Description of problem: Every time printing is attempted with cups, several errors regarding to SELinux denying cupsd the ability to manage "subscriptions.conf" show up. Version-Release number of selected component (if applicable): selinux-policy-targeted-3.3.1-99.fc9.noarch cups-1.3.9-1.fc9.i386 How reproducible: Always Steps to Reproduce: 1. Try to print something to a cupsd managed printer 2. Errors show up; cupsd tries to rename subscriptions.conf to subscriptions.conf.O; then tries to write to subscriptions.conf; then tries to rename subscriptions.conf. All these fail. 3. Raw SELinux audit report: Summary: SELinux is preventing cupsd (cupsd_t) "rename" to ./subscriptions.conf.O (cupsd_etc_t). Detailed Description: SELinux denied access requested by cupsd. It is not expected that this access is required by cupsd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./subscriptions.conf.O, restorecon -v './subscriptions.conf.O' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context system_u:object_r:cupsd_etc_t:s0 Target Objects ./subscriptions.conf.O [ file ] Source cupsd Source Path /usr/sbin/cupsd Port <Unknown> Host jupiter.acf.aquezada.com Source RPM Packages cups-1.3.9-1.fc9 Target RPM Packages Policy RPM selinux-policy-3.3.1-99.fc9 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall_file Host Name jupiter.acf.aquezada.com Platform Linux jupiter.acf.aquezada.com 2.6.26.5-45.fc9.i686 #1 SMP Sat Sep 20 03:45:00 EDT 2008 i686 i686 Alert Count 70 First Seen Sun 19 Oct 2008 05:49:34 PM EDT Last Seen Sun 26 Oct 2008 09:08:09 PM EDT Local ID d7944301-cb0c-4bcb-ace3-05b711531f74 Line Numbers Raw Audit Messages host=jupiter.acf.aquezada.com type=AVC msg=audit(1225069689.815:1006): avc: denied { rename } for pid=2401 comm="cupsd" name="subscriptions.conf.O" dev=dm-0 ino=131098 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=file host=jupiter.acf.aquezada.com type=SYSCALL msg=audit(1225069689.815:1006): arch=40000003 syscall=38 success=no exit=-13 a0=bfb588f8 a1=bfb58cf8 a2=b7f5dff4 a3=bfb588f8 items=0 ppid=1 pid=2401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
This looks like a labeling problem. What does # restorecon -R -v /etc/cups subscriptions.conf.O has the wrong label on it. Any idea of how this got created?
No idea how it got this way - I never touch SELinux, it just works. But thanks.