/usr/share - self inflicted issue

Stephen Smalley sds at tycho.nsa.gov
Thu Jan 26 16:27:26 UTC 2006


On Thu, 2006-01-26 at 11:12 -0500, Stephen Smalley wrote:
> On Thu, 2006-01-26 at 08:46 -0700, Craig White wrote:
> > E [26/Jan/2006:08:40:36 -0700] LoadPPDs: Unable to open PPD directory
> > "/usr/share/cups/model": Permission denied
> > 
> > this is after...
> > 
> > cd /etc/selinux/targeted/src/policy
> > /usr/bin/audit2allow -i < /var/log/audit/audit.log \
> > >> domains/misc/local.te
> > 
> > which resulted in this...
> > # cat domains/misc/local.te
> > # Local customization of existing policy should be done in this file.
> > # If you are creating brand new policy for a new "target" domain, you
> > # need to create a type enforcement (.te) file in domains/program
> > # and a file context (.fc) file in file_context/program.
> > 
> > allow canna_t usr_t:lnk_file read;
> > allow cupsd_config_t unconfined_t:fifo_file write;
> > allow cupsd_config_t user_home_t:file read;
> > allow cupsd_config_t usr_t:lnk_file read;
> > allow cupsd_t home_root_t:dir search;
> > allow hald_t usr_t:lnk_file read;
> > allow restorecon_t usr_t:lnk_file read;
> > allow unlabeled_t fs_t:filesystem associate;
> 
> That last one is particularly suspect; what audit message contained
> unlabeled_t?
> 
> > and then...
> > # make reload
> > # fixfiles -R cups restore
> 
> That shouldn't have been necessary, as you didn't change the
> file_contexts again.  Only need to relabel upon changing file_contexts,
> not policy changes.
> 
> > # service cups restart
> 
> Check those audit messages again for anything new.  It may be that it
> got further but ran into another denial later on.

It is also possible that a denial is not being audited due to a
dontaudit rule in the policy (to silence noisy audit messages that
happen due to unnecessary access attempts by applications and library
functions).  Check to make sure that the policy includes allow rules for
cupsd_t for all of the types on the path to that directory.  You can
also build a policy with _no_ dontaudit rules via make clean enableaudit
load, but this will generate a _lot_ of audit messages, many of which
are not of interest (and then a subsequent make clean load will fix it
back up again).

-- 
Stephen Smalley
National Security Agency




More information about the fedora-selinux-list mailing list