/usr/share - self inflicted issue
Stephen Smalley
sds at tycho.nsa.gov
Thu Jan 26 16:12:07 UTC 2006
On Thu, 2006-01-26 at 08:46 -0700, Craig White wrote:
> E [26/Jan/2006:08:40:36 -0700] LoadPPDs: Unable to open PPD directory
> "/usr/share/cups/model": Permission denied
>
> this is after...
>
> cd /etc/selinux/targeted/src/policy
> /usr/bin/audit2allow -i < /var/log/audit/audit.log \
> >> domains/misc/local.te
>
> which resulted in this...
> # cat domains/misc/local.te
> # Local customization of existing policy should be done in this file.
> # If you are creating brand new policy for a new "target" domain, you
> # need to create a type enforcement (.te) file in domains/program
> # and a file context (.fc) file in file_context/program.
>
> allow canna_t usr_t:lnk_file read;
> allow cupsd_config_t unconfined_t:fifo_file write;
> allow cupsd_config_t user_home_t:file read;
> allow cupsd_config_t usr_t:lnk_file read;
> allow cupsd_t home_root_t:dir search;
> allow hald_t usr_t:lnk_file read;
> allow restorecon_t usr_t:lnk_file read;
> allow unlabeled_t fs_t:filesystem associate;
That last one is particularly suspect; what audit message contained
unlabeled_t?
> and then...
> # make reload
> # fixfiles -R cups restore
That shouldn't have been necessary, as you didn't change the
file_contexts again. Only need to relabel upon changing file_contexts,
not policy changes.
> # service cups restart
Check those audit messages again for anything new. It may be that it
got further but ran into another denial later on.
--
Stephen Smalley
National Security Agency
More information about the selinux
mailing list