Bug 791356 - SELinux is preventing /usr/sbin/cupsd from 'write' accesses on the None /etc/cups/subscriptions.conf.O.
Summary: SELinux is preventing /usr/sbin/cupsd from 'write' accesses on the None /etc/...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:1debbac278e74f984ae4e84ffe9...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-02-16 20:21 UTC by Adam Williamson
Modified: 2012-03-21 18:53 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.10.0-104.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-03-21 18:53:45 UTC
Type: ---


Attachments (Terms of Use)

Description Adam Williamson 2012-02-16 20:21:06 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-0.rc3.git4.1.1.fc17.x86_64
reason:         SELinux is preventing /usr/sbin/cupsd from 'write' accesses on the None /etc/cups/subscriptions.conf.O.
time:           Thu 16 Feb 2012 12:20:57 PM PST

description:
:SELinux is preventing /usr/sbin/cupsd from 'write' accesses on the None /etc/cups/subscriptions.conf.O.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that cupsd should be allowed write access on the subscriptions.conf.O <Unknown> by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:cupsd_etc_t:s0
:Target Objects                /etc/cups/subscriptions.conf.O [ None ]
:Source                        cupsd
:Source Path                   /usr/sbin/cupsd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           cups-1.5.2-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-88.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.3.0-0.rc3.git4.1.1.fc17.x86_64 #1 SMP Tue Feb 14
:                              02:44:04 UTC 2012 x86_64 x86_64
:Alert Count                   5
:First Seen                    Tue 14 Feb 2012 07:06:53 PM PST
:Last Seen                     Wed 15 Feb 2012 03:34:49 PM PST
:Local ID                      a9a1721c-e4ac-47b1-b3a4-0b2448cd928a
:
:Raw Audit Messages
:type=AVC msg=audit(1329348889.129:109): avc:  denied  { write } for  pid=1576 comm="cupsd" name="subscriptions.conf.O" dev="dm-2" ino=3213 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=filenode=(removed) type=SYSCALL msg=audit(1329348889.129:109): arch=c000003e syscall=2 success=no exit=-13 a0=7fff4f3416b0 a1=81 a2=7fff4f3416ce a3=400 items=0 ppid=1 pid=1576 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
:
:
:Hash: cupsd,cupsd_t,cupsd_etc_t,None,write
:
:audit2allow
:
:
:audit2allow -R
:
:

Comment 1 Miroslav Grepl 2012-02-20 16:23:24 UTC
When is this file created?

/etc/cups/subscriptions.conf.O

Comment 2 Daniel Walsh 2012-02-20 19:36:21 UTC
I added file_name_transition rules for this, although I had a typo.

I would figure this is being created in an initrc or by a program a user is running.

Comment 3 Tim Waugh 2012-02-21 10:33:32 UTC
cupsd creates *.O when modifying files in /etc/cups.

Comment 4 Daniel Walsh 2012-02-21 13:54:49 UTC
Is it created by the init script.  SELinux should blocked it from creating the file as cupds_etc_t.  Or does an an admin command running cups create the file?

Comment 5 Tim Waugh 2012-02-22 16:14:50 UTC
This file (subscriptions.conf) can be modified by cups as part of normal operation, e.g. user logging in at the console.  It just means that a client has connected and is asking for updates about a particular set of events (e.g. job changes, printer changes, etc).

Comment 6 Daniel Walsh 2012-02-22 20:46:44 UTC
Anyways it should be fixed in selinux-policy-3.10.0-91.fc17.noarch

Comment 7 Fedora Update System 2012-03-19 17:54:52 UTC
selinux-policy-3.10.0-103.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-103.fc17

Comment 8 Fedora Update System 2012-03-20 06:07:55 UTC
Package selinux-policy-3.10.0-104.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-104.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-4248/selinux-policy-3.10.0-104.fc17
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2012-03-21 18:53:45 UTC
selinux-policy-3.10.0-104.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.