Description of problem:
Getting the following when attempting to start the cups service in enforcing mode:

Sep 10 15:42:16 haring kernel: type=1400 audit(1221075736.854:69): avc: denied { read } for pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

Switching to permissive and attempting to print:

Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:73): avc: denied { write } for pid=3662 comm="cupsd" name="cups" dev=dm-0 ino=1730097 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:74): avc: denied { add_name } for pid=3662 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:75): avc: denied { create } for pid=3662 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:76): avc: denied { setattr } for pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.584:77): avc: denied { write } for pid=3662 comm="cupsd" path="/var/spool/cups/00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.585:78): avc: denied { remove_name } for pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.585:79): avc: denied { rename } for pid=3662 comm="cupsd" name="00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 10 15:49:47 haring kernel: type=1400 audit(1221076187.712:80): avc: denied { unlink } for pid=3662 comm="cupsd" name="a00198" dev=dm-0 ino=1730667 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-152.el5
kernel-2.6.18-110.el5

How reproducible: Always

Steps to Reproduce:
1. Restart cups; attempt to print

Additional info:
I've forced a relabel of the filesystem and that didn't fix things, so I'm not entirely sure what's going on or if the policy is at fault. It and the kernel are the only things which have changed.
Fixed in selinux-policy-2.4.6-154.el5 Available on http://people.redhat.com/dwalsh/SELinux/RHEL5
Doesn't appear that fixed anything.

# rpm -q selinux-policy-targeted
selinux-policy-targeted-2.4.6-154.el5.noarch
# setenforce 0
# service cups start
Starting cups: [ OK ]

Results in the following syslog:

Sep 11 07:35:16 cobalt kernel: type=1400 audit(1221132916.889:11): avc: denied { read } for pid=5133 comm="cupsd" name="tmp" dev=dm-0 ino=262280 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir

Actually attempting to print results in:

Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.209:12): avc: denied { write } for pid=5133 comm="cupsd" name="cups" dev=dm-0 ino=262279 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.209:13): avc: denied { add_name } for pid=5133 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.210:14): avc: denied { create } for pid=5133 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.210:15): avc: denied { setattr } for pid=5133 comm="cupsd" name="00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.210:16): avc: denied { write } for pid=5133 comm="cupsd" path="/var/spool/cups/00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.212:17): avc: denied { remove_name } for pid=5133 comm="cupsd" name="00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Sep 11 07:36:07 cobalt kernel: type=1400 audit(1221132967.212:18): avc: denied { rename } for pid=5133 comm="cupsd" name="00000000" dev=dm-0 ino=263177 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
Sep 11 07:36:10 cobalt kernel: type=1400 audit(1221132970.243:19): avc: denied { unlink } for pid=5133 comm="cupsd" name="a00020" dev=dm-0 ino=263184 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file
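As an added example (not from the bug report, the reporter, or the selinux-policy package), a small Python triage script that parses kernel-audit AVC lines like the ones quoted in both comments above and groups the denied permissions by source type, target type and object class, which is the first thing to look at before deciding whether a denial is a mislabelled file (fix: relabel) or a real policy gap (fix: new allow rule). The sample lines are copied from the report; the field names are the standard audit ones, and the rule rendering mimics the `.te` syntax audit2allow prints.

```python
import re
from collections import defaultdict

# Matches the "avc: denied { perms } for key=value ..." part; the syslog prefix
# ("Sep 10 15:49:44 haring kernel: type=1400 audit(...):") is simply ignored,
# so raw /var/log/audit/audit.log lines parse the same way.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    rec = {"perms": m.group("perms").split()}
    for key in ("pid", "comm", "name", "path", "tclass"):
        rec[key] = fields.get(key)
    # A context is user:role:type[:range]; type enforcement decisions depend on
    # the type field only, so user_u vs system_u on the target is irrelevant here.
    rec["stype"] = fields["scontext"].split(":")[2]
    rec["ttype"] = fields["tcontext"].split(":")[2]
    return rec

def summarize(lines):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {k: sorted(v) for k, v in summary.items()}

def as_te_rules(summary):
    """Render the summary as allow rules. Only add such a rule after checking that the
    target's label is what the file contexts say it should be (e.g. matchpathcon on the
    path); if the label is wrong, a relabel is the fix, not more policy."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for (s, t, c), p in sorted(summary.items())]

# Sample input: three AVC lines copied from the report plus one unrelated kernel line.
SAMPLE = [
    'Sep 10 15:42:16 haring kernel: type=1400 audit(1221075736.854:69): avc: denied { read } for pid=3500 comm="cupsd" name="tmp" dev=dm-0 ino=1730098 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir',
    'Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.569:74): avc: denied { add_name } for pid=3662 comm="cupsd" name="00000000" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir',
    'Sep 10 15:49:44 haring kernel: type=1400 audit(1221076184.584:77): avc: denied { write } for pid=3662 comm="cupsd" path="/var/spool/cups/00000000" dev=dm-0 ino=1730662 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:var_spool_t:s0 tclass=file',
    'Sep 10 15:49:45 haring kernel: some unrelated message',
]

if __name__ == "__main__":
    for rule in as_te_rules(summarize(SAMPLE)):
        print(rule)
```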
Ok, try again. Fixed in selinux-policy-2.4.6-155.el5
-155.el5 build failed
Moving back to assigned so this bug doesn't fall off the radar.
Fix confirmed with -157.el5. Will close out once that package makes it into a candidate tree.
2.4.6-158.el5 included in beta-candidate trees (20080919.1 for Server and 20080919.2 for Client)