Bug 390391 - Cups won't start - Selinux problem?
Cups won't start - Selinux problem?
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-19 09:04 EST by Adam Huffman
Modified: 2008-01-30 14:20 EST (History)
3 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-01-30 14:20:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Adam Huffman 2007-11-19 09:04:33 EST
Description of problem:
I upgraded a machine from F7 to F8 using yum.  Afterwards I ran 'fixfiles
restore' to ensure that the correct Selinux contexts are applied.  However, I
still find that I can only get the Cups service to start if I set Selinux to
permissive mode.

The error I receive when Selinux is in enforcing mode is:

Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied

Version-Release number of selected component (if applicable):
cups-1.3.4-2.fc8

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Here are some of the messages in /var/log/audit/audit.log:

type=SELINUX_ERR msg=audit(1195473509.843:10048): security_compute_sid:  invalid
context user_u:system_r:cupsd_t:s0-s0:c0.c1023 for
scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:cupsd_exec_t:s0
tclass=process
type=SELINUX_ERR msg=audit(1195480700.377:11326): security_compute_sid:  invalid
context user_u:system_r:cupsd_t:s0-s0:c0.c1023 for
scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:cupsd_exec_t:s0
tclass=process
type=SYSCALL msg=audit(1195480700.377:11326): arch=c000003e syscall=59
success=yes exit=0 a0=8c9340 a1=8c9070 a2=8c98b0 a3=37959529f0 items=0
ppid=32218 pid=32219 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts6 comm="cupsd" exe="/usr/sbin/cupsd"
subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=LABEL_LEVEL_CHANGE msg=audit(1195480700.384:11327): user pid=32220 uid=0
auid=500 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Cups-PDF
uri=cups-pdf:/ banners=none,none range=unknown: exe="/usr/sbin/cupsd"
(hostname=saintloup.smith.man.ac.uk, addr=130.88.90.190, terminal=? res=success)'
type=LABEL_LEVEL_CHANGE msg=audit(1195480700.385:11328): user pid=32220 uid=0
auid=500 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 msg='printer=Granny
uri=socket://granny.smith.man.ac.uk:9100 banners=none,none range=unknown:
exe="/usr/sbin/cupsd" (hostname=<my hostname>, addr=<my IP>, terminal=?
res=success)'
Comment 1 Tim Waugh 2007-11-19 09:58:37 EST
The SELINUX_ERR messages look like the selinux-policy is not installed right
somehow.
Comment 2 Adam Huffman 2007-11-19 11:43:16 EST
I've tried re-install selinux-policy and selinux-policy-targeted, then
re-installing cups itself, but the error is still there in enforcing mode.
Comment 3 Daniel Walsh 2007-11-19 12:10:29 EST
Please yum update to the latest selinux policy.  It should fix the problem

Fixed in selinux-policy-3.0.8-56.fc8
Comment 4 Adam Huffman 2007-11-19 13:08:15 EST
I've just done that from that updates-testing repo, but it hasn't fixed the problem.
Comment 5 Daniel Walsh 2007-11-19 13:24:43 EST
You might have to log out and log back in.

# semanage user -l
# semanage login -l
# id -Z
Comment 6 Adam Huffman 2007-11-19 13:51:51 EST
Yes, it's working now I've logged out and back in again.

Here's the output of those commands:

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

guest_u         guest      s0         s0                             guest_r
root            sysadm     s0         s0-s0:c0.c1023                 system_r
sysadm_r staff_r
staff_u         staff      s0         s0-s0:c0.c1023                 sysadm_r
staff_r
sysadm_u        sysadm     s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r
unconfined_u    unconfined s0         s0-s0:c0.c1023                 system_r
unconfined_r
user_u          user       s0         s0                             system_r user_r
xguest_u        xguest     s0         s0                             xguest_r

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0                       
root                      system_u                  s0-s0:c0.c1023          

unconfined_u:system_r:unconfined_t:s0
(as my normal user)

Thanks a lot for the swift response - as always.
Comment 7 Matt Thompson 2007-12-12 11:47:28 EST
I believe I have hit this bug now.  It seems the only way to restart cups is to
reboot.  To wit:

# service cups start
Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied
                                                           [FAILED]

From audit.log:
type=SELINUX_ERR msg=audit(1197477894.638:654): security_compute_sid:  invalid
context user_u:system_r:cupsd_t:s0-s0:c0.c1023 for
scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:cupsd_exec_t:s0
tclass=process

