Bug 704828 - SELinux is preventing /usr/sbin/cupsd from 'write' accesses on the fichier /etc/cups/ppd/Babayaga.ppd.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:54d60680aa8...
Depends On:
Blocks:
Reported: 2011-05-15 10:48 UTC by Nicolas Mailhot
Modified: 2011-05-23 11:56 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-16 05:51:17 UTC
Type: ---


Description Nicolas Mailhot 2011-05-15 10:48:42 UTC
SELinux is preventing /usr/sbin/cupsd from 'write' accesses on the fichier /etc/cups/ppd/Babayaga.ppd.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/etc/cups/ppd/Babayaga.ppd default label should be cupsd_rw_etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/cups/ppd/Babayaga.ppd

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that cupsd should be allowed write access on the Babayaga.ppd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /etc/cups/ppd/Babayaga.ppd [ file ]
Source                        cupsd
Source Path                   /usr/sbin/cupsd
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           cups-1.4.6-15.fc16
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-23.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.39-0.rc6.git0.0.fc16.x86_64 #1
                              SMP Wed May 4 16:02:13 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    mar. 10 mai 2011 17:38:26 CEST
Last Seen                     mar. 10 mai 2011 17:39:18 CEST
Local ID                      358f2da2-deab-414c-989a-3d2e443490be

Raw Audit Messages
type=AVC msg=audit(1305041958.945:24211): avc:  denied  { write } for  pid=1702 comm="cupsd" name="Babayaga.ppd" dev=dm-1 ino=420 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1305041958.945:24211): arch=x86_64 syscall=open success=yes exit=ESPIPE a0=7fff5b3a91b6 a1=1 a2=1b6 a3=0 items=0 ppid=1 pid=1702 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: cupsd,cupsd_t,tmp_t,file,write

audit2allow

#============= cupsd_t ==============
allow cupsd_t tmp_t:file write;

audit2allow -R

#============= cupsd_t ==============
allow cupsd_t tmp_t:file write;

Comment 1 Miroslav Grepl 2011-05-16 05:51:17 UTC
*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/etc/cups/ppd/Babayaga.ppd default label should be cupsd_rw_etc_t.
Then you can run restorecon.
Do

# /sbin/restorecon -v /etc/cups/ppd/Babayaga.ppd


Please run this command which will fix a label. You moved the file to /etc/cups/ppd which caused this issue.

Comment 2 Nicolas Mailhot 2011-05-16 11:51:02 UTC
(In reply to comment #1)

> Please run this command which will fix a label. You moved the file to
> /etc/cups/ppd which caused this issue.

Not really, it seems any time you try to modify a printer cups creates a new mislabelled file (this file has been there for ages and relabeled multiple times)

Comment 3 Daniel Walsh 2011-05-17 08:22:10 UTC
Nicolas, what process is creating "Babayaga.ppd"? Since it is being created with a label of tmp_t, I assume it is created by a domain that is not allowed to create tmp_t, in permissive mode or an unconfined domain that does not have a transition rule for tmp.

unconfined_t creating a file in a directory labeled tmp_t would create user_tmp_t.

Comment 4 Daniel Walsh 2011-05-17 08:24:19 UTC
After the file is created in a tmp dir it is being moved to /etc/cups/ppd
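
The distinction drawn in comments 1 through 4 (a mislabeled file versus a missing policy rule), as an added example that is not part of the bug thread and is not setroubleshoot's own code: it parses the AVC record from the report, compares the target type with the default type for the path, and suggests either a relabel or the audit2allow-style rule. The `DEFAULT_TYPES` table is a stand-in for the system file-context database, and the second AVC record, the `mydaemon_t` domain and `/tmp/scratch.dat` are constructed for contrast.

```python
import re

# Stand-in for the file-context database. The first entry is the default
# label stated in the report; the /tmp entry is an assumption for the demo.
DEFAULT_TYPES = [
    (re.compile(r"/etc/cups/ppd(/.*)?"), "cupsd_rw_etc_t"),
    (re.compile(r"/tmp(/.*)?"), "tmp_t"),
]

# AVC record copied from the report in this bug.
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1305041958.945:24211): avc:  denied  { write } for  '
    'pid=1702 comm="cupsd" name="Babayaga.ppd" dev=dm-1 ino=420 '
    'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file'
)
# Constructed record for contrast: hypothetical domain, file really in /tmp.
AVC_CONSTRUCTED = (
    'type=AVC msg=audit(1305041999.000:24300): avc:  denied  { write } for  '
    'pid=2001 comm="mydaemon" name="scratch.dat" dev=dm-1 ino=999 '
    'scontext=system_u:system_r:mydaemon_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file'
)

def parse_avc(line):
    """Pull permissions, source/target types and class out of an AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    return {
        "perms": m.group(1).split(),
        "stype": kv["scontext"].split(":")[2],  # user:role:type:level
        "ttype": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
    }

def triage(line, path):
    """('relabel', command) if the target is mislabeled, else ('policy', rule)."""
    avc = parse_avc(line)
    if avc is None:
        return None
    expected = next((t for rx, t in DEFAULT_TYPES if rx.fullmatch(path)), None)
    if expected is not None and expected != avc["ttype"]:
        return ("relabel", f"/sbin/restorecon -v {path}")
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return ("policy", f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {p};")
```

The path has to be supplied separately (here from the report's "Target Objects" field) because the AVC record carries only the file name and inode.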

Comment 5 Nicolas Mailhot 2011-05-19 07:02:24 UTC
It's created by the cups admin console when you modify the settings of a printer with the same name

Comment 6 Nicolas Mailhot 2011-05-19 07:04:17 UTC
(don't know where printer settings are hidden in gnome 3, and anyway the cups admin app has always been necessary when the gnomy stuff failed for one reason or another; it's more complete)

Comment 7 Tim Waugh 2011-05-19 08:49:00 UTC
Nicolas: what is the package name for the "cups admin console" you referred to in comment #5?  There are several applications which configure CUPS:
 * the CUPS web interface, at http://localhost:631/admin (provided by 'cups')
 * the GNOME 3 printing panel, account -> System Settings -> Printers (provided by 'control-center')
 * system-config-printer

Comment 8 Nicolas Mailhot 2011-05-23 11:56:55 UTC
It's http://localhost:631/

I'll try to check the gnome3 stuff; IIRC it used to be broken too by selinux, but the breakage tends to change from month to month

