Bug 796634 - cups-pdf problems in F17 if SELINUX=enforcing
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: cups-pdf
Version: 17
Assignee: Remi Collet
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-02-23 11:14 UTC by Joachim Backes
Modified: 2012-02-24 09:01 UTC

Last Closed: 2012-02-24 09:01:38 UTC

Description Joachim Backes 2012-02-23 11:14:47 UTC
Description of problem:

The standard SELINUX is set to SELINUX=enforcing in F17.
Running cups-lpd in F17. I edited /etc/cups/cups-pdf.conf by setting
"Out ${DESKTOP}/PDF". But that did not work: No printing output to the pdf printer landed in ~/Desktop/PDF. 

But after setting SELINUX=permissive (in /etc/selinux/config), all pdf printing appears in ~/Desktop/PDF as desired.

The access rights of ~/Desktop/PDF are: drwxrwxr-x

Version-Release number of selected component (if applicable):
cups-pdf-2.6.1-1.fc17.x86_64

How reproducible:
always

Steps to Reproduce:
1. Print some stuff to the PDF printer
  
Actual results:
Nothing appears in the directory given by Out ${DESKTOP}/PDF (in /etc/cups/cups-pdf.conf)


Comment 1 Joachim Backes 2012-02-23 11:17:03 UTC
(In reply to comment #0)

Sorry, typo: I meant "Running cups-pdf in F17" (and not "Running cups-lpd in F17")

Comment 2 Remi Collet 2012-02-23 18:51:00 UTC
Please check the audit.log to get the full avc denied message.

And :
ls -Zld $HOME/Desktop
ls -Zld $HOME/Desktop/PDF

Comment 3 Joachim Backes 2012-02-23 20:58:16 UTC
(In reply to comment #2)
> Please check the audit.log to get the full avc denied message.

grep cups audit.log.1|grep -i pdf|grep -i avc
type=AVC msg=audit(1329920737.647:1317): avc:  denied  { write } for  pid=24774 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921055.419:1336): avc:  denied  { write } for  pid=26693 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921249.835:1345): avc:  denied  { write } for  pid=26747 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921406.685:1352): avc:  denied  { write } for  pid=26812 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921592.491:1378): avc:  denied  { write } for  pid=26940 comm="cups-pdf" name="backes" dev="sda7" ino=2883586 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921709.160:1379): avc:  denied  { write } for  pid=26995 comm="cups-pdf" name="backes" dev="sda7" ino=2883586 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921713.254:1380): avc:  denied  { write } for  pid=27003 comm="cups-pdf" name="backes" dev="sda7" ino=2883586 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329922116.962:1405): avc:  denied  { write } for  pid=27208 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir

> 
> And :
> ls -Zld $HOME/Desktop
drwxr-xr-x. 5 system_u:object_r:user_home_t:s0 backes backes 4096 Feb 23 14:29 /home/backes/Desktop

> ls -Zld $HOME/Desktop/PDF
drwxrwxr-x. 2 system_u:object_r:default_t:s0   backes backes 4096 Feb 23 11:27 /home/backes/Desktop/PDF

Comment 4 Remi Collet 2012-02-24 06:20:13 UTC
So, type for PDF directory is not ok.

Please change it to user_home_t (with chcon or restorecon)

Comment 5 Joachim Backes 2012-02-24 09:01:38 UTC
(In reply to comment #4)
> So, type for PDF directory is not ok.
> 
> Please change it to user_home_t (with chcon or restorecon)

Thanks, works for me!
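
The diagnosis worked through in comments 2 to 4, as an added example that is not part of the original bug report: it condenses AVC records into one line per distinct denial and picks out targets labelled default_t. The function names and the summary layout are assumptions of this example; the sample records are copied from comment 3.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes the AVC record layout
# shown in comment 3 (whitespace-separated key=value fields).

# Three of the denials quoted in comment 3, copied verbatim.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1329920737.647:1317): avc:  denied  { write } for  pid=24774 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921055.419:1336): avc:  denied  { write } for  pid=26693 comm="gs" name="PDF" dev="sda7" ino=3020848 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1329921592.491:1378): avc:  denied  { write } for  pid=26940 comm="cups-pdf" name="backes" dev="sda7" ino=2883586 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=dir
EOF
}

# avc_summary: read audit.log lines on stdin and print one line per distinct
# denial, in first-seen order: count comm name perms source_type target_type tclass
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        comm = name = src = tgt = cls = perms = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/^comm=|"/, "", comm) }
            if ($i ~ /^name=/)     { name = $i; gsub(/^name=|"/, "", name) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # user:role:TYPE:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
            if ($i == "{")         # permissions sit between "{" and "}"
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perms = perms (perms ? "," : "") $j
        }
        key = comm " " name " " perms " " src " " tgt " " cls
        if (!(key in seen)) order[++k] = key
        seen[key]++
    }
    END { for (i = 1; i <= k; i++) print seen[order[i]], order[i] }'
}

# flag_mislabeled: keep only denials whose target carries default_t, the
# type comment 4 identifies as wrong for the PDF directory.
flag_mislabeled() {
    avc_summary | awk '$6 == "default_t" {
        print $3 " (" $7 "): " $5 " denied " $4 "; target type is " $6 }'
}

sample_log | flag_mislabeled
```

On a live system, feed it the audit log instead (`avc_summary < /var/log/audit/audit.log`, which needs root), then relabel the flagged path with one of the commands named in comment 4, for example `restorecon -v ~/Desktop/PDF`.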

