Bug 461814 - avc: denied { read } for pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-09-10 19:51 UTC by Jay Turner
Modified: 2015-07-02 11:05 UTC
CC: 3 users

Fixed In Version: selinux-policy-2.4.6-157.el5
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-09-23 12:20:16 UTC
Target Upstream Version:
Embargoed:

Links
System: Red Hat Product Errata
ID: RHBA-2009:0163
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2009-01-20 16:05:21 UTC

Description Jay Turner 2008-09-10 19:51:52 UTC
Description of problem:
Getting the following when attempting to start the cups service in enforcing mode:

Sep 10 15:42:16 haring kernel: type=1400 audit(1221075736.854:69): avc:  denied  { read } for  pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

Switching to permissive and attempting to print:

Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:73): avc:  denied  { write } for  pid=3662 comm="cupsd" name="cups" dev=dm-0 ino=1730097 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:74): avc:  denied  { add_name } for  pid=3662 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:75): avc:  denied  { create } for  pid=3662 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:76): avc:  denied  { setattr } for  pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.584:77): avc:  denied  { write } for  pid=3662 comm="cupsd" path="/var/spool/cups/00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.585:78): avc:  denied  { remove_name } for  pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.585:79): avc:  denied  { rename } for  pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:47 haring kernel: type=1400 audit(1221076187.712:80): avc:  denied  { unlink } for  pid=3662 comm="cupsd" name="a00198" dev=dm-0 ino=1730667 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-152.el5
kernel-2.6.18-110.el5

How reproducible:
Always

Steps to Reproduce:
1. Restart cups; attempt to print
Actual results:


Expected results:


Additional info:
I've forced a relabel of the filesystem and that didn't fix things, so not entirely sure what's going on or if the policy is at fault.  It and the kernel are the only things which have changed.

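The denials in the description can be triaged mechanically. The following is an added example (not code from this report or from the selinux-policy package) that parses AVC records like the ones above, aggregates the denied permissions per (source type, target type, object class) the way audit2allow does, and then flags target types that are generic filesystem labels. The GENERIC_TARGET_TYPES list and the flagging heuristic are this example's own assumptions, not anything SELinux defines; the sample input is copied from the denial lines in the report.

```python
"""Triage SELinux AVC denials: aggregate into allow rules, flag generic targets.

Added example, not from the bug report or the selinux-policy package.  The
point it makes: an allow rule derived blindly from these denials would grant
cupsd_t write access to *everything* labeled var_spool_t, while the denial
itself suggests the spool directory simply does not carry the label the
policy expects for it.
"""
import re
from collections import defaultdict

# Sample input: AVC records copied from the denials quoted in the report.
SAMPLE_AVC = [
    'Sep 10 15:42:16 haring kernel: type=1400 audit(1221075736.854:69): avc:  denied  { read } for  pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir',
    'Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:73): avc:  denied  { write } for  pid=3662 comm="cupsd" name="cups" dev=dm-0 ino=1730097 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir',
    'Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:74): avc:  denied  { add_name } for  pid=3662 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir',
    'Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:75): avc:  denied  { create } for  pid=3662 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file',
    'Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:76): avc:  denied  { setattr } for  pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file',
    'Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.584:77): avc:  denied  { write } for  pid=3662 comm="cupsd" path="/var/spool/cups/00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file',
    'Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.585:78): avc:  denied  { remove_name } for  pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir',
    'Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.585:79): avc:  denied  { rename } for  pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file',
    'Sep 10 15:49:47 haring kernel: type=1400 audit(1221076187.712:80): avc:  denied  { unlink } for  pid=3662 comm="cupsd" name="a00198" dev=dm-0 ino=1730667 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file',
]

# "avc:  denied  { perm perm } for  key=value ..." as printed by the kernel.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs: values are either double-quoted (may hold spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption of this example: generic labels that no single daemon should own.
# A denial whose target carries one of these is a labeling question first.
GENERIC_TARGET_TYPES = {
    "var_spool_t", "var_t", "var_lib_t", "var_log_t", "var_run_t",
    "tmp_t", "etc_t", "usr_t", "home_root_t", "default_t",
}


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "pid": fields.get("pid"),
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        "stype": context_type(fields.get("scontext", "")),
        "ttype": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def summarize(lines):
    """Aggregate denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_allow_rules(rules):
    """Render the aggregate in the allow-rule syntax audit2allow would emit."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items(), key=lambda kv: tuple(map(str, kv[0]))):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


def labeling_suspects(rules):
    """Target types that look generic: verify the object's label before allowing."""
    return sorted({ttype for (_, ttype, _) in rules if ttype in GENERIC_TARGET_TYPES})


if __name__ == "__main__":
    agg = summarize(SAMPLE_AVC)
    for rule in render_allow_rules(agg):
        print(rule)
    for ttype in labeling_suspects(agg):
        print(f"# {ttype} is a generic label: compare the object's current context (ls -Z)"
              f" with the policy's expected one (matchpathcon) before adding any rule")
```

Run against the report's lines this yields two allow rules, both against var_spool_t, and the heuristic flags var_spool_t as generic. That is the reading a practitioner should take from this bug: the interesting question is not "which permissions is cupsd_t missing" but "why does /var/spool/cups carry the generic spool label at all". The reporter's observation that a full relabel did not help is consistent with the file-context specification in the policy package itself being wrong for that path (an inference from the report, not something it states outright), which is why the fix landed in selinux-policy rather than as a local audit2allow module.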
Comment 1 Daniel Walsh 2008-09-10 20:41:24 UTC
Fixed in selinux-policy-2.4.6-154.el5

Available on http://people.redhat.com/dwalsh/SELinux/RHEL5

Comment 3 Jay Turner 2008-09-11 11:36:49 UTC
Doesn't appear that fixed anything

# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.4.6-154.el5.noarch
# setenforce 0
# service cups start
Starting cups:                                             [  OK  ]

Results in the following syslog:
Sep 11 07:35:16 cobalt kernel: type=1400 audit(1221132916.889:11): avc:  denied  { read } for  pid=5133 comm="cupsd" name="tmp" dev=dm-0 ino=262280 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir


Actually attempting to print results in:
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.209:12): avc:  denied  { write } for  pid=5133 comm="cupsd" name="cups" dev=dm-0 ino=262279 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.209:13): avc:  denied  { add_name } for  pid=5133 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.210:14): avc:  denied  { create } for  pid=5133 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.210:15): avc:  denied  { setattr } for  pid=5133 comm="cupsd" name="00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.210:16): avc:  denied  { write } for  pid=5133 comm="cupsd" path="/var/spool/cups/00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.212:17): avc:  denied  { remove_name } for  pid=5133 comm="cupsd" name="00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.212:18): avc:  denied  { rename } for  pid=5133 comm="cupsd" name="00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:10 cobalt kernel: type=1400 audit(1221132970.243:19): avc:  denied  { unlink } for  pid=5133 comm="cupsd" name="a00020" dev=dm-0 ino=263184 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file

Comment 4 Daniel Walsh 2008-09-11 18:04:07 UTC
OK, try again.

Fixed in selinux-policy-2.4.6-155.el5

Comment 5 Jay Turner 2008-09-12 00:13:21 UTC
-155.el5 build failed

Comment 6 Jay Turner 2008-09-16 13:22:58 UTC
Moving back to assigned so this bug doesn't fall off the radar.

Comment 7 Jay Turner 2008-09-16 18:20:25 UTC
Fix confirmed with -157.el5.  Will close out once that package makes it into a candidate tree.

Comment 8 Jay Turner 2008-09-23 12:20:16 UTC
2.4.6-158.el5 included in beta-candidate trees (20080919.1 for Server and 20080919.2 for Client)

