/usr/share - self inflicted issue [SOLVED]

Craig White craigwhite at azapple.com
Thu Jan 26 16:19:15 UTC 2006


On Thu, 2006-01-26 at 11:12 -0500, Stephen Smalley wrote:
> On Thu, 2006-01-26 at 08:46 -0700, Craig White wrote:
> > E [26/Jan/2006:08:40:36 -0700] LoadPPDs: Unable to open PPD directory
> > "/usr/share/cups/model": Permission denied
> > 
> > this is after...
> > 
> > cd /etc/selinux/targeted/src/policy
> > /usr/bin/audit2allow -i < /var/log/audit/audit.log \
> > >> domains/misc/local.te
> > 
> > which resulted in this...
> > # cat domains/misc/local.te
> > # Local customization of existing policy should be done in this file.
> > # If you are creating brand new policy for a new "target" domain, you
> > # need to create a type enforcement (.te) file in domains/program
> > # and a file context (.fc) file in file_context/program.
> > 
> > allow canna_t usr_t:lnk_file read;
> > allow cupsd_config_t unconfined_t:fifo_file write;
> > allow cupsd_config_t user_home_t:file read;
> > allow cupsd_config_t usr_t:lnk_file read;
> > allow cupsd_t home_root_t:dir search;
> > allow hald_t usr_t:lnk_file read;
> > allow restorecon_t usr_t:lnk_file read;
> > allow unlabeled_t fs_t:filesystem associate;
> 
> That last one is particularly suspect; what audit message contained
> unlabeled_t?
> 
> > and then...
> > # make reload
> > # fixfiles -R cups restore
> 
> That shouldn't have been necessary, as you didn't change the
> file_contexts again.  Only need to relabel upon changing file_contexts,
> not policy changes.
> 
> > # service cups restart
> 
> Check those audit messages again for anything new.  It may be that it
> got further but ran into another denial later on.
----
you guys are awesome - I think it took both yours and Paul's suggestions
to make it work. I am writing this up in case anyone travels down my
path of self-inflicted wounds.

The symlinked directory seemed to cause the problem - the steps I took
to fix it are:

removed the symlinked directory...
# rm /usr/share

mounted it via the bind method Paul suggested...
# mount --bind /home/share /usr/share

create the contexts for the new location per Stephen's suggestion
# sed -n -e "/\/usr\/share/s/\/usr\/share\//\/home\/share\//p" \
/etc/selinux/targeted/contexts/files/file_contexts \
> /etc/selinux/targeted/contexts/files/file_contexts.local

also (not sure that this was necessary)
# cd /etc/selinux/targeted/src/policy
# /usr/bin/audit2allow -i < /var/log/audit/audit.log \
>> domains/misc/local.te
# make reload

then fix the contexts for the entire tree...
# restorecon -R /usr/share

restart cups daemon
# service cups restart

and I am printing again...Thanks to both of you...you guys are awesome.

Craig
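
An added example, not part of the original thread: the remapping step from the message above (copying the /usr/share entries of file_contexts to the bind-mount source path) as a shell function. It goes beyond the posted sed one-liner by matching the prefix only at the start of the path and also covering an entry for the directory itself; the function name, the sample entries and the `example_t` type are constructed for illustration.

```shell
#!/bin/sh
# Added example: names and sample data are constructed, not from the thread.

# remap_contexts OLD NEW
# Reads file_contexts entries on stdin and prints a copy of each entry whose
# path regex begins with OLD as a whole path component, rewritten to NEW.
remap_contexts() {
    awk -v old="$1" -v new="$2" '
        {
            # Literal prefix test at the start of the path field only;
            # comments and blank lines fail it and are skipped.
            if (index($1, old) != 1) next
            rest = substr($1, length(old) + 1)
            c = substr(rest, 1, 1)
            # OLD must end a component: followed by "/", "(" or nothing,
            # so /usr/sharedlib is not mistaken for /usr/share.
            if (rest != "" && c != "/" && c != "(") next
            $1 = new rest          # remaining fields (file type, context) are kept
            print
        }'
}

# Constructed sample entries (example_t is a placeholder type).
sample_contexts() {
    cat <<'EOF'
# constructed sample, not a real policy file
/usr/share(/.*)?		system_u:object_r:usr_t
/usr/share/cups/model(/.*)?	system_u:object_r:usr_t
/usr/share/fonts(/.*)?	-d	system_u:object_r:example_t
/usr/sharedlib(/.*)?		system_u:object_r:example_t
/opt/app/usr/share/doc(/.*)?	system_u:object_r:example_t
EOF
}

# Prints the three remapped /home/share entries; the last two lines are skipped.
sample_contexts | remap_contexts /usr/share /home/share
```

On a real system the input would be the file_contexts file named in the message, and the output would be reviewed before being written to file_contexts.local.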



