OK, so I set up CentOS 5 on a laptop to learn about Xen stuff. KDE desktop; wanted to print the virt.108.com Xen howto. Needed to set up a printer first. Open KDE Control Center, go to printers. Hear an error sound; the message says
"Unable to retrieve the printer list.... Connection to CUPS server failed. ..."
So I check to see that cups is running (it is). I check /var/log/messages and see:
Apr 19 15:19:52 fox setroubleshoot: SELinux is preventing /usr/sbin/cupsd (cupsd_t) "read write" access to socket:[15083] (rpm_var_lib_t). For complete SELinux messages. run sealert -l 23689411-4e18-4009-b105-779c58b0503f
So, I run sealert (as indicated) and see the message about cups (see below for output)
I checked in /usr/share/docs/selinux-policy-2.4.6/html and find no references (using grep) for "cupsd_disable_trans". I google on "cupsd_disable_trans" and find no references either.
How do I find out what this boolean object is or does? Is there a description of it somewhere? Is it dangerous to just run the command that sealert tells me to run?
[root@fox log]# sealert -l 23689411-4e18-4009-b105-779c58b0503f

Summary
SELinux is preventing /usr/sbin/cupsd (cupsd_t) "read write" access to socket:[15083] (rpm_var_lib_t).

Detailed Description
SELinux denied access requested by /usr/sbin/cupsd. It is not expected that this access is required by /usr/sbin/cupsd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for socket:[15083], restorecon -v socket:[15083]. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "cupsd_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P cupsd_disable_trans=1."

The following command will allow this access: setsebool -P cupsd_disable_trans=1

Additional Information
Source Context: system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context: system_u:object_r:rpm_var_lib_t
Target Objects: socket:[15083] [ file ]
Affected RPM Packages: cups-1.2.4-11.5.1.el5 [application]
Policy RPM: selinux-policy-2.4.6-30.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.disable_trans
Host Name: fox
Platform: Linux fox 2.6.18-8.el5xen #1 SMP Thu Mar 15 21:02:53 EDT 2007 i686 i686
Alert Count: 1
Line Numbers:
Raw Audit Messages
avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000" path="socket:[15083]" pid=5515 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0
I checked in /usr/share/docs/selinux-policy-2.4.6/html and find no references (using grep) for "cupsd_disable_trans"
How do I find out what this boolean object is or does? Is there a description of it somewhere?
I think setting <anything>_disable_trans to on/true/1 means you're disabling SELinux for that daemon. Somebody please correct me if I'm wrong on this.
On Fri, 20 Apr 2007, Dianne Yumul wrote:
I checked in /usr/share/docs/selinux-policy-2.4.6/html and find no references (using grep) for "cupsd_disable_trans"
How do I find out what this boolean object is or does? Is there a description of it somewhere?
I think setting <anything>_disable_trans to on/true/1 means you're disabling SELinux for that daemon. Somebody please correct me if I'm wrong on this.
Correct. Although there are some side effects. E.g., if syslogd_disable_trans=true, then /dev/log is created as device_t and not dev_log_t as the syslogd daemon did not transition correctly (and that causes all sorts of downstream problems with daemons allowed to access dev_log_t, but not device_t).
Steve Friedman
On 2007-04-20, Ben Russo ben@muppethouse.com wrote:
I checked in /usr/share/docs/selinux-policy-2.4.6/html and find no references (using grep) for "cupsd_disable_trans". I google on "cupsd_disable_trans" and find no references either.
All the *_disable_trans booleans mean that the service will not transition from the SELinux unconfined domain to a restricted SELinux domain (in cups's case cupsd_t). So your system will not be protected from this service if you set *_disable_trans.
How do I find out what this boolean object is or does? Is there a description of it somewhere? Is it dangerous to just run the command that sealert tells me to run?
I find that the advice sealert gives is quite often bad advice. It will fix your problem, but you should really evaluate whether you're not opening up too much by following the advice. Here sealert is suggesting turning off SELinux protection of cups.
avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000" path="socket:[15083]" pid=5515 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0
This seems very strange. All the labels above seem correct to me, but why would cupsd need to access (/var/lib/rpm/) "__db.000"??
-jf
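An added example, not code from anyone in this thread: a small Python parser for the raw AVC line quoted above. It pulls out the source type, target type, object class and permissions, builds the narrowest allow rule a local policy module would need for exactly this denial, and flags a *_disable_trans boolean as removing confinement for the whole domain rather than granting that one access. The AVC text is re-typed from the thread as constructed sample input; the function names are my own.

```python
import re

# Constructed sample input: the raw AVC line quoted in the thread, re-typed here.
SAMPLE_AVC = (
    'avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0 '
    'exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000" '
    'path="socket:[15083]" pid=5515 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
    'sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file '
    'tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0'
)

_PERMS = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions plus the key=value fields of one AVC line."""
    m = _PERMS.search(line)
    if m is None:
        raise ValueError("not an AVC denial line")
    avc = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    # sealert prints "{ read, write }", the kernel prints "{ read write }"; accept both.
    avc["perms"] = [p for p in re.split(r"[\s,]+", m.group(1)) if p]
    # A context is user:role:type[:range]; the type is the third field.
    avc["stype"] = avc["scontext"].split(":")[2]
    avc["ttype"] = avc["tcontext"].split(":")[2]
    return avc


def minimal_allow_rule(avc):
    """The narrowest TE rule that permits exactly this denial: what a local
    policy module built from the AVC (the option sealert also mentions) contains."""
    perms = " ".join(sorted(avc["perms"]))
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {{ {perms} }};"


def assess_boolean(boolean, avc):
    """Say what a sealert-suggested boolean actually changes for this denial."""
    if boolean.endswith("_disable_trans"):
        return (f"{boolean}: stops the transition into {avc['stype']}, so the "
                f"daemon runs without confinement; far wider than "
                f"{minimal_allow_rule(avc)}")
    return f"{boolean}: a scoped boolean; check its description before enabling"


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    print(minimal_allow_rule(parsed))
    print(assess_boolean("cupsd_disable_trans", parsed))
```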