Bug 461814 - avc: denied { read } for pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Walsh
Reported: 2008-09-10 15:51 EDT by Jay Turner
Modified: 2015-07-02 07:05 EDT (History)
CC: 3 users

Fixed In Version: selinux-policy-2.4.6-157.el5
Doc Type: Bug Fix
Last Closed: 2008-09-23 08:20:16 EDT
Attachments: None
Description Jay Turner 2008-09-10 15:51:52 EDT
Description of problem:
Getting the following when attempting to start the cups service in enforcing mode:

Sep 10 15:42:16 haring kernel: type=1400 audit(1221075736.854:69): avc:  denied  { read } for  pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

Switching to permissive and attempting to print:

Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:73): avc:  denied  { write } for  pid=3662 comm="cupsd" name="cups" dev=dm-0 ino=1730097 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:74): avc:  denied  { add_name } for  pid=3662 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:75): avc:  denied  { create } for  pid=3662 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:76): avc:  denied  { setattr } for  pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.584:77): avc:  denied  { write } for  pid=3662 comm="cupsd" path="/var/spool/cups/00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.585:78): avc:  denied  { remove_name } for  pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.585:79): avc:  denied  { rename } for  pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:47 haring kernel: type=1400 audit(1221076187.712:80): avc:  denied  { unlink } for  pid=3662 comm="cupsd" name="a00198" dev=dm-0 ino=1730667 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-152.el5
kernel-2.6.18-110.el5

How reproducible:
Always

Steps to Reproduce:
1. Restart cups; attempt to print
Additional info:
I've forced a relabel of the filesystem and that didn't fix things, so not entirely sure what's going on or if the policy is at fault.  It and the kernel are the only things which have changed.
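Every denial quoted above has the same subject type (cupsd_t) and target type (var_spool_t) and differs only in object class and permission. The following is an added example, not code from the bug report or from selinux-policy: it parses AVC lines in the kernel's audit format and collapses them into one permission set per (source type, target type, class), the same summary audit2allow derives before printing allow rules. The sample input is a constructed subset of the lines quoted in the description.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC denials quoted in the bug report.
SAMPLE_AVCS = """\
Sep 10 15:42:16 haring kernel: type=1400 audit(1221075736.854:69): avc:  denied  { read } for  pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:73): avc:  denied  { write } for  pid=3662 comm="cupsd" name="cups" dev=dm-0 ino=1730097 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:74): avc:  denied  { add_name } for  pid=3662 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:75): avc:  denied  { create } for  pid=3662 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.584:77): avc:  denied  { write } for  pid=3662 comm="cupsd" path="/var/spool/cups/00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
"""

# The kernel prints "avc:  denied  { perm ... }" followed by key=value fields;
# only the permission set, the two contexts and the object class matter here.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    # A context is user:role:type[:range]; the type is what policy rules use.
    return context.split(':')[2]

def parse_avcs(text):
    """Yield (source type, target type, class, permission set) per denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (selinux_type(m['scontext']), selinux_type(m['tcontext']),
               m['tclass'], frozenset(m['perms'].split()))

def summarize(text):
    """Collapse denials into {(stype, ttype, tclass): set(perms)}."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avcs(text):
        needed[(stype, ttype, tclass)] |= perms
    return dict(needed)

def as_allow_rules(summary):
    """Render the summary as candidate allow rules. Whether to add such rules
    or instead relabel the target (here /var/spool/cups) is a policy decision."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(summary.items())]

if __name__ == '__main__':
    for rule in as_allow_rules(summarize(SAMPLE_AVCS)):
        print(rule)
```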
Comment 1 Daniel Walsh 2008-09-10 16:41:24 EDT
Fixed in selinux-policy-2.4.6-154.el5

Available on http://people.redhat.com/dwalsh/SELinux/RHEL5
Comment 3 Jay Turner 2008-09-11 07:36:49 EDT
Doesn't appear that fixed anything

# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.4.6-154.el5.noarch
# setenforce 0
# service cups start
Starting cups:                                             [  OK  ]

Results in the following syslog:
Sep 11 07:35:16 cobalt kernel: type=1400 audit(1221132916.889:11): avc:  denied  { read } for  pid=5133 comm="cupsd" name="tmp" dev=dm-0 ino=262280 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir


Actually attempting to print results in:
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.209:12): avc:  denied  { write } for  pid=5133 comm="cupsd" name="cups" dev=dm-0 ino=262279 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.209:13): avc:  denied  { add_name } for  pid=5133 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.210:14): avc:  denied  { create } for  pid=5133 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.210:15): avc:  denied  { setattr } for  pid=5133 comm="cupsd" name="00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.210:16): avc:  denied  { write } for  pid=5133 comm="cupsd" path="/var/spool/cups/00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.212:17): avc:  denied  { remove_name } for  pid=5133 comm="cupsd" name="00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.212:18): avc:  denied  { rename } for  pid=5133 comm="cupsd" name="00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:10 cobalt kernel: type=1400 audit(1221132970.243:19): avc:  denied  { unlink } for  pid=5133 comm="cupsd" name="a00020" dev=dm-0 ino=263184 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Comment 4 Daniel Walsh 2008-09-11 14:04:07 EDT
Ok, try again.

Fixed in selinux-policy-2.4.6-155.el5
Comment 5 Jay Turner 2008-09-11 20:13:21 EDT
-155.el5 build failed
Comment 6 Jay Turner 2008-09-16 09:22:58 EDT
Moving back to assigned so this bug doesn't fall off the radar.
Comment 7 Jay Turner 2008-09-16 14:20:25 EDT
Fix confirmed with -157.el5.  Will close out once that package makes it into a candidate tree.
Comment 8 Jay Turner 2008-09-23 08:20:16 EDT
2.4.6-158.el5 included in beta-candidate trees (20080919.1 for Server and 20080919.2 for Client)