libreport version: 2.0.8
executable: /usr/bin/python
hashmarkername: setroubleshoot
kernel: 3.3.0-0.rc3.git4.1.1.fc17.x86_64
reason: SELinux is preventing /usr/sbin/cupsd from 'write' accesses on the None /etc/cups/subscriptions.conf.O.
time: Thu 16 Feb 2012 12:20:57 PM PST
description:
:SELinux is preventing /usr/sbin/cupsd from 'write' accesses on the None /etc/cups/subscriptions.conf.O.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that cupsd should be allowed write access on the subscriptions.conf.O <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023
:Target Context system_u:object_r:cupsd_etc_t:s0
:Target Objects /etc/cups/subscriptions.conf.O [ None ]
:Source cupsd
:Source Path /usr/sbin/cupsd
:Port <Unknown>
:Host (removed)
:Source RPM Packages cups-1.5.2-1.fc17.x86_64
:Target RPM Packages
:Policy RPM selinux-policy-3.10.0-88.fc17.noarch
:Selinux Enabled True
:Policy Type targeted
:Enforcing Mode Enforcing
:Host Name (removed)
:Platform Linux (removed)
: 3.3.0-0.rc3.git4.1.1.fc17.x86_64 #1 SMP Tue Feb 14
: 02:44:04 UTC 2012 x86_64 x86_64
:Alert Count 5
:First Seen Tue 14 Feb 2012 07:06:53 PM PST
:Last Seen Wed 15 Feb 2012 03:34:49 PM PST
:Local ID a9a1721c-e4ac-47b1-b3a4-0b2448cd928a
:
:Raw Audit Messages
:type=AVC msg=audit(1329348889.129:109): avc: denied { write } for pid=1576 comm="cupsd" name="subscriptions.conf.O" dev="dm-2" ino=3213 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=filenode=(removed) type=SYSCALL msg=audit(1329348889.129:109): arch=c000003e syscall=2 success=no exit=-13 a0=7fff4f3416b0 a1=81 a2=7fff4f3416ce a3=400 items=0 ppid=1 pid=1576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
:
:
:Hash: cupsd,cupsd_t,cupsd_etc_t,None,write
:
:audit2allow
:
:
:audit2allow -R
:
:
When is this file created? /etc/cups/subscriptions.conf.O
I added file_name_transition rules for this, although I had a typo. I would figure this is being created in an initrc or by a program a user is running.
cupsd creates *.O when modifying files in /etc/cups.
Is it created by the init script? SELinux should have blocked it from creating the file as cupsd_etc_t. Or does an admin command running cups create the file?
This file (subscriptions.conf) can be modified by cups as part of normal operation, e.g. user logging in at the console. It just means that a client has connected and is asking for updates about a particular set of events (e.g. job changes, printer changes, etc).
Anyways it should be fixed in selinux-policy-3.10.0-91.fc17.noarch
selinux-policy-3.10.0-103.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-103.fc17
Package selinux-policy-3.10.0-104.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-104.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4248/selinux-policy-3.10.0-104.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-104.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.