cups-pdf && SELinux problem running

Samuel Díaz García samueldg at arcoscom.com
Mon Jan 30 20:43:52 UTC 2006


Any help/link/forum?

Thanks

Samuel Díaz García wrote:
> Dear guys, I have been working on running cups-pdf and it works with SELinux 
> disabled or relaxed, but ... cups-pdf doesn't work with SELinux "enforced".
> 
> Could anyone who knows the "SELinux" architecture better than me help me 
> with this problem?
> 
> I attach the audit.log later, in the conversation with the cups-pdf developers.
> 
> Could anyone help by saying what I need to configure in SELinux (and how) 
> to allow cupspdf to work with SELinux?
> 
> Regards
> 
> -------- Original Message --------
> Subject: Problem with SELinux CONFIRMED
> Date: Mon, 30 Jan 2006 10:50:02 +0100
> From: Samuel Díaz García <samueld at sescam.jccm.es>
> Reply-To: samueldg at arcoscom.com
> Organization: Servicio de Salud de Castilla - La Mancha
> To: Volker Christian Behr <vrbehr at cip.physik.uni-wuerzburg.de>
> CC: Remi Collet <Remi at famillecollet.com>
> References: <43D812D7.8030700 at arcoscom.com>     
> <43D8750A.3020909 at FamilleCollet.com>  
> <43D8906A.5050001 at sescam.jccm.es>     
> <1138279161.29064.4.camel at merlin.physik.uni-wuerzburg.de>     
> <43D9F161.7090207 at sescam.jccm.es>     
> <1138361808.15755.12.camel at merlin.physik.uni-wuerzburg.de>     
> <43DA5112.5080708 at FamilleCollet.com> 
> <1138549747.2345.12.camel at taliesin.localnet>
> 
> Volker, I confirm the problem to you.
> With SELinux enabled, we can reproduce the failure (cups-pdf.log):
> 
> Mon Jan 30 10:36:50 2006  [DEBUG] initialization finished (v2.0.4)
> Mon Jan 30 10:36:50 2006  [DEBUG] user identified (samueldg)
> Mon Jan 30 10:36:50 2006  [DEBUG] output directory name generated 
> (/home/samueldg)
> Mon Jan 30 10:36:50 2006  [ERROR] failed to create directory (/home)
> Mon Jan 30 10:36:50 2006  [DEBUG] ERRNO: 17
> Mon Jan 30 10:36:50 2006  [ERROR] failed to create user output directory
> (/home/samueldg)
> Mon Jan 30 10:36:50 2006  [DEBUG] ERRNO: 17
> Mon Jan 30 10:37:34 2006  [DEBUG] switching to new gid (root)
> Mon Jan 30 10:37:34 2006  [DEBUG] initialization finished (v2.0.4)
> Mon Jan 30 10:37:34 2006  [DEBUG] user identified (samueldg)
> Mon Jan 30 10:37:34 2006  [DEBUG] output directory name generated 
> (/home/samueldg)
> Mon Jan 30 10:37:34 2006  [ERROR] failed to create directory (/home)
> Mon Jan 30 10:37:34 2006  [DEBUG] ERRNO: 17
> Mon Jan 30 10:37:34 2006  [ERROR] failed to create user output directory
> (/home/samueldg)
> Mon Jan 30 10:37:34 2006  [DEBUG] ERRNO: 17
> Mon Jan 30 10:37:39 2006  [DEBUG] switching to new gid (root)
> Mon Jan 30 10:37:39 2006  [DEBUG] initialization finished (v2.0.4)
> Mon Jan 30 10:37:39 2006  [DEBUG] user identified (samueldg)
> Mon Jan 30 10:37:39 2006  [DEBUG] output directory name generated 
> (/home/samueldg)
> Mon Jan 30 10:37:39 2006  [ERROR] failed to create directory (/home)
> Mon Jan 30 10:37:39 2006  [DEBUG] ERRNO: 17
> Mon Jan 30 10:37:39 2006  [ERROR] failed to create user output directory
> (/home/samueldg)
> Mon Jan 30 10:37:39 2006  [DEBUG] ERRNO: 17
> 
> In audit.log :
> type=AVC msg=audit(1138613810.373:517): avc:  denied  { search } for  
> pid=3823
> comm="cups-pdf" name="home" dev=sda4 ino=5586913
> scontext=system_u:system_r:cupsd_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> type=SYSCALL msg=audit(1138613810.373:517): arch=40000003 syscall=195 
> success=no
> exit=-13 a0=805ae98 a1=bfcf42cc a2=3e6ff4 a3=bfcf42cc items=1 pid=3823
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> type=CWD msg=audit(1138613810.373:517):  cwd="/"
> type=PATH msg=audit(1138613810.373:517): item=0 name="/home/samueldg" 
> flags=1
> inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1138613810.373:518): avc:  denied  { search } for  
> pid=3823
> comm="cups-pdf" name="home" dev=sda4 ino=5586913
> scontext=system_u:system_r:cupsd_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> type=SYSCALL msg=audit(1138613810.373:518): arch=40000003 syscall=195 
> success=no
> exit=-13 a0=805ae98 a1=bfcf323c a2=3e6ff4 a3=bfcf323c items=1 pid=3823
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> type=CWD msg=audit(1138613810.373:518):  cwd="/"
> type=PATH msg=audit(1138613810.373:518): item=0 name="/home/samueldg" 
> flags=1
> inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1138613810.373:519): avc:  denied  { getattr } for  
> pid=3823
> comm="cups-pdf" name="home" dev=sda4 ino=5586913
> scontext=system_u:system_r:cupsd_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> type=SYSCALL msg=audit(1138613810.373:519): arch=40000003 syscall=195 
> success=no
> exit=-13 a0=bfcf32d4 a1=bfcf21ac a2=3e6ff4 a3=bfcf21ac items=1 pid=3823
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> type=AVC_PATH msg=audit(1138613810.373:519):  path="/home"
> type=CWD msg=audit(1138613810.373:519):  cwd="/"
> type=PATH msg=audit(1138613810.373:519): item=0 name="/home" flags=1
> inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=USER_AUTH msg=audit(1138613853.687:520): user pid=2762 uid=0
> auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd"
> (hostname=?, addr=?, terminal=? result=Success)'
> type=USER_ACCT msg=audit(1138613853.691:521): user pid=2762 uid=0
> auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd"
> (hostname=?, addr=?, terminal=? result=Success)'
> type=AVC msg=audit(1138613854.011:522): avc:  denied  { search } for  
> pid=3833
> comm="cups-pdf" name="home" dev=sda4 ino=5586913
> scontext=system_u:system_r:cupsd_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> type=SYSCALL msg=audit(1138613854.011:522): arch=40000003 syscall=195 
> success=no
> exit=-13 a0=805ae98 a1=bfc6aeec a2=3e6ff4 a3=bfc6aeec items=1 pid=3833
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> type=CWD msg=audit(1138613854.011:522):  cwd="/"
> type=PATH msg=audit(1138613854.011:522): item=0 name="/home/samueldg" 
> flags=1
> inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1138613854.011:523): avc:  denied  { search } for  
> pid=3833
> comm="cups-pdf" name="home" dev=sda4 ino=5586913
> scontext=system_u:system_r:cupsd_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> type=SYSCALL msg=audit(1138613854.011:523): arch=40000003 syscall=195 
> success=no
> exit=-13 a0=805ae98 a1=bfc69e5c a2=3e6ff4 a3=bfc69e5c items=1 pid=3833
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> type=CWD msg=audit(1138613854.011:523):  cwd="/"
> type=PATH msg=audit(1138613854.011:523): item=0 name="/home/samueldg" 
> flags=1
> inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1138613854.011:524): avc:  denied  { getattr } for  
> pid=3833
> comm="cups-pdf" name="home" dev=sda4 ino=5586913
> scontext=system_u:system_r:cupsd_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> type=SYSCALL msg=audit(1138613854.011:524): arch=40000003 syscall=195 
> success=no
> exit=-13 a0=bfc69ef4 a1=bfc68dcc a2=3e6ff4 a3=bfc68dcc items=1 pid=3833
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> type=AVC_PATH msg=audit(1138613854.011:524):  path="/home"
> type=CWD msg=audit(1138613854.011:524):  cwd="/"
> type=PATH msg=audit(1138613854.011:524): item=0 name="/home" flags=1
> inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=USER_AUTH msg=audit(1138613859.448:525): user pid=2762 uid=0
> auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd"
> (hostname=?, addr=?, terminal=? result=Success)'
> type=USER_ACCT msg=audit(1138613859.456:526): user pid=2762 uid=0
> auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd"
> (hostname=?, addr=?, terminal=? result=Success)'
> type=AVC msg=audit(1138613859.624:527): avc:  denied  { search } for  
> pid=3842
> comm="cups-pdf" name="home" dev=sda4 ino=5586913
> scontext=system_u:system_r:cupsd_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> type=SYSCALL msg=audit(1138613859.624:527): arch=40000003 syscall=195 
> success=no
> exit=-13 a0=805ae98 a1=bfee620c a2=3e6ff4 a3=bfee620c items=1 pid=3842
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> type=CWD msg=audit(1138613859.624:527):  cwd="/"
> type=PATH msg=audit(1138613859.624:527): item=0 name="/home/samueldg" 
> flags=1
> inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1138613859.624:528): avc:  denied  { search } for  
> pid=3842
> comm="cups-pdf" name="home" dev=sda4 ino=5586913
> scontext=system_u:system_r:cupsd_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> type=SYSCALL msg=audit(1138613859.624:528): arch=40000003 syscall=195 
> success=no
> exit=-13 a0=805ae98 a1=bfee517c a2=3e6ff4 a3=bfee517c items=1 pid=3842
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> type=CWD msg=audit(1138613859.624:528):  cwd="/"
> type=PATH msg=audit(1138613859.624:528): item=0 name="/home/samueldg" 
> flags=1
> inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> type=AVC msg=audit(1138613859.624:529): avc:  denied  { getattr } for  
> pid=3842
> comm="cups-pdf" name="home" dev=sda4 ino=5586913
> scontext=system_u:system_r:cupsd_t 
> tcontext=system_u:object_r:home_root_t tclass=dir
> type=SYSCALL msg=audit(1138613859.624:529): arch=40000003 syscall=195 
> success=no
> exit=-13 a0=bfee5214 a1=bfee40ec a2=3e6ff4 a3=bfee40ec items=1 pid=3842
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> type=AVC_PATH msg=audit(1138613859.624:529):  path="/home"
> type=CWD msg=audit(1138613859.624:529):  cwd="/"
> type=PATH msg=audit(1138613859.624:529): item=0 name="/home" flags=1
> inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> t
> 
> I'll try to find more info about SELinux, but it appears that cups-pdf 
> fails at 2 points:
>    1) SELinux doesn't allow cups-pdf to browse directories.
>    2) SELinux doesn't allow cups-pdf to get attribute info from files.
> 
> I'll google a bit to find more info about solving this problem and tell you
> (perhaps a mini-FAQ about cups-pdf and SELinux would be useful for some 
> users).
> 
> I don't think the problem was (with 2.0.4 at least) with cups-pdf, but I 
> think that a little reference on the web page about configuring it with 
> SELinux would be a good idea.
> 
> As I said, I'll try to find more information on the www.
> 
> Regards and many thanks for your support (Volker and Remi).
> 
> Volker Christian Behr wrote:
>> Hi Samuel and Remi!
>>
>> On Fri, 2006-01-27 at 17:57, Remi Collet wrote:
>>
>>> Volker Christian Behr wrote:
>>>> By now I am pretty sure this has to do with SELinux since this issue
>>>> appears only on FC4-platforms.
>>>>
>>>>  
>>>
>>> Yes, and I've already asked Samuel to try with SELinux disabled (and with
>>> the last FC4 updates).
>>> One other user of my RPM has encountered the same error (but I've not
>>> kept the email)
>>
>>
>> This would be the most interesting result: does CUPS-PDF work if SELinux
>> is disabled - especially does the directory creation work?
>>
>>
>>>>>   if (stat(dirname, &fstatus) || !S_ISDIR(fstatus.st_mode)) {
>>>>>    
>>>>
>>>> The above line tests whether the given directory name is a dir:
>>>> !S_ISDIR(fstatus.st_mode)
>>>> If the directory exists this loop should never be entered....
>>>>  
>>>
>>> Yes. But I think that you need read access on the parent dir to use
>>> stat.
>>> So it could be useful to verify the errno 17
>>>
>>>> This is possible since I do not have any testing platforms with
>>>> SELinux
>>>> available. Remi, do you have SELinux enabled?
>>>>  
>>
>>
>> I checked on my system and since directory creation is done with full
>> root privileges I always have read access on all (local) directories. So
>> - again - I think this is SELinux blocking some functionality.
>>
>> Thanks to you, Samuel, for the offer to log onto your system to test
>> there but since I never used SELinux before I think I am going to
>> install a FC4 on my computer so I can play around with it a little more
>> to see how to get CUPS-PDF to work smoothly with it (this will take some
>> time).
>>
>> I am looking forward to the result without SELinux - it would be great if
>> this was the only issue since then there is just one issue to be solved
>> :-)
>>
>> Cheers,
>>
>> Volker
>>
> 
> 

-- 
    Samuel Díaz García
     Director Gerente
ArcosCom Wireless, S.L.L.

CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz

http://www.arcoscom.com

mailto:samueldg at arcoscom.com
msn: samueldg at arcoscom.com

Móvil: 651 93 72 48
Tlfn.: 956 70 13 15
Fax:   956 70 34 83
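
An added example, not part of the original thread: a small parser for `type=AVC` records in the format quoted in the message above, grouping the denials by source type, target type and object class, which are the terms an SELinux policy rule is written in. The function names are made up for this example; the output is rendered in `allow` rule syntax so the denied access can be reviewed, not as a policy to load unread.

```python
import re
from collections import defaultdict

# Records 517-519 and 521 from the quoted audit.log, with the mail client's
# line wrapping undone so that each record sits on one line again.
SAMPLE = """\
type=AVC msg=audit(1138613810.373:517): avc:  denied  { search } for  pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1138613810.373:518): avc:  denied  { search } for  pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1138613810.373:519): avc:  denied  { getattr } for  pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=USER_ACCT msg=audit(1138613853.691:521): user pid=2762 uid=0 auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd" (hostname=?, addr=?, terminal=? result=Success)'
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    # key=value pairs; values containing spaces are not handled in this sketch
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "").strip('"'),
        # a context is user:role:type[:level]; the type is the third field
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return rules

def as_allow_rules(rules):
    """Render the grouped denials in 'allow' rule syntax for human review."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE))))
```

On a system with the SELinux policy tools installed, `audit2allow` performs this kind of grouping on the real audit log.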



