Re: cups-pdf && SELinux problem running


 



Any help/link/forum?

Thanks

Samuel Díaz García wrote:
Dear guys, I have been working on running cups-pdf, and it works with SELinux disabled or relaxed, but ... cups-pdf doesn't work with SELinux "enforced".

Could anyone who knows the "SELinux" architecture better than me help me with this problem?

I attach the audit.log later, in the conversation with the cups-pdf developers.

Could anyone help by saying what I need to configure in SELinux (and how) to allow cups-pdf to work with SELinux?

Regards

-------- Original Message --------
Subject: Problem with SELinux CONFIRMED
Date: Mon, 30 Jan 2006 10:50:02 +0100
From: Samuel Díaz García <samueld@xxxxxxxxxxxxxx>
Reply-To: samueldg@xxxxxxxxxxxx
Organization: Servicio de Salud de Castilla - La Mancha
To: Volker Christian Behr <vrbehr@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
CC: Remi Collet <Remi@xxxxxxxxxxxxxxxxx>
References: <43D812D7.8030700@xxxxxxxxxxxx> <43D8750A.3020909@xxxxxxxxxxxxxxxxx> <43D8906A.5050001@xxxxxxxxxxxxxx> <1138279161.29064.4.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <43D9F161.7090207@xxxxxxxxxxxxxx> <1138361808.15755.12.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> <43DA5112.5080708@xxxxxxxxxxxxxxxxx> <1138549747.2345.12.camel@xxxxxxxxxxxxxxxxx>

Volker, I can confirm the problem.
With SELinux enabled, we can reproduce the failure (cups-pdf.log):

Mon Jan 30 10:36:50 2006  [DEBUG] initialization finished (v2.0.4)
Mon Jan 30 10:36:50 2006  [DEBUG] user identified (samueldg)
Mon Jan 30 10:36:50 2006 [DEBUG] output directory name generated (/home/samueldg)
Mon Jan 30 10:36:50 2006  [ERROR] failed to create directory (/home)
Mon Jan 30 10:36:50 2006  [DEBUG] ERRNO: 17
Mon Jan 30 10:36:50 2006  [ERROR] failed to create user output directory
(/home/samueldg)
Mon Jan 30 10:36:50 2006  [DEBUG] ERRNO: 17
Mon Jan 30 10:37:34 2006  [DEBUG] switching to new gid (root)
Mon Jan 30 10:37:34 2006  [DEBUG] initialization finished (v2.0.4)
Mon Jan 30 10:37:34 2006  [DEBUG] user identified (samueldg)
Mon Jan 30 10:37:34 2006 [DEBUG] output directory name generated (/home/samueldg)
Mon Jan 30 10:37:34 2006  [ERROR] failed to create directory (/home)
Mon Jan 30 10:37:34 2006  [DEBUG] ERRNO: 17
Mon Jan 30 10:37:34 2006  [ERROR] failed to create user output directory
(/home/samueldg)
Mon Jan 30 10:37:34 2006  [DEBUG] ERRNO: 17
Mon Jan 30 10:37:39 2006  [DEBUG] switching to new gid (root)
Mon Jan 30 10:37:39 2006  [DEBUG] initialization finished (v2.0.4)
Mon Jan 30 10:37:39 2006  [DEBUG] user identified (samueldg)
Mon Jan 30 10:37:39 2006 [DEBUG] output directory name generated (/home/samueldg)
Mon Jan 30 10:37:39 2006  [ERROR] failed to create directory (/home)
Mon Jan 30 10:37:39 2006  [DEBUG] ERRNO: 17
Mon Jan 30 10:37:39 2006  [ERROR] failed to create user output directory
(/home/samueldg)
Mon Jan 30 10:37:39 2006  [DEBUG] ERRNO: 17

In audit.log:
type=AVC msg=audit(1138613810.373:517): avc: denied { search } for pid=3823
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613810.373:517): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfcf42cc a2=3e6ff4 a3=bfcf42cc items=1 pid=3823
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613810.373:517):  cwd="/"
type=PATH msg=audit(1138613810.373:517): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613810.373:518): avc: denied { search } for pid=3823
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613810.373:518): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfcf323c a2=3e6ff4 a3=bfcf323c items=1 pid=3823
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613810.373:518):  cwd="/"
type=PATH msg=audit(1138613810.373:518): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613810.373:519): avc: denied { getattr } for pid=3823
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613810.373:519): arch=40000003 syscall=195 success=no
exit=-13 a0=bfcf32d4 a1=bfcf21ac a2=3e6ff4 a3=bfcf21ac items=1 pid=3823
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613810.373:519):  path="/home"
type=CWD msg=audit(1138613810.373:519):  cwd="/"
type=PATH msg=audit(1138613810.373:519): item=0 name="/home" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1138613853.687:520): user pid=2762 uid=0
auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd"
(hostname=?, addr=?, terminal=? result=Success)'
type=USER_ACCT msg=audit(1138613853.691:521): user pid=2762 uid=0
auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd"
(hostname=?, addr=?, terminal=? result=Success)'
type=AVC msg=audit(1138613854.011:522): avc: denied { search } for pid=3833
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613854.011:522): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfc6aeec a2=3e6ff4 a3=bfc6aeec items=1 pid=3833
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613854.011:522):  cwd="/"
type=PATH msg=audit(1138613854.011:522): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613854.011:523): avc: denied { search } for pid=3833
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613854.011:523): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfc69e5c a2=3e6ff4 a3=bfc69e5c items=1 pid=3833
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613854.011:523):  cwd="/"
type=PATH msg=audit(1138613854.011:523): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613854.011:524): avc: denied { getattr } for pid=3833
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613854.011:524): arch=40000003 syscall=195 success=no
exit=-13 a0=bfc69ef4 a1=bfc68dcc a2=3e6ff4 a3=bfc68dcc items=1 pid=3833
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613854.011:524):  path="/home"
type=CWD msg=audit(1138613854.011:524):  cwd="/"
type=PATH msg=audit(1138613854.011:524): item=0 name="/home" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1138613859.448:525): user pid=2762 uid=0
auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd"
(hostname=?, addr=?, terminal=? result=Success)'
type=USER_ACCT msg=audit(1138613859.456:526): user pid=2762 uid=0
auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd"
(hostname=?, addr=?, terminal=? result=Success)'
type=AVC msg=audit(1138613859.624:527): avc: denied { search } for pid=3842
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613859.624:527): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfee620c a2=3e6ff4 a3=bfee620c items=1 pid=3842
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613859.624:527):  cwd="/"
type=PATH msg=audit(1138613859.624:527): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613859.624:528): avc: denied { search } for pid=3842
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613859.624:528): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfee517c a2=3e6ff4 a3=bfee517c items=1 pid=3842
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613859.624:528):  cwd="/"
type=PATH msg=audit(1138613859.624:528): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613859.624:529): avc: denied { getattr } for pid=3842
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir type=SYSCALL msg=audit(1138613859.624:529): arch=40000003 syscall=195 success=no
exit=-13 a0=bfee5214 a1=bfee40ec a2=3e6ff4 a3=bfee40ec items=1 pid=3842
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613859.624:529):  path="/home"
type=CWD msg=audit(1138613859.624:529):  cwd="/"
type=PATH msg=audit(1138613859.624:529): item=0 name="/home" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00

I'll try to find more info about SELinux, but it appears that cups-pdf fails at 2
points:
   1) SELinux doesn't allow cups-pdf to browse directories.
   2) SELinux doesn't allow cups-pdf to get attribute info from files.

I'll google a bit to find more info about solving this problem and tell you
(perhaps a mini-FAQ about cups-pdf and SELinux would be useful for some users).

I don't think the problem is (with 2.0.4 at least) with cups-pdf, but I think that a little reference on the web page about configuring it with SELinux would be a
good idea.

As I said, I'll try to find more information on the WWW.

Regards and many thanks for your support (Volker and Remi).

Volker Christian Behr wrote:
Hi Samuel and Remi!

On Fri, 2006-01-27 at 17:57, Remi Collet wrote:

Volker Christian Behr a écrit :
By now I am pretty sure this has to do with SELinux since this issue
appears only on FC4-platforms.


Yes, and I've already asked Samuel to try with SELinux disabled (and with
the last FC4 updates).
One other user of my RPM has encountered the same error (but I've not
kept the email).


This would be the most interesting result: does CUPS-PDF work if SELinux
is disabled - especially does the directory creation work?


  if (stat(dirname, &fstatus) || !S_ISDIR(fstatus.st_mode)) {

The above line tests whether the given directory name is a dir:
!S_ISDIR(fstatus.st_mode)
If the directory exists this loop should never be entered....

Yes. But I think that you need read access on the parent dir to use
stat.
So it could be useful to verify the errno 17.

This is possible since I do not have any testing platforms with
SELinux
available. Remi, do you have SELinux enabled?


I checked on my system and since directory creation is done with full
root privileges I always have read access on all (local) directories. So
- again - I think this is SELinux blocking some functionality.

Thanks to you, Samuel, for the offer to log onto your system to test
there but since I never used SELinux before I think I am going to
install a FC4 on my computer so I can play around with it a little more
to see how to get CUPS-PDF to work smoothly with it (this will take some
time).

I am looking forward to the result without SELinux - it would be great if
this was the only issue since then there is just one issue to be solved
:-)

Cheers,

Volker




--
   Samuel Díaz García
    Director Gerente
ArcosCom Wireless, S.L.L.

CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz

http://www.arcoscom.com

mailto:samueldg@xxxxxxxxxxxx
msn: samueldg@xxxxxxxxxxxx

Móvil: 651 93 72 48
Tlfn.: 956 70 13 15
Fax:   956 70 34 83
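
Added example, not part of the original thread or of cups-pdf: a small Python parser that reads AVC records in the wrapped layout quoted above and groups the denials by source type, target type and object class, rendering each group in SELinux allow-rule syntax so an administrator can review exactly what the policy would have to grant. SAMPLE holds two records abridged from the thread's audit.log excerpt; the function names are illustrative.

```python
import re
from collections import defaultdict

# Two AVC records abridged from the audit.log excerpt quoted in the thread,
# kept in the wrapped layout of the e-mail.
SAMPLE = '''type=AVC msg=audit(1138613810.373:517): avc: denied { search } for pid=3823
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1138613810.373:519): avc: denied { getattr } for pid=3823
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
'''

# re.S lets one record span several physical lines, as in the mail archive.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<body>.*?)'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)',
    re.S)

def se_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def parse_denials(text):
    """Yield one dict per AVC denial found in text."""
    for m in AVC_RE.finditer(text):
        comm = re.search(r'comm="([^"]*)"', m.group('body'))
        yield {
            'perms': m.group('perms').split(),
            'comm': comm.group(1) if comm else None,
            'source': se_type(m.group('scon')),
            'target': se_type(m.group('tcon')),
            'tclass': m.group('tclass'),
        }

def candidate_rules(text):
    """Group denials by (source, target, class) and render allow rules for review."""
    grouped = defaultdict(set)
    for d in parse_denials(text):
        grouped[(d['source'], d['target'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_txt};')
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(SAMPLE)))
```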