Following just about everything in this thread, I ran "fixfiles restore", no
help.  Tried logging in and out as root, no help.  And since you asked before:

# semanage user -l

                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles

root            sysadm     s0         SystemLow-SystemHigh           system_r
sysadm_r staff_r
staff_u         staff      s0         SystemLow-SystemHigh           sysadm_r
staff_r
sysadm_u        sysadm     s0         SystemLow-SystemHigh           sysadm_r
system_u        user       s0         SystemLow-SystemHigh           system_r
unconfined_u    unconfined s0         SystemLow-SystemHigh           system_r
unconfined_r
user_u          user       s0         s0                             system_r user_r

# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               user_u                    s0                       
root                      root                      SystemLow-SystemHigh     

# id -Z
user_u:system_r:unconfined_t
Comment 8 Matt Thompson 2007-12-12 11:54:27 EST
Oh, and as for selinux-policy:

# rpm -q selinux-policy
selinux-policy-3.0.8-64.fc8.noarch
Comment 9 Stephen Smalley 2007-12-12 13:46:36 EST
semanage login -m -s unconfined_u __default__
logout
Comment 10 Matt Thompson 2007-12-12 14:30:52 EST
No go.  Ran semanage command as root, logged out, logged back in, and:

# service cups start
Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied
                                                           [FAILED]
Comment 11 Matt Thompson 2007-12-12 14:31:36 EST
Also, since that didn't work, is there a command I need to run to undo that?  I
am really not that versed at SELinux, so I don't want to kill my box.
Comment 12 Stephen Smalley 2007-12-12 14:43:08 EST
What does id -Z show now?
And semanage login -l?

Comment 13 Matt Thompson 2007-12-12 14:46:48 EST
(In reply to comment #12)
> What does id -Z show now?

# id -Z
user_u:system_r:unconfined_t

> And semanage login -l?


# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              s0                       
root                      root                      SystemLow-SystemHigh   
Comment 14 Stephen Smalley 2007-12-12 14:58:01 EST
Hmm...so your login context didn't change at all.
You can revert the change via semanage login -m again, e.g.
   semanage login -m -s user_u __default__
but that doesn't seem consistent with comment 6.

Dan, what's the default user supposed to be in F8?
Comment 15 Daniel Walsh 2007-12-12 17:13:45 EST
I am changing it to unconfined_u.

# semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023
unconfined_u 
# semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__

Log out and log back in.  Now does it start.
Comment 16 Matt Thompson 2007-12-13 07:54:55 EST
(In reply to comment #15)
> I am changing it to unconfined_u.
> 
> # semanage user -m -P unconfined -R "unconfined_r system_r" -r s0-s0:c0.c1023
> unconfined_u 
> # semanage login -m -s unconfined_u -r s0-s0:c0.c1023 __default__
> 
> Log out and log back in.  Now does it start.

No go here.  I ran the two commands above (I assume unconfined_u was continued
from the previous command, otherwise semanage borked), logged out and logged
back in.  And then:

# service cups start
Starting cups: /bin/bash: /usr/sbin/cupsd: Permission denied
                                                           [FAILED]
# id -Z
user_u:system_r:unconfined_t

# semanage login -l

Login Name                SELinux User              MLS/MCS Range            

__default__               unconfined_u              SystemLow-SystemHigh     
root                      root                      SystemLow-SystemHigh  

Are my semanage changes not sticking around?  Or should I be doing all this in
runlevel 3 or 1?  I'm currently being root via "su -".
Comment 17 Daniel Walsh 2007-12-13 10:51:48 EST
Are you logging all the way out?  IE Not just to su.


Do you see any avc messages in /var/log/messages or /var/log/audit/audit.log

Do you see any SELINUX_ERR these files?
Comment 18 Matt Thompson 2007-12-13 11:51:47 EST
(In reply to comment #17)
> Are you logging all the way out?  IE Not just to su.

Nope, that was it.  I was reading "log out" as exit su since I thought I just
just mucking with root.

Sorry for the confusion, but this is the first box I've had where SELinux wasn't
turned off upon build.  I'm trying!

Also:

# service cups start
Starting cups:                                             [  OK  ]

# id -Z
unconfined_u:system_r:unconfined_t:SystemLow-SystemHigh
Comment 19 Daniel Walsh 2008-01-30 14:20:09 EST
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.

Note You need to log in before you can comment on or make changes to this bug.