On Mon, 2006-01-30 at 21:43 +0100, Samuel Díaz García wrote:
> Any help/link/forum?
>
> Thanks
>
> Samuel Díaz García wrote:
> > Dear Guys, I have been working on running cups-pdf and it works with SELinux
> > disabled or relaxed, but ... cups-pdf doesn't work with SELinux "enforced".
> >
> > Anyone who knows better than me the "SELinux" architecture could help me
> > with this problem?
> >
> > I attach the audit.log later in the conversation with cups-pdf developers.
> >
> > Could anyone help saying what I need to configure in SELinux (and how)
> > to allow cupspdf to work with SELinux?

Stupid question, but have you fed the audit.log to "audit2why" for an
explanation? I did a quicky and it appears you don't have any TE
allow rules set up.

> >
> > Regards
> >
> > -------- Original Message --------
> > Subject: Problem with SELinux CONFIRMED
> > Date: Mon, 30 Jan 2006 10:50:02 +0100
> > From: Samuel Díaz García <samueld@xxxxxxxxxxxxxx>
> > Reply-To: samueldg@xxxxxxxxxxxx
> > Organization: Servicio de Salud de Castilla - La Mancha
> > To: Volker Christian Behr <vrbehr@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> > CC: Remi Collet <Remi@xxxxxxxxxxxxxxxxx>
> > References: <43D812D7.8030700@xxxxxxxxxxxx>
> > <43D8750A.3020909@xxxxxxxxxxxxxxxxx>
> > <43D8906A.5050001@xxxxxxxxxxxxxx>
> > <1138279161.29064.4.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> > <43D9F161.7090207@xxxxxxxxxxxxxx>
> > <1138361808.15755.12.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> > <43DA5112.5080708@xxxxxxxxxxxxxxxxx>
> > <1138549747.2345.12.camel@xxxxxxxxxxxxxxxxx>
> >
> > Volker, I confirm to you the problem.
> > With SELinux enabled, we can reproduce the failure (cups-pdf.log):
> >
> > Mon Jan 30 10:36:50 2006 [DEBUG] initialization finished (v2.0.4)
> > Mon Jan 30 10:36:50 2006 [DEBUG] user identified (samueldg)
> > Mon Jan 30 10:36:50 2006 [DEBUG] output directory name generated
> > (/home/samueldg)
> > Mon Jan 30 10:36:50 2006 [ERROR] failed to create directory (/home)
> > Mon Jan 30 10:36:50 2006 [DEBUG] ERRNO: 17
> > Mon Jan 30 10:36:50 2006 [ERROR] failed to create user output directory
> > (/home/samueldg)
> > Mon Jan 30 10:36:50 2006 [DEBUG] ERRNO: 17
> > Mon Jan 30 10:37:34 2006 [DEBUG] switching to new gid (root)
> > Mon Jan 30 10:37:34 2006 [DEBUG] initialization finished (v2.0.4)
> > Mon Jan 30 10:37:34 2006 [DEBUG] user identified (samueldg)
> > Mon Jan 30 10:37:34 2006 [DEBUG] output directory name generated
> > (/home/samueldg)
> > Mon Jan 30 10:37:34 2006 [ERROR] failed to create directory (/home)
> > Mon Jan 30 10:37:34 2006 [DEBUG] ERRNO: 17
> > Mon Jan 30 10:37:34 2006 [ERROR] failed to create user output directory
> > (/home/samueldg)
> > Mon Jan 30 10:37:34 2006 [DEBUG] ERRNO: 17
> > Mon Jan 30 10:37:39 2006 [DEBUG] switching to new gid (root)
> > Mon Jan 30 10:37:39 2006 [DEBUG] initialization finished (v2.0.4)
> > Mon Jan 30 10:37:39 2006 [DEBUG] user identified (samueldg)
> > Mon Jan 30 10:37:39 2006 [DEBUG] output directory name generated
> > (/home/samueldg)
> > Mon Jan 30 10:37:39 2006 [ERROR] failed to create directory (/home)
> > Mon Jan 30 10:37:39 2006 [DEBUG] ERRNO: 17
> > Mon Jan 30 10:37:39 2006 [ERROR] failed to create user output directory
> > (/home/samueldg)
> > Mon Jan 30 10:37:39 2006 [DEBUG] ERRNO: 17
> >
> > In audit.log :
> > type=AVC msg=audit(1138613810.373:517): avc: denied { search } for
> > pid=3823
> > comm="cups-pdf" name="home" dev=sda4 ino=5586913
> > scontext=system_u:system_r:cupsd_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
> > type=SYSCALL msg=audit(1138613810.373:517): arch=40000003 syscall=195
> > success=no
> > exit=-13 a0=805ae98 a1=bfcf42cc a2=3e6ff4 a3=bfcf42cc items=1 pid=3823
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> > type=CWD msg=audit(1138613810.373:517): cwd="/"
> > type=PATH msg=audit(1138613810.373:517): item=0 name="/home/samueldg"
> > flags=1
> > inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> > type=AVC msg=audit(1138613810.373:518): avc: denied { search } for
> > pid=3823
> > comm="cups-pdf" name="home" dev=sda4 ino=5586913
> > scontext=system_u:system_r:cupsd_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
> > type=SYSCALL msg=audit(1138613810.373:518): arch=40000003 syscall=195
> > success=no
> > exit=-13 a0=805ae98 a1=bfcf323c a2=3e6ff4 a3=bfcf323c items=1 pid=3823
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> > type=CWD msg=audit(1138613810.373:518): cwd="/"
> > type=PATH msg=audit(1138613810.373:518): item=0 name="/home/samueldg"
> > flags=1
> > inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> > type=AVC msg=audit(1138613810.373:519): avc: denied { getattr } for
> > pid=3823
> > comm="cups-pdf" name="home" dev=sda4 ino=5586913
> > scontext=system_u:system_r:cupsd_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
> > type=SYSCALL msg=audit(1138613810.373:519): arch=40000003 syscall=195
> > success=no
> > exit=-13 a0=bfcf32d4 a1=bfcf21ac a2=3e6ff4 a3=bfcf21ac items=1 pid=3823
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> > type=AVC_PATH msg=audit(1138613810.373:519): path="/home"
> > type=CWD msg=audit(1138613810.373:519): cwd="/"
> > type=PATH msg=audit(1138613810.373:519): item=0 name="/home" flags=1
> > inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> > type=USER_AUTH msg=audit(1138613853.687:520): user pid=2762 uid=0
> > auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd"
> > (hostname=?, addr=?, terminal=? result=Success)'
> > type=USER_ACCT msg=audit(1138613853.691:521): user pid=2762 uid=0
> > auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd"
> > (hostname=?, addr=?, terminal=? result=Success)'
> > type=AVC msg=audit(1138613854.011:522): avc: denied { search } for
> > pid=3833
> > comm="cups-pdf" name="home" dev=sda4 ino=5586913
> > scontext=system_u:system_r:cupsd_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
> > type=SYSCALL msg=audit(1138613854.011:522): arch=40000003 syscall=195
> > success=no
> > exit=-13 a0=805ae98 a1=bfc6aeec a2=3e6ff4 a3=bfc6aeec items=1 pid=3833
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> > type=CWD msg=audit(1138613854.011:522): cwd="/"
> > type=PATH msg=audit(1138613854.011:522): item=0 name="/home/samueldg"
> > flags=1
> > inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> > type=AVC msg=audit(1138613854.011:523): avc: denied { search } for
> > pid=3833
> > comm="cups-pdf" name="home" dev=sda4 ino=5586913
> > scontext=system_u:system_r:cupsd_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
> > type=SYSCALL msg=audit(1138613854.011:523): arch=40000003 syscall=195
> > success=no
> > exit=-13 a0=805ae98 a1=bfc69e5c a2=3e6ff4 a3=bfc69e5c items=1 pid=3833
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> > type=CWD msg=audit(1138613854.011:523): cwd="/"
> > type=PATH msg=audit(1138613854.011:523): item=0 name="/home/samueldg"
> > flags=1
> > inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> > type=AVC msg=audit(1138613854.011:524): avc: denied { getattr } for
> > pid=3833
> > comm="cups-pdf" name="home" dev=sda4 ino=5586913
> > scontext=system_u:system_r:cupsd_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
> > type=SYSCALL msg=audit(1138613854.011:524): arch=40000003 syscall=195
> > success=no
> > exit=-13 a0=bfc69ef4 a1=bfc68dcc a2=3e6ff4 a3=bfc68dcc items=1 pid=3833
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> > type=AVC_PATH msg=audit(1138613854.011:524): path="/home"
> > type=CWD msg=audit(1138613854.011:524): cwd="/"
> > type=PATH msg=audit(1138613854.011:524): item=0 name="/home" flags=1
> > inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> > type=USER_AUTH msg=audit(1138613859.448:525): user pid=2762 uid=0
> > auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd"
> > (hostname=?, addr=?, terminal=? result=Success)'
> > type=USER_ACCT msg=audit(1138613859.456:526): user pid=2762 uid=0
> > auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd"
> > (hostname=?, addr=?, terminal=? result=Success)'
> > type=AVC msg=audit(1138613859.624:527): avc: denied { search } for
> > pid=3842
> > comm="cups-pdf" name="home" dev=sda4 ino=5586913
> > scontext=system_u:system_r:cupsd_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
> > type=SYSCALL msg=audit(1138613859.624:527): arch=40000003 syscall=195
> > success=no
> > exit=-13 a0=805ae98 a1=bfee620c a2=3e6ff4 a3=bfee620c items=1 pid=3842
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> > type=CWD msg=audit(1138613859.624:527): cwd="/"
> > type=PATH msg=audit(1138613859.624:527): item=0 name="/home/samueldg"
> > flags=1
> > inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> > type=AVC msg=audit(1138613859.624:528): avc: denied { search } for
> > pid=3842
> > comm="cups-pdf" name="home" dev=sda4 ino=5586913
> > scontext=system_u:system_r:cupsd_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
> > type=SYSCALL msg=audit(1138613859.624:528): arch=40000003 syscall=195
> > success=no
> > exit=-13 a0=805ae98 a1=bfee517c a2=3e6ff4 a3=bfee517c items=1 pid=3842
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> > type=CWD msg=audit(1138613859.624:528): cwd="/"
> > type=PATH msg=audit(1138613859.624:528): item=0 name="/home/samueldg"
> > flags=1
> > inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> > type=AVC msg=audit(1138613859.624:529): avc: denied { getattr } for
> > pid=3842
> > comm="cups-pdf" name="home" dev=sda4 ino=5586913
> > scontext=system_u:system_r:cupsd_t
> > tcontext=system_u:object_r:home_root_t tclass=dir
> > type=SYSCALL msg=audit(1138613859.624:529): arch=40000003 syscall=195
> > success=no
> > exit=-13 a0=bfee5214 a1=bfee40ec a2=3e6ff4 a3=bfee40ec items=1 pid=3842
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
> > type=AVC_PATH msg=audit(1138613859.624:529): path="/home"
> > type=CWD msg=audit(1138613859.624:529): cwd="/"
> > type=PATH msg=audit(1138613859.624:529): item=0 name="/home" flags=1
> > inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
> > t
> >
> > I'll try to find more info about SELinux, but it appears that cups-pdf
> > fails in 2
> > points:
> > 1) SELinux doesn't allow cups-pdf to browse directories.
> > 2) SELinux doesn't allow cups-pdf to get attribute info from files.
> >
> > I'll google a bit to find more info about solving this problem and tell you
> > (perhaps a miniFAQ about cups-pdf and SELinux will be useful for some
> > users).
> >
> > I don't think the problem was (with 2.0.4 at least) with cups-pdf, but
> > I think
> > that a little reference in the web page about configuring with SELinux would
> > be a
> > good idea.
> >
> > As I said, I'll try to find more information on the www.
> >
> > Regards and many thanks for your support (Volker and Remi).
> >
> > Volker Christian Behr wrote:
> >> Hi Samuel and Remi!
> >>
> >> On Fri, 2006-01-27 at 17:57, Remi Collet wrote:
> >>
> >>> Volker Christian Behr wrote:
> >>>> By now I am pretty sure this has to do with SELinux since this issue
> >>>> appears only on FC4-platforms.
> >>>>
> >>>>
> >>>
> >>> Yes and I've already asked Samuel to try with SELinux disabled (and with
> >>> last FC4 updates)
> >>> One other user of my RPM has encountered the same error (but I've not
> >>> kept the email)
> >>
> >>
> >> This would be the most interesting result: does CUPS-PDF work if SELinux
> >> is disabled - especially does the directory creation work?
> >>
> >>
> >>>>> if (stat(dirname, &fstatus) || !S_ISDIR(fstatus.st_mode)) {
> >>>>>
> >>>>
> >>>> The above line tests whether the given directory name is a dir:
> >>>> !S_ISDIR(fstatus.st_mode)
> >>>> If the directory exists this loop should never be entered....
> >>>>
> >>>
> >>> Yes. But I think that you need read access on the parent dir to use
> >>> stat.
> >>> So it could be useful to verify the errno 17
> >>>
> >>>> This is possible since I do not have any testing platforms with
> >>>> SELinux
> >>>> available. Remi, do you have SELinux enabled?
> >>>>
> >>
> >>
> >> I checked on my system and since directory creation is done with full
> >> root privileges I always have read access on all (local) directories. So
> >> - again - I think this is SELinux blocking some functionality.
> >>
> >> Thanks to you, Samuel, for the offer to log onto your system to test
> >> there but since I never used SELinux before I think I am going to
> >> install a FC4 on my computer so I can play around with it a little more
> >> to see how to get CUPS-PDF to work smoothly with it (this will take some
> >> time).
> >>
> >> I am looking forward to the result without SELinux - it would be great if
> >> this was the only issue since then there is just one issue to be solved
> >> :-)
> >>
> >> Cheers,
> >>
> >> Volker
> >>
> >
> >
>
> --
> Samuel Díaz García
> Managing Director
> ArcosCom Wireless, S.L.L.
>
> CIF: B11828068
> c/ Romero Gago, 19
> Arcos de la Frontera
> 11630 - Cadiz
>
> http://www.arcoscom.com
>
> mailto:samueldg@xxxxxxxxxxxx
> msn: samueldg@xxxxxxxxxxxx
>
> Mobile: 651 93 72 48
> Tel.: 956 70 13 15
> Fax: 956 70 34 83
>

----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens@xxxxxxxxxxxxxxx -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-    "And on the seventh day, He exited from append mode."           -
----------------------------------------------------------------------
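
The denials repeated through the quoted audit.log reduce to a single source/target pair; the following added example (not part of the thread, and a stand-alone parser rather than audit2why or audit2allow) groups the AVC records and prints the TE allow rule the policy currently lacks. The sample records are the thread's own with the mail wrapping undone and the SYSCALL and USER_AUTH lines shortened; the `:s0` level suffix on the last record is constructed to exercise four-field contexts.

```python
import re
from collections import defaultdict

# Records from the audit.log excerpt quoted in the thread (unwrapped, non-AVC
# lines shortened). The ":s0" suffix on the last record is constructed.
SAMPLE = '''\
type=AVC msg=audit(1138613810.373:517): avc: denied { search } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613810.373:517): arch=40000003 syscall=195 success=no exit=-13
type=AVC msg=audit(1138613810.373:519): avc: denied { getattr } for pid=3823 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=USER_AUTH msg=audit(1138613853.687:520): user pid=2762 uid=0
type=AVC msg=audit(1138613854.011:522): avc: denied { search } for pid=3833 comm="cups-pdf" name="home" dev=sda4 ino=5586913 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    fields = context.split(':')
    if len(fields) < 3:
        raise ValueError('not an SELinux context: %r' % context)
    return fields[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith('type=AVC '):
            continue  # SYSCALL, CWD, PATH, AVC_PATH, USER_* hold no decision
        m = AVC_RE.search(line)
        if m is None:
            continue  # a granted or malformed AVC record
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        denials[key].update(m['perms'].split())
    return dict(denials)

def candidate_rules(denials):
    """Render each group as a TE allow rule for review, not for blind loading."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        ordered = sorted(perms)
        body = ordered[0] if len(ordered) == 1 else '{ %s }' % ' '.join(ordered)
        rules.append('allow %s %s:%s %s;' % (src, tgt, cls, body))
    return rules

if __name__ == '__main__':
    print('\n'.join(candidate_rules(summarize_denials(SAMPLE))))
```

The printed rule states what cupsd_t would need in order to traverse /home. Whether the policy should grant it, or cups-pdf should write somewhere cupsd_t can already reach, remains a policy review decision.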