cups wants to write to /usr/lib/python2.4/.../printconf_tui.pyo, etc

Tom London selinux at gmail.com
Sat Dec 4 18:48:54 UTC 2004


Running strict/enforcing, latest Rawhide.

When logging in, cups, running in cupsd_config_t
wants to write /usr/lib/python/site-packages/printconf_tui.pyo,
and /usr/share/printconf/util/printconf_tui.pyo.
Strict and Permissive AVCs shown below.

Two things:
  1. Didn't these files get moved to /var under an
earlier bugzilla?
  2. Can we add a 'dontaudit' to cups.te for this:
dontaudit cupsd_config_t lib_t:dir write;
dontaudit cupsd_config_t usr_t:dir write;

   tom

Strict avcs:
Dec  4 10:20:41 fedora kernel: audit(1102184441.369:0): avc:  denied 
{ write } for  pid=2844 exe=/usr/bin/python name=util dev=hda2
ino=4309019 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=dir
Dec  4 10:20:41 fedora kernel: audit(1102184441.619:0): avc:  denied 
{ write } for  pid=2844 exe=/usr/bin/python name=site-packages
dev=hda2 ino=4525331 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:lib_t tclass=dir

Permissive avc:
Dec  4 10:35:08 fedora kernel: audit(1102185308.369:0): avc:  denied 
{ write } for  pid=3591 exe=/usr/bin/python name=util dev=hda2
ino=4309019 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=dir
Dec  4 10:35:08 fedora kernel: audit(1102185308.370:0): avc:  denied 
{ remove_name } for  pid=3591 exe=/usr/bin/python
name=printconf_tui.pyo dev=hda2 ino=4309180
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=dir
Dec  4 10:35:08 fedora kernel: audit(1102185308.370:0): avc:  denied 
{ unlink } for  pid=3591 exe=/usr/bin/python name=printconf_tui.pyo
dev=hda2 ino=4309180 scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:printconf_t tclass=file
Dec  4 10:35:08 fedora kernel: audit(1102185308.606:0): avc:  denied 
{ add_name } for  pid=3591 exe=/usr/bin/python name=printconf_tui.pyo
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=dir
Dec  4 10:35:08 fedora kernel: audit(1102185308.606:0): avc:  denied 
{ create } for  pid=3591 exe=/usr/bin/python name=printconf_tui.pyo
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=file
Dec  4 10:35:08 fedora kernel: audit(1102185308.606:0): avc:  denied 
{ write } for  pid=3591 exe=/usr/bin/python
path=/usr/share/printconf/util/printconf_tui.pyo dev=hda2 ino=4309025
scontext=system_u:system_r:cupsd_config_t
tcontext=system_u:object_r:usr_t tclass=file

-- 
Tom London
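
Added example, not part of the original post: a small Python check that reduces the quoted AVC records to (source type, target type, class, permission) tuples and lists those the two proposed dontaudit rules would not match. The function names are hypothetical, the sample is built from the post's records trimmed to the parsed fields, and the rule parser assumes simple rules with one source type, one target type and one class.

```python
import re

# Constructed sample: the denials quoted in the post, trimmed to the fields
# parsed here. The first record is wrapped the way the mail client wrapped it.
SAMPLE = """\
avc:  denied  { write } for  pid=2844 name=util
scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir
avc:  denied  { write } for  pid=2844 name=site-packages scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:lib_t tclass=dir
avc:  denied  { remove_name } for  pid=3591 name=printconf_tui.pyo scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir
avc:  denied  { unlink } for  pid=3591 name=printconf_tui.pyo scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:printconf_t tclass=file
avc:  denied  { add_name } for  pid=3591 name=printconf_tui.pyo scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=dir
avc:  denied  { create } for  pid=3591 name=printconf_tui.pyo scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=file
avc:  denied  { write } for  pid=3591 scontext=system_u:system_r:cupsd_config_t tcontext=system_u:object_r:usr_t tclass=file
"""

# The two rules proposed in the post.
PROPOSED = """dontaudit cupsd_config_t lib_t:dir write;
dontaudit cupsd_config_t usr_t:dir write;"""

# re.S lets one record span several wrapped lines.
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)"
                    r".*?tcontext=(\S+).*?tclass=(\S+)", re.S)
RULE_RE = re.compile(r"dontaudit\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_avcs(text):
    """Return the set of (source type, target type, class, permission)."""
    out = set()
    for perms, sctx, tctx, tclass in AVC_RE.findall(text):
        for perm in perms.split():
            # The type is the third colon-separated field of a context.
            out.add((sctx.split(":")[2], tctx.split(":")[2], tclass, perm))
    return out

def parse_rules(text):
    """Return the same tuple form for each permission a rule names."""
    out = set()
    for src, tgt, cls, braced, single in RULE_RE.findall(text):
        for perm in (braced or single).split():
            out.add((src, tgt, cls, perm))
    return out

def unsilenced(avc_text, rule_text):
    """Denied accesses that no dontaudit rule in rule_text matches."""
    return sorted(parse_avcs(avc_text) - parse_rules(rule_text))

if __name__ == "__main__":
    for src, tgt, cls, perm in unsilenced(SAMPLE, PROPOSED):
        print(f"{src} -> {tgt}:{cls} {perm}")
```

On the post's records this leaves five entries, all from the permissive-mode log, where the denied directory write did not stop the sequence.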



