Bug 502524 - Summary: SELinux is preventing cupsd (cupsd_t) "write" to ./printers.conf (cupsd_etc_t).
Summary: SELinux is preventing cupsd (cupsd_t) "write" to ./printers.conf (c...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2009-05-25 14:54 EDT by Vic Bancroft
Modified: 2009-08-21 17:25 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-08-21 17:25:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vic Bancroft 2009-05-25 14:54:16 EDT
Source Context                unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:cupsd_etc_t:s0
Target Objects                ./printers.conf [ file ]
Source                        cupsd
Source Path                   /usr/sbin/cupsd
Port                          <Unknown>
Host                          lewis.dlogic.net
Source RPM Packages           cups-1.3.10-5.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-58.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     lewis.dlogic.net
Platform                      Linux lewis.dlogic.net
                     #1 SMP Mon Mar 23
                              23:08:10 EDT 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 25 May 2009 10:13:31 AM EDT
Last Seen                     Mon 25 May 2009 10:14:13 AM EDT
Local ID                      d947d256-185b-4d3e-80c9-22a38d10966e
Line Numbers                  

Raw Audit Messages            

node=lewis.dlogic.net type=AVC msg=audit(1243260853.747:3421): avc:  denied  { write } for  pid=23366 comm="cupsd" name="printers.conf" dev=sda1 ino=1270330 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_etc_t:s0 tclass=file

node=lewis.dlogic.net type=SYSCALL msg=audit(1243260853.747:3421): arch=c000003e syscall=2 success=no exit=-13 a0=7fffe79fdac0 a1=241 a2=1b6 a3=2d20666e6f632e73 items=0 ppid=1 pid=23366 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd" exe="/usr/sbin/cupsd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Comment 1 Miroslav Grepl 2009-05-26 05:22:31 EDT
This is a mislabeled file. Execute

# restorecon -R -v /etc/cups

Should fix it.
Comment 2 Daniel Walsh 2009-05-26 08:53:57 EDT
Any idea how this got mislabeled?  Did you edit this file by hand?
Comment 3 Vic Bancroft 2009-05-28 22:44:29 EDT
No, I tend not to modify the policy on this particular machine, well except for the occasional setting of new working directories httpd_sys_content_t or httpd_sys_script_exec_t as appropriate . . . 

The printer in question does come and go, as it is USB connected.  Restoring the context, cupsd_rw_etc_t, did correct the issue.  I will watch more the context on these directories and files more closely as updates are applied via yum update.
Comment 4 Daniel Walsh 2009-05-29 08:00:36 EDT
Yes I guess plug the printer in and out and see if the context of the file gets screwed up.

Note You need to log in before you can comment on or make changes to this bug.