/usr/share - self inflicted issue

Craig White craigwhite at azapple.com
Thu Jan 26 15:46:03 UTC 2006


On Thu, 2006-01-26 at 10:34 -0500, Stephen Smalley wrote:
> On Thu, 2006-01-26 at 08:23 -0700, Craig White wrote:
> > On Thu, 2006-01-26 at 10:14 -0500, Stephen Smalley wrote:
> > > On Thu, 2006-01-26 at 10:12 -0500, Stephen Smalley wrote:
> > > > One obvious possibility is that the cups policy might not allow access
> > > > to search /home, thereby preventing it from reaching /home/share
> > > > and /home/share/cups.  So you would have to add a local.te file that
> > > > allows such access.
> > > 
> > > If the above isn't clear, see the EXAMPLE section of the man page for
> > > audit2allow.
> > ----
> > on RHEL - I was able to install selinux-targeted-policy-sources and that
> > gave me the resources to create the local.te file.
> > 
> > on FC-4, I execute 'yum install selinux-targeted-policy-sources' and it
> > can't find it. What is the package called in FC-4?
> 
> That's selinux-policy-targeted-sources.  Should be the same on RHEL.
> 
> As a heads up, the policy*sources packages go away in FC5; the new
> modular policy support eliminates the need for base policy sources to
> perform local additions, so policy sources are only in the .src.rpm in
> FC5.
----
Arrgh

E [26/Jan/2006:08:40:36 -0700] LoadPPDs: Unable to open PPD directory
"/usr/share/cups/model": Permission denied

this is after...

cd /etc/selinux/targeted/src/policy
/usr/bin/audit2allow -i < /var/log/audit/audit.log \
>> domains/misc/local.te

which resulted in this...
# cat domains/misc/local.te
# Local customization of existing policy should be done in this file.
# If you are creating brand new policy for a new "target" domain, you
# need to create a type enforcement (.te) file in domains/program
# and a file context (.fc) file in file_context/program.

allow canna_t usr_t:lnk_file read;
allow cupsd_config_t unconfined_t:fifo_file write;
allow cupsd_config_t user_home_t:file read;
allow cupsd_config_t usr_t:lnk_file read;
allow cupsd_t home_root_t:dir search;
allow hald_t usr_t:lnk_file read;
allow restorecon_t usr_t:lnk_file read;
allow unlabeled_t fs_t:filesystem associate;

and then...
# make reload
# fixfiles -R cups restore
# service cups restart

;-(

Craig
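
An added example, not part of the original message: one way to check which AVC denials a local.te still leaves uncovered after a reload. The AVC records are constructed samples, the function names are hypothetical, and the check is an exact match against the listed allow rules only (it knows nothing about the base policy or type attributes).

```python
import re
from collections import defaultdict

# Constructed AVC records (not from the original message).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1138290036.101:201): avc:  denied  { search } for  pid=2301 comm="cupsd" name="home" dev=dm-0 ino=2 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1138290036.102:202): avc:  denied  { read } for  pid=2301 comm="cupsd" name="share" dev=dm-0 ino=77 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=lnk_file
type=AVC msg=audit(1138290036.103:203): avc:  denied  { search getattr } for  pid=2301 comm="cupsd" name="share" dev=dm-0 ino=91 scontext=root:system_r:cupsd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
"""

# The allow rules quoted in the message's local.te.
LOCAL_TE = """\
allow canna_t usr_t:lnk_file read;
allow cupsd_config_t unconfined_t:fifo_file write;
allow cupsd_config_t user_home_t:file read;
allow cupsd_config_t usr_t:lnk_file read;
allow cupsd_t home_root_t:dir search;
allow hald_t usr_t:lnk_file read;
allow restorecon_t usr_t:lnk_file read;
allow unlabeled_t fs_t:filesystem associate;
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)

def allowed(te_text):
    """Map (source type, target type, class) -> permissions granted in te_text."""
    rules = defaultdict(set)
    for src, tgt, cls, many, one in ALLOW_RE.findall(te_text):
        rules[(src, tgt, cls)].update((many or one).split())
    return rules

def denied(audit_text):
    """Same mapping, built from 'avc: denied' records."""
    seen = defaultdict(set)
    for perms, sctx, tctx, cls in AVC_RE.findall(audit_text):
        # The type is the third field of user:role:type[:level].
        seen[(sctx.split(":")[2], tctx.split(":")[2], cls)].update(perms.split())
    return seen

def uncovered(audit_text, te_text):
    """Allow rules still needed for denials that te_text does not cover."""
    have, out = allowed(te_text), []
    for key, perms in sorted(denied(audit_text).items()):
        missing = sorted(perms - have.get(key, set()))
        if missing:
            p = missing[0] if len(missing) == 1 else "{ " + " ".join(missing) + " }"
            out.append("allow %s %s:%s %s;" % (key[0], key[1], key[2], p))
    return out

if __name__ == "__main__":
    print("\n".join(uncovered(SAMPLE_AUDIT, LOCAL_TE)))
```

Run against only the records logged after the reload; an empty result means every denial in that window matches a rule already in local.te, so the remaining failure lies elsewhere (for example in file labels).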



