[CentOS] Learning SELINUX management, help?

Ben Russo

ben at muppethouse.com
Fri Apr 20 17:08:56 UTC 2007


OK, so I set up CentOS-5 on a laptop to learn about Xen stuff.
KDE Desktop, wanted to print the virt.108.com xen howto.
Needed to set up the printer first.
Open KDE control center, go to printers.
Hear error sound, message says

    "Unable to retrieve the printer list....
     Connection to CUPS server failed. ..."

So I check to see that cups is running (it is).
I check /var/log/messages and see:

Apr 19 15:19:52 fox setroubleshoot: SELinux is preventing /usr/sbin/cupsd (cupsd_t) "read write" access to socket:[15083] (rpm_var_lib_t). For complete SELinux messages. run sealert -l 23689411-4e18-4009-b105-779c58b0503f


So, I run sealert (as indicated) and see the message about cups
(see below for output)

I checked in /usr/share/docs/selinux-policy-2.4.6/html
and find no references (using grep) for "cupsd_disable_trans".
I google on "cupsd_disable_trans" and find no references either.

How do I find out what this boolean object is or does?
Is there a description of it somewhere?
Is it dangerous to just run the command that sealert tells me to run?




[root at fox log]# sealert -l 23689411-4e18-4009-b105-779c58b0503f
Summary
     SELinux is preventing /usr/sbin/cupsd (cupsd_t) "read write" access to
     socket:[15083] (rpm_var_lib_t).

Detailed Description
     SELinux denied access requested by /usr/sbin/cupsd. It is not expected that
     this access is required by /usr/sbin/cupsd and this access may signal an
     intrusion attempt. It is also possible that the specific version or
     configuration of the application is causing it to require additional access.
     Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
     package.

Allowing Access
     Sometimes labeling problems can cause SELinux denials.  You could try to
     restore the default system file context for socket:[15083], restorecon -v
     socket:[15083]. There is currently no automatic way to allow this access.
     Instead, you can generate a local policy module to allow this access - see
     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
     disable SELinux protection entirely for the application. Disabling SELinux
     protection is not recommended. Please file a
     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
     Changing the "cupsd_disable_trans" boolean to true will disable SELinux
     protection this application: "setsebool -P cupsd_disable_trans=1."

     The following command will allow this access:
     setsebool -P cupsd_disable_trans=1

Additional Information

Source Context                system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context                system_u:object_r:rpm_var_lib_t
Target Objects                socket:[15083] [ file ]
Affected RPM Packages         cups-1.2.4-11.5.1.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     fox
Platform                      Linux fox 2.6.18-8.el5xen #1 SMP Thu Mar 15
                               21:02:53 EDT 2007 i686 i686
Alert Count                   1
Line Numbers

Raw Audit Messages

avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000"
path="socket:[15083]" pid=5515 
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0




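Added example, not from the original post and not CentOS or setroubleshoot code: a small POSIX shell helper that splits the raw AVC line quoted above into its fields, so a denial can be read as "source type, target type, object class, permissions" before deciding whether to touch a boolean. The function names, and the single-line sample assembled from the post's audit message, are this example's own; the `getsebool` and `semanage boolean -l` calls are real policycoreutils commands and only run when the tools are installed.

```sh
#!/bin/sh
# Added example (not from the original post). Parse an SELinux AVC denial
# line into the pieces that matter when deciding how to respond to it.

# Sample input: the audit message quoted in the post, joined onto one line.
AVC_SAMPLE='avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0 exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000" path="socket:[15083]" pid=5515 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0'

# avc_field LINE KEY: value of the KEY=value token (quotes stripped), empty if absent.
# Tokens are split on spaces; AVC values never contain spaces, so this is safe.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms LINE: the permissions listed inside "{ ... }", comma-separated.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | tr -d ' '
}

# avc_type CONTEXT: the type (third colon-separated field) of an SELinux context,
# e.g. system_u:system_r:cupsd_t:s0-s0:c0.c1023 -> cupsd_t.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE: one-line "source_t -> target_t (class): perms" digest.
avc_summary() {
    printf '%s -> %s (%s): %s\n' \
        "$(avc_type "$(avc_field "$1" scontext)")" \
        "$(avc_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")"
}

# boolean_info NAME: current value and policy description of an SELinux boolean.
# Runs only where the policycoreutils tools exist (not on a non-SELinux host).
boolean_info() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool "$1"
    fi
    if command -v semanage >/dev/null 2>&1; then
        semanage boolean -l | grep -w "$1" \
            || echo "no boolean named $1 in the loaded policy"
    fi
}

# Stand-alone run: digest the sample, then look up the boolean the alert named.
avc_summary "$AVC_SAMPLE"
boolean_info cupsd_disable_trans
```

On the post's own denial the digest reads `cupsd_t -> rpm_var_lib_t (file): read,write`: the same facts sealert printed, but in the form you would match against `semanage boolean -l` output or hand to audit2allow. The alert text itself offers two routes: a local policy module scoped to that one access, or `cupsd_disable_trans`, which as the alert says disables SELinux protection for cupsd entirely; the boolean is the much broader of the two.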