Dear Guys, I have been working on running cups-pdf, and it works with SELinux disabled or relaxed, but ... cups-pdf doesn't work with SELinux "enforced".
Could anyone who knows the "SELinux" architecture better than I do help me with this problem?
I attach the audit.log later in the conversation with the cups-pdf developers.
Could anyone tell me what I need to configure in SELinux (and how) to allow cups-pdf to work with SELinux?
Regards
-------- Original Message --------
Subject: Problem with SELinux CONFIRMED
Date: Mon, 30 Jan 2006 10:50:02 +0100
From: Samuel Díaz García samueld@sescam.jccm.es
Reply-To: samueldg@arcoscom.com
Organization: Servicio de Salud de Castilla - La Mancha
To: Volker Christian Behr vrbehr@cip.physik.uni-wuerzburg.de
CC: Remi Collet Remi@famillecollet.com
References: 43D812D7.8030700@arcoscom.com 43D8750A.3020909@FamilleCollet.com 43D8906A.5050001@sescam.jccm.es 1138279161.29064.4.camel@merlin.physik.uni-wuerzburg.de 43D9F161.7090207@sescam.jccm.es 1138361808.15755.12.camel@merlin.physik.uni-wuerzburg.de 43DA5112.5080708@FamilleCollet.com 1138549747.2345.12.camel@taliesin.localnet
Volker, I confirm the problem. With SELinux enabled, we can reproduce the failure (cups-pdf.log):
Mon Jan 30 10:36:50 2006 [DEBUG] initialization finished (v2.0.4)
Mon Jan 30 10:36:50 2006 [DEBUG] user identified (samueldg)
Mon Jan 30 10:36:50 2006 [DEBUG] output directory name generated (/home/samueldg)
Mon Jan 30 10:36:50 2006 [ERROR] failed to create directory (/home)
Mon Jan 30 10:36:50 2006 [DEBUG] ERRNO: 17
Mon Jan 30 10:36:50 2006 [ERROR] failed to create user output directory (/home/samueldg)
Mon Jan 30 10:36:50 2006 [DEBUG] ERRNO: 17
Mon Jan 30 10:37:34 2006 [DEBUG] switching to new gid (root)
Mon Jan 30 10:37:34 2006 [DEBUG] initialization finished (v2.0.4)
Mon Jan 30 10:37:34 2006 [DEBUG] user identified (samueldg)
Mon Jan 30 10:37:34 2006 [DEBUG] output directory name generated (/home/samueldg)
Mon Jan 30 10:37:34 2006 [ERROR] failed to create directory (/home)
Mon Jan 30 10:37:34 2006 [DEBUG] ERRNO: 17
Mon Jan 30 10:37:34 2006 [ERROR] failed to create user output directory (/home/samueldg)
Mon Jan 30 10:37:34 2006 [DEBUG] ERRNO: 17
Mon Jan 30 10:37:39 2006 [DEBUG] switching to new gid (root)
Mon Jan 30 10:37:39 2006 [DEBUG] initialization finished (v2.0.4)
Mon Jan 30 10:37:39 2006 [DEBUG] user identified (samueldg)
Mon Jan 30 10:37:39 2006 [DEBUG] output directory name generated (/home/samueldg)
Mon Jan 30 10:37:39 2006 [ERROR] failed to create directory (/home)
Mon Jan 30 10:37:39 2006 [DEBUG] ERRNO: 17
Mon Jan 30 10:37:39 2006 [ERROR] failed to create user output directory (/home/samueldg)
Mon Jan 30 10:37:39 2006 [DEBUG] ERRNO: 17
In audit.log:
type=AVC msg=audit(1138613810.373:517): avc: denied { search } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613810.373:517): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfcf42cc a2=3e6ff4 a3=bfcf42cc items=1 pid=3823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613810.373:517): cwd="/"
type=PATH msg=audit(1138613810.373:517): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613810.373:518): avc: denied { search } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613810.373:518): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfcf323c a2=3e6ff4 a3=bfcf323c items=1 pid=3823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613810.373:518): cwd="/"
type=PATH msg=audit(1138613810.373:518): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613810.373:519): avc: denied { getattr } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613810.373:519): arch=40000003 syscall=195 success=no exit=-13 a0=bfcf32d4 a1=bfcf21ac a2=3e6ff4 a3=bfcf21ac items=1 pid=3823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613810.373:519): path="/home"
type=CWD msg=audit(1138613810.373:519): cwd="/"
type=PATH msg=audit(1138613810.373:519): item=0 name="/home" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1138613853.687:520): user pid=2762 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Success)'
type=USER_ACCT msg=audit(1138613853.691:521): user pid=2762 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Success)'
type=AVC msg=audit(1138613854.011:522): avc: denied { search } for pid=3833 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613854.011:522): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfc6aeec a2=3e6ff4 a3=bfc6aeec items=1 pid=3833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613854.011:522): cwd="/"
type=PATH msg=audit(1138613854.011:522): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613854.011:523): avc: denied { search } for pid=3833 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613854.011:523): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfc69e5c a2=3e6ff4 a3=bfc69e5c items=1 pid=3833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613854.011:523): cwd="/"
type=PATH msg=audit(1138613854.011:523): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613854.011:524): avc: denied { getattr } for pid=3833 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613854.011:524): arch=40000003 syscall=195 success=no exit=-13 a0=bfc69ef4 a1=bfc68dcc a2=3e6ff4 a3=bfc68dcc items=1 pid=3833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613854.011:524): path="/home"
type=CWD msg=audit(1138613854.011:524): cwd="/"
type=PATH msg=audit(1138613854.011:524): item=0 name="/home" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1138613859.448:525): user pid=2762 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Success)'
type=USER_ACCT msg=audit(1138613859.456:526): user pid=2762 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Success)'
type=AVC msg=audit(1138613859.624:527): avc: denied { search } for pid=3842 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613859.624:527): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfee620c a2=3e6ff4 a3=bfee620c items=1 pid=3842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613859.624:527): cwd="/"
type=PATH msg=audit(1138613859.624:527): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613859.624:528): avc: denied { search } for pid=3842 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613859.624:528): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfee517c a2=3e6ff4 a3=bfee517c items=1 pid=3842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613859.624:528): cwd="/"
type=PATH msg=audit(1138613859.624:528): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613859.624:529): avc: denied { getattr } for pid=3842 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613859.624:529): arch=40000003 syscall=195 success=no exit=-13 a0=bfee5214 a1=bfee40ec a2=3e6ff4 a3=bfee40ec items=1 pid=3842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613859.624:529): path="/home"
type=CWD msg=audit(1138613859.624:529): cwd="/"
type=PATH msg=audit(1138613859.624:529): item=0 name="/home" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
t
I'll try to find more info about SELinux, but it appears that cups-pdf fails at 2 points:
1) SELinux doesn't allow cups-pdf to browse directories.
2) SELinux doesn't allow cups-pdf to get attribute info from files.
I'll google a bit to find more info about solving this problem and tell you (perhaps a mini-FAQ about cups-pdf and SELinux would be useful for some users).
I don't think the problem is (with 2.0.4 at least) with cups-pdf, but I think a little reference on the web page about configuring it with SELinux would be a good idea.
As I said, I'll try to find more information on the web.
Regards and many thanks for your support (Volker and Remi).
Volker Christian Behr wrote:
Hi Samuel and Remi!
On Fri, 2006-01-27 at 17:57, Remi Collet wrote:
Volker Christian Behr wrote:
By now I am pretty sure this has to do with SELinux since this issue appears only on FC4-platforms.
Yes, and I've already asked Samuel to try with SELinux disabled (and with the latest FC4 updates). One other user of my RPM has encountered the same error (but I haven't kept the email).
This would be the most interesting result: does CUPS-PDF work if SELinux is disabled - especially, does the directory creation work?
if (stat(dirname, &fstatus) || !S_ISDIR(fstatus.st_mode)) {
The above line tests whether the given directory name is a dir: !S_ISDIR(fstatus.st_mode). If the directory exists, this loop should never be entered....
Yes. But I think that you need read access on the parent dir to use stat. So it could be useful to verify the errno 17.
This is possible since I do not have any testing platforms with SELinux available. Remi, do you have SELinux enabled?
I checked on my system and since directory creation is done with full root privileges I always have read access on all (local) directories. So - again - I think this is SELinux blocking some functionality.
Thank you, Samuel, for the offer to log onto your system to test there, but since I have never used SELinux before I think I am going to install FC4 on my computer so I can play around with it a little more to see how to get CUPS-PDF to work smoothly with it (this will take some time).
I am looking forward to the result without SELinux - it would be great if this was the only issue, since then there is just one issue to be solved :-)
Cheers,
Volker
Any help/link/forum?
Thanks
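The point Remi raises above (stat() needs search permission on the parent directory, so the errno 17 from the later mkdir() is misleading) is worth seeing in code. The following is an added example, not code from the thread or from cups-pdf's source: a directory-creation helper written in Python that inspects why stat() failed before it ever calls mkdir(). With the cups-pdf pattern `if (stat(...) || !S_ISDIR(...))` followed by mkdir(), a stat() denied by SELinux (EACCES, which is what the search/getattr AVC denials on home_root_t produce) is indistinguishable from "does not exist", and the mkdir() on an existing /home then reports EEXIST. The scratch directory, the user name samueldg and the names ensure_dir, run_demo and the status strings are all this example's own.

```python
import errno
import os
import stat
import tempfile

# Status strings returned by ensure_dir(); constructed for this example.
EXISTS, CREATED, NOT_A_DIR, DENIED, ERROR = "exists", "created", "not-a-dir", "denied", "error"


def ensure_dir(path, mode=0o755):
    """Return (status, errno_or_None) for `path`, creating it when it is missing.

    Unlike the stat()-then-mkdir() pattern discussed in the thread, a stat() failure is
    classified before any mkdir() attempt, so a search/getattr denial on the parent
    (DAC, or a MAC such as SELinux) is reported as DENIED/EACCES instead of surfacing
    as a confusing EEXIST (errno 17) from a mkdir() on a directory that already exists.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        pass                                 # genuinely missing: fall through to mkdir()
    except PermissionError as e:
        return DENIED, e.errno               # e.g. an SELinux AVC denial on the path walk
    except OSError as e:
        return ERROR, e.errno                # e.g. ENOTDIR when a path component is a file
    else:
        return (EXISTS, None) if stat.S_ISDIR(st.st_mode) else (NOT_A_DIR, errno.ENOTDIR)
    try:
        os.mkdir(path, mode)
        return CREATED, None
    except FileExistsError:
        # Created by someone else between stat() and mkdir(): re-check instead of failing.
        try:
            if stat.S_ISDIR(os.stat(path).st_mode):
                return EXISTS, None
        except OSError as e:
            return ERROR, e.errno
        return NOT_A_DIR, errno.ENOTDIR
    except OSError as e:
        return ERROR, e.errno


def run_demo():
    """Exercise ensure_dir() in a scratch directory; returns [(case, status, errno name)]."""
    results = []
    with tempfile.TemporaryDirectory() as base:
        sub = os.path.join(base, "samueldg")          # constructed; stands in for /home/<user>
        plain = os.path.join(base, "notadir")
        open(plain, "w").close()                      # a regular file where a dir is expected
        cases = [("existing", base), ("missing", sub), ("again", sub),
                 ("file", plain), ("under-file", os.path.join(plain, "x"))]
        for label, p in cases:
            status, err = ensure_dir(p)
            results.append((label, status, errno.errorcode.get(err) if err else None))
        if os.geteuid() != 0:   # root bypasses DAC, so the denial only reproduces unprivileged
            os.chmod(base, 0)   # parent without search permission, like the denied /home
            try:
                status, err = ensure_dir(sub)
            finally:
                os.chmod(base, 0o755)
            results.append(("parent-unsearchable", status, errno.errorcode.get(err) if err else None))
    return results


if __name__ == "__main__":
    for case, status, err in run_demo():
        print(f"{case:20s} -> {status:10s} {err or ''}")
```

Under a DAC-only kernel the "parent-unsearchable" case needs an unprivileged user; under SELinux enforcing the same EACCES reaches the process even as root, which is exactly what the cups-pdf backend (uid=0 in the SYSCALL records) ran into.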
On Mon, 2006-01-30 at 21:43 +0100, Samuel Díaz García wrote:
Any help/link/forum?
Thanks
Stupid question, but have you fed the audit.log to "audit2why" for an explanation? I did a quicky and it appears you don't have any TE allow rules set up.
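What audit2why and audit2allow distil from an audit.log like the one in the thread, as an added example (not code from the thread, from the audit tools, or from cups-pdf): a small parser for the records quoted above that joins each AVC with its SYSCALL, AVC_PATH and PATH records by audit serial, reports which syscall the denial turned into and with what errno, and prints the denials in the TE allow-rule syntax that audit2allow would emit. SAMPLE_AUDIT_LOG is copied from the thread's records (one record per line); the function names and the I386_SYSCALLS table are this example's own, and 195 is stat64 on i386 (arch=40000003).

```python
import errno
import re
from collections import defaultdict

# Constructed sample: records from the thread's audit.log, one record per line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1138613810.373:517): avc: denied { search } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613810.373:517): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfcf42cc a2=3e6ff4 a3=bfcf42cc items=1 pid=3823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613810.373:517): cwd="/"
type=PATH msg=audit(1138613810.373:517): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613810.373:519): avc: denied { getattr } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613810.373:519): arch=40000003 syscall=195 success=no exit=-13 a0=bfcf32d4 a1=bfcf21ac a2=3e6ff4 a3=bfcf21ac items=1 pid=3823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613810.373:519): path="/home"
type=USER_AUTH msg=audit(1138613853.687:520): user pid=2762 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Success)'
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for (?P<fields>.*)")
KV_RE = re.compile(r"(\w+)=(?:\"([^\"]*)\"|'([^']*)'|(\S+))")

# i386 syscall numbers seen in the thread (arch=40000003 is AUDIT_ARCH_I386); extend as needed.
I386_SYSCALLS = {195: "stat64"}


def parse_fields(s):
    """key=value pairs; values may be bare, "double-quoted" or 'single-quoted'."""
    return {k: dq or sq or bare for k, dq, sq, bare in KV_RE.findall(s)}


def parse_records(text):
    """One dict per audit record: type, ts, serial, perms (AVC only) and the key=value fields."""
    out = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
        body = m["body"]
        if rec["type"] == "AVC":
            a = AVC_RE.search(body)
            if not a:
                continue
            rec["perms"] = set(a["perms"].split())
            body = a["fields"]
        rec.update(parse_fields(body))
        out.append(rec)
    return out


def summarize_denials(records):
    """(source type, target type, object class) -> set of denied permissions."""
    summary = defaultdict(set)
    for r in records:
        if r["type"] == "AVC":
            src, tgt = r["scontext"].split(":")[2], r["tcontext"].split(":")[2]
            summary[(src, tgt, r["tclass"])] |= r["perms"]
    return dict(summary)


def te_rules(summary):
    """The allow rules audit2allow would print for these denials (review before loading)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(summary.items())]


def explain_events(records):
    """Join each AVC with the SYSCALL/AVC_PATH/PATH records of the same serial."""
    events = defaultdict(list)
    for r in records:
        events[r["serial"]].append(r)
    rows = []
    for serial, recs in sorted(events.items()):
        by_type = {r["type"]: r for r in recs}
        avc = by_type.get("AVC")
        if not avc:
            continue                      # e.g. the USER_AUTH event: no denial to explain
        sc = by_type.get("SYSCALL", {})
        nr = int(sc.get("syscall", -1))
        name = I386_SYSCALLS.get(nr, f"syscall#{nr}") if sc.get("arch") == "40000003" else f"syscall#{nr}"
        err = -int(sc["exit"]) if "exit" in sc else None      # exit=-13 -> errno 13
        path = by_type.get("AVC_PATH", {}).get("path") or by_type.get("PATH", {}).get("name")
        rows.append({"serial": serial, "comm": avc.get("comm"), "denied": sorted(avc["perms"]),
                     "target": avc["tcontext"].split(":")[2], "syscall": name,
                     "errno": errno.errorcode.get(err, str(err)) if err else None, "path": path})
    return rows


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT_LOG)
    for row in explain_events(recs):
        print(f"{row['serial']}: {row['comm']} denied {row['denied']} on {row['target']} "
              f"({row['path']}) -> {row['syscall']} failed with {row['errno']}")
    for rule in te_rules(summarize_denials(recs)):
        print(rule)
```

The explain_events output is the link between the two logs in the thread: each denied stat64 returned EACCES, and cups-pdf's subsequent mkdir() on the existing /home is what produced the errno 17. The te_rules output is only a starting point for triage: a blanket `allow cupsd_t home_root_t:dir { getattr search };` lets the whole cupsd_t domain walk /home, so check first whether a policy boolean, a relabel of the output directory, or an updated distribution policy addresses the denial with less privilege.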
Regards
-------- Original Message -------- Subject: Problem with SELinux CONFIRMED Date: Mon, 30 Jan 2006 10:50:02 +0100 From: Samuel Díaz García samueld@sescam.jccm.es Reply-To: samueldg@arcoscom.com Organization: Servicio de Salud de Castilla - La Mancha To: Volker Christian Behr vrbehr@cip.physik.uni-wuerzburg.de CC: Remi Collet Remi@famillecollet.com References: 43D812D7.8030700@arcoscom.com 43D8750A.3020909@FamilleCollet.com 43D8906A.5050001@sescam.jccm.es 1138279161.29064.4.camel@merlin.physik.uni-wuerzburg.de 43D9F161.7090207@sescam.jccm.es 1138361808.15755.12.camel@merlin.physik.uni-wuerzburg.de 43DA5112.5080708@FamilleCollet.com 1138549747.2345.12.camel@taliesin.localnet
Volker, I confirm to you the problem. With SELinux enabled, we can reproduce the fail (cups-pdf.log):
Mon Jan 30 10:36:50 2006 [DEBUG] initialization finished (v2.0.4) Mon Jan 30 10:36:50 2006 [DEBUG] user identified (samueldg) Mon Jan 30 10:36:50 2006 [DEBUG] output directory name generated (/home/samueldg) Mon Jan 30 10:36:50 2006 [ERROR] failed to create directory (/home) Mon Jan 30 10:36:50 2006 [DEBUG] ERRNO: 17 Mon Jan 30 10:36:50 2006 [ERROR] failed to create user output directory (/home/samueldg) Mon Jan 30 10:36:50 2006 [DEBUG] ERRNO: 17 Mon Jan 30 10:37:34 2006 [DEBUG] switching to new gid (root) Mon Jan 30 10:37:34 2006 [DEBUG] initialization finished (v2.0.4) Mon Jan 30 10:37:34 2006 [DEBUG] user identified (samueldg) Mon Jan 30 10:37:34 2006 [DEBUG] output directory name generated (/home/samueldg) Mon Jan 30 10:37:34 2006 [ERROR] failed to create directory (/home) Mon Jan 30 10:37:34 2006 [DEBUG] ERRNO: 17 Mon Jan 30 10:37:34 2006 [ERROR] failed to create user output directory (/home/samueldg) Mon Jan 30 10:37:34 2006 [DEBUG] ERRNO: 17 Mon Jan 30 10:37:39 2006 [DEBUG] switching to new gid (root) Mon Jan 30 10:37:39 2006 [DEBUG] initialization finished (v2.0.4) Mon Jan 30 10:37:39 2006 [DEBUG] user identified (samueldg) Mon Jan 30 10:37:39 2006 [DEBUG] output directory name generated (/home/samueldg) Mon Jan 30 10:37:39 2006 [ERROR] failed to create directory (/home) Mon Jan 30 10:37:39 2006 [DEBUG] ERRNO: 17 Mon Jan 30 10:37:39 2006 [ERROR] failed to create user output directory (/home/samueldg) Mon Jan 30 10:37:39 2006 [DEBUG] ERRNO: 17
In audit.log : type=AVC msg=audit(1138613810.373:517): avc: denied { search } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613810.373:517): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfcf42cc a2=3e6ff4 a3=bfcf42cc items=1 pid=3823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf" type=CWD msg=audit(1138613810.373:517): cwd="/" type=PATH msg=audit(1138613810.373:517): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1138613810.373:518): avc: denied { search } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613810.373:518): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfcf323c a2=3e6ff4 a3=bfcf323c items=1 pid=3823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf" type=CWD msg=audit(1138613810.373:518): cwd="/" type=PATH msg=audit(1138613810.373:518): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1138613810.373:519): avc: denied { getattr } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613810.373:519): arch=40000003 syscall=195 success=no exit=-13 a0=bfcf32d4 a1=bfcf21ac a2=3e6ff4 a3=bfcf21ac items=1 pid=3823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf" type=AVC_PATH msg=audit(1138613810.373:519): path="/home" type=CWD msg=audit(1138613810.373:519): cwd="/" type=PATH msg=audit(1138613810.373:519): 
item=0 name="/home" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 type=USER_AUTH msg=audit(1138613853.687:520): user pid=2762 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Success)' type=USER_ACCT msg=audit(1138613853.691:521): user pid=2762 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Success)' type=AVC msg=audit(1138613854.011:522): avc: denied { search } for pid=3833 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613854.011:522): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfc6aeec a2=3e6ff4 a3=bfc6aeec items=1 pid=3833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf" type=CWD msg=audit(1138613854.011:522): cwd="/" type=PATH msg=audit(1138613854.011:522): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1138613854.011:523): avc: denied { search } for pid=3833 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613854.011:523): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfc69e5c a2=3e6ff4 a3=bfc69e5c items=1 pid=3833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf" type=CWD msg=audit(1138613854.011:523): cwd="/" type=PATH msg=audit(1138613854.011:523): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00 type=AVC msg=audit(1138613854.011:524): avc: denied { getattr } for pid=3833 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t 
tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613854.011:524): arch=40000003 syscall=195 success=no exit=-13 a0=bfc69ef4 a1=bfc68dcc a2=3e6ff4 a3=bfc68dcc items=1 pid=3833 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613854.011:524): path="/home"
type=CWD msg=audit(1138613854.011:524): cwd="/"
type=PATH msg=audit(1138613854.011:524): item=0 name="/home" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1138613859.448:525): user pid=2762 uid=0 auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Success)'
type=USER_ACCT msg=audit(1138613859.456:526): user pid=2762 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Success)'
type=AVC msg=audit(1138613859.624:527): avc: denied { search } for pid=3842 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613859.624:527): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfee620c a2=3e6ff4 a3=bfee620c items=1 pid=3842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613859.624:527): cwd="/"
type=PATH msg=audit(1138613859.624:527): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613859.624:528): avc: denied { search } for pid=3842 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613859.624:528): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfee517c a2=3e6ff4 a3=bfee517c items=1 pid=3842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613859.624:528): cwd="/"
type=PATH msg=audit(1138613859.624:528): item=0 name="/home/samueldg" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613859.624:529): avc: denied { getattr } for pid=3842 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613859.624:529): arch=40000003 syscall=195 success=no exit=-13 a0=bfee5214 a1=bfee40ec a2=3e6ff4 a3=bfee40ec items=1 pid=3842 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613859.624:529): path="/home"
type=CWD msg=audit(1138613859.624:529): cwd="/"
type=PATH msg=audit(1138613859.624:529): item=0 name="/home" flags=1 inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
I'll try to find more info about SELinux, but it appears that cups-pdf fails at 2 points:
- SELinux doesn't allow cups-pdf to browse directories.
- SELinux doesn't allow cups-pdf to get attribute info from files.
I'll google a bit to find more info about solving this problem and tell you (perhaps a mini-FAQ about cups-pdf and SELinux would be useful for some users).
I don't think the problem is (with 2.0.4 at least) with cups-pdf, but I think that a little reference on the web page about configuring it with SELinux would be a good idea.
As I said, I'll try to find more information on the www.
Regards and many thanks for your support (Volker and Remi).
Volker Christian Behr wrote:
Hi Samuel and Remi!
On Fri, 2006-01-27 at 17:57, Remi Collet wrote:
Volker Christian Behr wrote:
By now I am pretty sure this has to do with SELinux since this issue appears only on FC4 platforms.
Yes, and I've already asked Samuel to try with SELinux disabled (and with the latest FC4 updates). One other user of my RPM has encountered the same error (but I've not kept the email).
This would be the most interesting result: does CUPS-PDF work if SELinux is disabled - especially, does the directory creation work?
if (stat(dirname, &fstatus) || !S_ISDIR(fstatus.st_mode)) {
The above line tests whether the given directory name is a dir: !S_ISDIR(fstatus.st_mode). If the directory exists this loop should never be entered....
Yes. But I think that you need read access on the parent dir to use stat. So it could be useful to verify the errno 17.
This is possible since I do not have any testing platforms with SELinux available. Remi, do you have SELinux enabled?
I checked on my system and since directory creation is done with full root privileges I always have read access on all (local) directories. So - again - I think this is SELinux blocking some functionality.
Thank you, Samuel, for the offer to log onto your system to test there, but since I have never used SELinux before I think I am going to install FC4 on my computer so I can play around with it a little more to see how to get CUPS-PDF to work smoothly with it (this will take some time).
I am looking forward to the result without SELinux - it would be great if this was the only issue, since then there is just one issue to be solved :-)
Cheers,
Volker
-- Samuel Díaz García Director Gerente ArcosCom Wireless, S.L.L.
CIF: B11828068 c/ Romero Gago, 19 Arcos de la Frontera 11630 - Cadiz
mailto:samueldg@arcoscom.com msn: samueldg@arcoscom.com
Móvil: 651 93 72 48 Tlfn.: 956 70 13 15 Fax: 956 70 34 83
- Rick Stevens, Senior Systems Engineer rstevens@vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- "And on the seventh day, He exited from append mode." -
That is the problem: there were too many issues before I could get it running fine (by disabling SELinux), and I had no knowledge of SELinux administration and tools.
That is why I ask here.
I think using audit2why (as you say, and it is a tool unknown to me) can help me with the "why". I trust you, but ... I think I not only need the "why", I need the "how to solve" that "why" too.
And I lack that knowledge.
Thanks
Rick Stevens wrote:
On Mon, 2006-01-30 at 21:43 +0100, Samuel Díaz García wrote:
Any help/link/forum?
Thanks
Stupid question, but have you fed the audit.log to "audit2why" for an explanation? I did a quickie and it appears you don't have any TE allow rules set up.
Regards
Yes, cups-pdf is a "virtual printer" that prints the output into PDF files. Those PDF files are saved by cups-pdf into the user's home directory.
As you said, I need to allow cups to write into those directories (including /root), or into a $HOME/cups-pdf-docs directory so as to deny cups control over the whole $HOME directory.
If I remember well, cups is launched as the root user (a test I had done some days ago because it was a "cups-pdf" prerequisite - I don't remember now).
How can I solve the issue with home directories?
If anybody knows how to, I would like to solve the problem in this form:
1) Allowing cups to write into home directories or a specific subdirectory in $HOME.
2) Enabling SELinux as restrictively as I can (it is my laptop and I want to learn more about SELinux and application issues).
Thanks
Daniel J Walsh wrote:
OK, what is cups trying to do? Does it want to write to the user's home directory? Cups is usually prevented from touching userspace.
As a start you might try:
# setsebool -P cupsd_disable_trans 1
This would turn off SELinux protection for the cups daemon, whilst leaving you able to have SELinux turned on for everything else.
An alternative that might be worth trying would be to change the context of any directories you want cups to be able to write to, something like:
# chcon -t print_spool_t $HOME/cups-pdf-doc
Not sure if that'll work though.
Paul.
Using your help, I have done this:
audit2why < /var/log/audit/audit.log | audit2allow
With this result:
allow auditd_t var_log_t:file { append getattr };
allow cardmgr_t apmd_t:file { getattr read };
allow cardmgr_t apmd_t:lnk_file read;
allow cardmgr_t crond_t:file { getattr read };
allow cardmgr_t crond_t:lnk_file read;
allow cardmgr_t inetd_t:file { getattr read };
allow cardmgr_t inetd_t:lnk_file read;
allow cardmgr_t init_t:file { getattr read };
allow cardmgr_t init_t:lnk_file read;
allow cardmgr_t initrc_t:file { getattr read };
allow cardmgr_t initrc_t:lnk_file read;
allow cardmgr_t kernel_t:file { getattr read };
allow cardmgr_t kernel_t:lnk_file read;
allow cardmgr_t src_t:dir search;
allow cardmgr_t udev_t:file { getattr read };
allow cardmgr_t udev_t:lnk_file read;
allow cardmgr_t unconfined_t:file { getattr read };
allow cardmgr_t unconfined_t:lnk_file read;
allow cardmgr_t xserver_log_t:dir search;
allow consoletype_t tmp_t:chr_file read;
allow cupsd_config_t unconfined_t:fifo_file write;
allow cupsd_t home_root_t:dir search;
allow cupsd_t urandom_device_t:chr_file ioctl;
allow cupsd_t user_home_dir_t:dir { add_name write };
allow cupsd_t user_home_dir_t:file { create getattr setattr write };
allow cupsd_t var_spool_t:dir { add_name remove_name write };
allow cupsd_t var_spool_t:file { create getattr read setattr unlink write };
allow dhcpc_t tmp_t:chr_file read;
allow fsadm_t dosfs_t:file getattr;
allow getty_t var_log_t:file { lock write };
allow hald_t mnt_t:dir { getattr read };
allow hald_t tty_device_t:chr_file ioctl;
allow hald_t usr_t:file { execute execute_no_trans ioctl };
allow hald_t var_lib_nfs_t:dir search;
allow httpd_t crond_t:fifo_file read;
allow ifconfig_t tmp_t:chr_file read;
allow ifconfig_t unconfined_t:fifo_file { read write };
allow updfstab_t dosfs_t:dir search;
allow updfstab_t dosfs_t:file getattr;
The question now is:
Where do I need to put all this?
Thanks
Daniel J Walsh wrote:
I kind of like that solution. See what avc messages you get and we could maybe add a boolean to allow searching of the users' home dirs for this directory.
Could you attach your audit.log? It looks like you might have a labeling problem. Also, what version of policy are you running? What platform?
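To show what the audit2why/audit2allow step suggested by Rick, and run by Samuel above, actually does with the records posted in this thread, here is an added example. It is not code from the thread, from cups-pdf or from the SELinux tools: it parses AVC denial records, merges them into allow rules per source type, target type and object class (the grouping audit2allow uses), and lets you filter on the source domain so that the generated rules cover only the process under study instead of every denial on the machine, which is what the audit2allow output above contains. The first three records are copied from the posted audit.log (one record per line, as in the real file); the cardmgr_t record is constructed here to show the filtering.

```python
"""Turn AVC denial records from /var/log/audit/audit.log into SELinux allow
rules, grouped the way audit2allow groups them, with an optional filter on
the source domain so only the denials for the process under study are kept.
Added example for this thread; not the code of audit2allow or cups-pdf."""
import re
from collections import defaultdict

# Sample input. The first three records are copied from the audit.log posted
# in the thread; the cardmgr_t record is constructed to show that denials
# from unrelated domains are dropped by the filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1138613810.373:517): avc: denied { search } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613810.373:517): arch=40000003 syscall=195 success=no exit=-13 a0=805ae98 a1=bfcf42cc a2=3e6ff4 a3=bfcf42cc items=1 pid=3823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC msg=audit(1138613810.373:519): avc: denied { getattr } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1138613810.373:530): avc: denied { read } for pid=1234 comm="cardmgr" name="status" dev=sda4 ino=42 scontext=system_u:system_r:cardmgr_t tcontext=system_u:system_r:apmd_t tclass=file
"""

# Only AVC records carry a denial; SYSCALL, PATH and CWD records are skipped.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Return one (source_type, target_type, tclass, perms) tuple per AVC record."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        denials.append((type_of(m.group("scontext")),
                        type_of(m.group("tcontext")),
                        m.group("tclass"),
                        frozenset(m.group("perms").split())))
    return denials


def format_perms(perms):
    """Render a permission set in policy syntax: one bare word or a { } set."""
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def allow_rules(denials, source_type=None):
    """Merge denials into allow rules keyed on (source, target, class).

    With source_type set, denials from every other domain are dropped, so the
    resulting rules cover only the process being debugged."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in denials:
        if source_type is not None and src != source_type:
            continue
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {format_perms(perms)};"
            for (src, tgt, cls), perms in sorted(merged.items())]


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT_LOG)
    print("# every domain, as a plain audit2allow run over the whole log reports:")
    print("\n".join(allow_rules(denials)))
    print("# cupsd_t only:")
    print("\n".join(allow_rules(denials, source_type="cupsd_t")))
```

Run on the whole log this reproduces the mixed bag seen above (rules for cardmgr_t and friends next to the cupsd_t ones); run with source_type="cupsd_t" it yields only the rule for the denial the thread is about, search and getattr on home_root_t directories from the cupsd_t domain. Loading the unfiltered set into policy would widen far more than the cups-pdf backend needs, so filter by domain (or by the comm/exe fields) before turning denials into rules.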
Did you receive the e-mail with all the explanations and the attached .tar.gz file with the required log?
Thanks