Bug 430829 - SELinux is preventing the /usr/sbin/cupsd from using potentially mislabeled files ().
Summary: SELinux is preventing the /usr/sbin/cupsd from using potentially mislabeled f...
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-01-30 00:00 UTC by Rick Richardson
Modified: 2008-02-26 22:08 UTC (History)

Last Closed: 2008-02-26 22:08:52 UTC
Type: ---


Attachments
audit.log (2.00 MB, text/plain), 2008-01-30 15:56 UTC, Rick Richardson
local.te (3.31 KB, text/plain), 2008-01-30 16:37 UTC, Rick Richardson

Description Rick Richardson 2008-01-30 00:00:05 UTC
SELinux is preventing the /usr/sbin/cupsd from using potentially mislabeled
files ().

SELinux has denied /usr/sbin/cupsd access to potentially mislabeled file(s) ().
This means that SELinux will not allow /usr/sbin/cupsd to use these files. It is
common for users to edit files in their home directory or tmp directories and
then move (mv) them to system directories. The problem is that the files end up
with the wrong file context which confined applications are not allowed to access.

If you want /usr/sbin/cupsd to access this files, you need to relabel them using
restorecon -v . You might want to relabel the entire directory using restorecon
-R -v .


"restorecon -v ."?

What directory?? !!

Comment 1 Daniel Walsh 2008-01-30 15:42:10 UTC
Please attach the AVC messages.  /var/log/audit/audit.log

Comment 2 Rick Richardson 2008-01-30 15:56:13 UTC
Created attachment 293421
audit.log

Comment 3 Daniel Walsh 2008-01-30 16:19:14 UTC
You have cups trying to look at the file /home/rick/prn?  Is this a local
customization?  If you want to allow this, you can use audit2allow to add it.
Cups does not usually read users' home directories.

Comment 4 Rick Richardson 2008-01-30 16:34:39 UTC
# cat /var/log/audit/audit.log | audit2allow -M local
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp

# semodule -i local.pp
libsepol.check_assertion_helper: neverallow violated by allow nfsd_t
fixed_disk_device_t:blk_file { read }; Cannot allocate memory.
libsemanage.semanage_expand_sandbox: Expand module failed Cannot allocate memory.
semodule:  Failed!


Comment 5 Rick Richardson 2008-01-30 16:37:37 UTC
Created attachment 293439
local.te

Comment 6 Daniel Walsh 2008-01-31 18:16:21 UTC
Yes, you are trying to load a policy that includes nfs being able to read/write
raw disk.

Try:

# grep cups /var/log/audit/audit.log | audit2allow -M local

Also update to the latest selinux policy.

Comment 7 Daniel Walsh 2008-02-26 22:08:52 UTC
This is a local customization, so will not fix.
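
Added example, not part of the original bug thread or of selinux-policy: a small Python review step in the spirit of Comment 6, which collapses AVC denials into candidate allow rules per source domain before anything is handed to audit2allow. It goes one step beyond `grep cups` by matching on the scontext type rather than a substring; the log records are constructed, and the function names and the SENSITIVE_TYPES set are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log records for illustration (not taken from the attached log).
SAMPLE_LOG = """\
type=AVC msg=audit(1201708573.101:41): avc:  denied  { read } for  pid=2101 comm="cupsd" name="prn" dev=dm-0 ino=98311 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1201708573.102:42): avc:  denied  { getattr } for  pid=2101 comm="cupsd" path="/home/rick/prn" dev=dm-0 ino=98311 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1201708601.007:57): avc:  denied  { read } for  pid=1888 comm="nfsd" name="sda1" dev=tmpfs ino=412 scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=SYSCALL msg=audit(1201708601.007:57): arch=40000003 syscall=5 success=no exit=-13 comm="nfsd"
"""

# Assumption: target types that deserve a manual look before any rule is built.
# fixed_disk_device_t is the type named in the neverallow error in Comment 4.
SENSITIVE_TYPES = {"fixed_disk_device_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def denied_rules(lines):
    """Collapse AVC denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records and anything that is not a denial
        src = m["scon"].split(":")[2]  # context is user:role:type[:level]
        tgt = m["tcon"].split(":")[2]
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(rules)

def rules_for_domain(rules, domain):
    """Keep only rules whose source type is exactly `domain`."""
    return {k: v for k, v in rules.items() if k[0] == domain}

def needs_review(rules, sensitive=SENSITIVE_TYPES):
    """Rules that would grant access to a sensitive target type."""
    return sorted(k for k in rules if k[1] in sensitive)

def render(rules):
    """Show the rules in allow-statement form for a human to read."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    all_rules = denied_rules(SAMPLE_LOG.splitlines())
    print("review first:", needs_review(all_rules))
    print("\n".join(render(rules_for_domain(all_rules, "cupsd_t"))))
```

Run over the whole log, the review list shows which unrelated denials would have been swept into the module; the per-domain output is what the narrowed audit2allow run is expected to cover.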

