user        s0         s0                    system_r user_r

# semanage login -l

Login Name      SELinux User    MLS/MCS Range

__default__     user_u          s0
root            root            SystemLow-SystemHigh

# id -Z
user_u:system_r:unconfined_t
Oh, and as for selinux-policy:

# rpm -q selinux-policy
selinux-policy-3.0.8-64.fc8.noarch
semanage login -m -s unconfined_u __default__
logout
No go. Ran semanage command as root, logged out, logged back in, and:

# service cups start
Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied [FAILED]
Also, since that didn't work, is there a command I need to run to undo that? I am really not that versed in SELinux, so I don't want to kill my box.
What does id -Z show now? And semanage login -l?
(In reply to comment #12)
> What does id -Z show now?

# id -Z
user_u:system_r:unconfined_t

> And semanage login -l?

# semanage login -l

Login Name      SELinux User    MLS/MCS Range

__default__     unconfined_u    s0
root            root            SystemLow-SystemHigh
Hmm...so your login context didn't change at all. You can revert the change via semanage login -m again, e.g.

semanage login -m -s user_u __default__

but that doesn't seem consistent with comment 6. Dan, what's the default user supposed to be in F8?
I am changing it to unconfined_u.

# semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023 unconfined_u
# semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__

Log out and log back in. Now does it start.
(In reply to comment #15)
> I am changing it to unconfined_u.
>
> # semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023
> unconfined_u
> # semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
>
> Log out and log back in. Now does it start.

No go here. I ran the two commands above (I assume unconfined_u was continued from the previous command, otherwise semanage borked), logged out and logged back in. And then:

# service cups start
Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied [FAILED]

# id -Z
user_u:system_r:unconfined_t

# semanage login -l

Login Name      SELinux User    MLS/MCS Range

__default__     unconfined_u    SystemLow-SystemHigh
root            root            SystemLow-SystemHigh

Are my semanage changes not sticking around? Or should I be doing all this in runlevel 3 or 1? I'm currently being root via "su -".
Are you logging all the way out? I.e. not just to su.

Do you see any avc messages in /var/log/messages or /var/log/audit/audit.log? Do you see any SELINUX_ERR in these files?
(In reply to comment #17)
> Are you logging all the way out? IE Not just to su.

Nope, that was it. I was reading "log out" as exit su since I thought I was just mucking with root. Sorry for the confusion, but this is the first box I've had where SELinux wasn't turned off upon build. I'm trying!

Also:

# service cups start
Starting cups: [ OK ]

# id -Z
unconfined_u:system_r:unconfined_t:SystemLow-SystemHigh
Bulk closing all bugs in Fedora updates in the modified state. If your bug is not fixed, please reopen.
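The check that resolved the exchange above, written out as a script; this is an added example and not part of the bug report. It compares the SELinux user in an `id -Z` context with the user that `semanage login -l` maps the original login name to. The login name `alice` and the sample text are constructed from the outputs quoted in this thread.

```shell
#!/bin/sh
# Added example: spot a session whose SELinux user predates a login-mapping change.
# On a live system: check_session "$(logname)" "$(id -Z)" "$(semanage login -l)"
# Use the name you logged in with (logname), not the account reached through su:
# su changes the Unix uid but the session keeps the SELinux user assigned at login.

# mapped_user LOGIN MAP_TEXT
# Print the SELinux user that `semanage login -l` output assigns to LOGIN,
# falling back to the __default__ entry when LOGIN has no line of its own.
mapped_user() {
    printf '%s\n' "$2" | awk -v login="$1" '
        $1 == login         { own = $2 }
        $1 == "__default__" { def = $2 }
        END { print (own != "" ? own : def) }'
}

# session_user CONTEXT
# Print the first field of an `id -Z` context (user:role:type[:range]).
session_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# check_session LOGIN CONTEXT MAP_TEXT
# Return 0 when the running session matches the mapping, 1 when it is stale.
check_session() {
    want=$(mapped_user "$1" "$3")
    have=$(session_user "$2")
    if [ "$want" = "$have" ]; then
        echo "ok: $1 runs as $have"
    else
        echo "stale: $1 runs as $have, mapping says $want; end the login session itself, not only su"
        return 1
    fi
}

# Constructed sample: the login mapping after the semanage change in this thread.
MAP_AFTER='Login Name      SELinux User    MLS/MCS Range

__default__     unconfined_u    SystemLow-SystemHigh
root            root            SystemLow-SystemHigh'

# Context seen while still inside the old session, then after a full re-login.
check_session alice 'user_u:system_r:unconfined_t' "$MAP_AFTER" || true
check_session alice 'unconfined_u:system_r:unconfined_t:SystemLow-SystemHigh' "$MAP_AFTER"
```
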