Bug 430829 - SELinux is preventing the /usr/sbin/cupsd from using potentially mislabeled files ().
SELinux is preventing the /usr/sbin/cupsd from using potentially mislabeled f...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-01-29 19:00 EST by Rick Richardson
Modified: 2008-02-26 17:08 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-26 17:08:52 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
audit.log (2.00 MB, text/plain)
2008-01-30 10:56 EST, Rick Richardson
no flags Details
local.te (3.31 KB, text/plain)
2008-01-30 11:37 EST, Rick Richardson
no flags Details

  None (edit)
Description Rick Richardson 2008-01-29 19:00:05 EST
SELinux is preventing the /usr/sbin/cupsd from using potentially mislabeled
files ().

SELinux has denied /usr/sbin/cupsd access to potentially mislabeled file(s) ().
This means that SELinux will not allow /usr/sbin/cupsd to use these files. It is
common for users to edit files in their home directory or tmp directories and
then move (mv) them to system directories. The problem is that the files end up
with the wrong file context which confined applications are not allowed to access.

f you want /usr/sbin/cupsd to access this files, you need to relabel them using
restorecon -v . You might want to relabel the entire directory using restorecon
-R -v .


"restorecon -v ."?

What directory?? !!
Comment 1 Daniel Walsh 2008-01-30 10:42:10 EST
Please attach the AVC messages.  /var/log/audit/audit.log
Comment 2 Rick Richardson 2008-01-30 10:56:13 EST
Created attachment 293421 [details]
audit.log
Comment 3 Daniel Walsh 2008-01-30 11:19:14 EST
You have cups trying to look at the file /home/rick/prn?  Is this a local
customization.  If you want to allow this you can use audit2allow to add it.  
Cups does not usually read users homedirectories.
Comment 4 Rick Richardson 2008-01-30 11:34:39 EST
# cat /var/log/audit/audit.log | audit2allow -M local
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp

# semodule -i local.pp
libsepol.check_assertion_helper: neverallow violated by allow nfsd_t
fixed_disk_device_t:blk_file { read }; Cannot allocate memory.
libsemanage.semanage_expand_sandbox: Expand module failed Cannot allocate memory.
semodule:  Failed!
Comment 5 Rick Richardson 2008-01-30 11:37:37 EST
Created attachment 293439 [details]
local.te
Comment 6 Daniel Walsh 2008-01-31 13:16:21 EST
Yes you are trying to load a policy that includes nfs being able to read/write
raw disk.

Try.

# grep cups /var/log/audit/audit.log | audit2allow -M local

Also update to the latest selinux policy.
Comment 7 Daniel Walsh 2008-02-26 17:08:52 EST
THis is local customization so will not fix.

Note You need to log in before you can comment on or make changes to this bug.