cups-pdf && SELinux problem running

Samuel Díaz García samueldg at arcoscom.com
Mon Jan 30 10:09:15 UTC 2006


Dear Guys, I have been working on running cups-pdf and it works with SELinux
disabled or relaxed, but ... cups-pdf doesn't work with SELinux "enforced".

Could anyone who knows the "SELinux" architecture better than me help me with
this problem?

I attach the audit.log later, in the conversation with the cups-pdf developers.

Could anyone help by saying what I need to configure in SELinux (and how) to
allow cups-pdf to work with SELinux?

Regards

-------- Original Message --------
Subject: Problem with SELinux CONFIRMED
Date: Mon, 30 Jan 2006 10:50:02 +0100
From: Samuel Díaz García <samueld at sescam.jccm.es>
Reply-To: samueldg at arcoscom.com
Organization: Servicio de Salud de Castilla - La Mancha
To: Volker Christian Behr <vrbehr at cip.physik.uni-wuerzburg.de>
CC: Remi Collet <Remi at famillecollet.com>
References: <43D812D7.8030700 at arcoscom.com>	 
<43D8750A.3020909 at FamilleCollet.com>  <43D8906A.5050001 at sescam.jccm.es>	 
<1138279161.29064.4.camel at merlin.physik.uni-wuerzburg.de>	 
<43D9F161.7090207 at sescam.jccm.es>	 
<1138361808.15755.12.camel at merlin.physik.uni-wuerzburg.de>	 
<43DA5112.5080708 at FamilleCollet.com> <1138549747.2345.12.camel at taliesin.localnet>

Volker, I confirm the problem to you.
With SELinux enabled, we can reproduce the failure (cups-pdf.log):

Mon Jan 30 10:36:50 2006  [DEBUG] initialization finished (v2.0.4)
Mon Jan 30 10:36:50 2006  [DEBUG] user identified (samueldg)
Mon Jan 30 10:36:50 2006  [DEBUG] output directory name generated (/home/samueldg)
Mon Jan 30 10:36:50 2006  [ERROR] failed to create directory (/home)
Mon Jan 30 10:36:50 2006  [DEBUG] ERRNO: 17
Mon Jan 30 10:36:50 2006  [ERROR] failed to create user output directory
(/home/samueldg)
Mon Jan 30 10:36:50 2006  [DEBUG] ERRNO: 17
Mon Jan 30 10:37:34 2006  [DEBUG] switching to new gid (root)
Mon Jan 30 10:37:34 2006  [DEBUG] initialization finished (v2.0.4)
Mon Jan 30 10:37:34 2006  [DEBUG] user identified (samueldg)
Mon Jan 30 10:37:34 2006  [DEBUG] output directory name generated (/home/samueldg)
Mon Jan 30 10:37:34 2006  [ERROR] failed to create directory (/home)
Mon Jan 30 10:37:34 2006  [DEBUG] ERRNO: 17
Mon Jan 30 10:37:34 2006  [ERROR] failed to create user output directory
(/home/samueldg)
Mon Jan 30 10:37:34 2006  [DEBUG] ERRNO: 17
Mon Jan 30 10:37:39 2006  [DEBUG] switching to new gid (root)
Mon Jan 30 10:37:39 2006  [DEBUG] initialization finished (v2.0.4)
Mon Jan 30 10:37:39 2006  [DEBUG] user identified (samueldg)
Mon Jan 30 10:37:39 2006  [DEBUG] output directory name generated (/home/samueldg)
Mon Jan 30 10:37:39 2006  [ERROR] failed to create directory (/home)
Mon Jan 30 10:37:39 2006  [DEBUG] ERRNO: 17
Mon Jan 30 10:37:39 2006  [ERROR] failed to create user output directory
(/home/samueldg)
Mon Jan 30 10:37:39 2006  [DEBUG] ERRNO: 17

In audit.log :
type=AVC msg=audit(1138613810.373:517): avc:  denied  { search } for  pid=3823
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613810.373:517): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfcf42cc a2=3e6ff4 a3=bfcf42cc items=1 pid=3823
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613810.373:517):  cwd="/"
type=PATH msg=audit(1138613810.373:517): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613810.373:518): avc:  denied  { search } for  pid=3823
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613810.373:518): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfcf323c a2=3e6ff4 a3=bfcf323c items=1 pid=3823
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613810.373:518):  cwd="/"
type=PATH msg=audit(1138613810.373:518): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613810.373:519): avc:  denied  { getattr } for  pid=3823
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613810.373:519): arch=40000003 syscall=195 success=no
exit=-13 a0=bfcf32d4 a1=bfcf21ac a2=3e6ff4 a3=bfcf21ac items=1 pid=3823
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613810.373:519):  path="/home"
type=CWD msg=audit(1138613810.373:519):  cwd="/"
type=PATH msg=audit(1138613810.373:519): item=0 name="/home" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1138613853.687:520): user pid=2762 uid=0
auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd"
(hostname=?, addr=?, terminal=? result=Success)'
type=USER_ACCT msg=audit(1138613853.691:521): user pid=2762 uid=0
auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd"
(hostname=?, addr=?, terminal=? result=Success)'
type=AVC msg=audit(1138613854.011:522): avc:  denied  { search } for  pid=3833
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613854.011:522): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfc6aeec a2=3e6ff4 a3=bfc6aeec items=1 pid=3833
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613854.011:522):  cwd="/"
type=PATH msg=audit(1138613854.011:522): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613854.011:523): avc:  denied  { search } for  pid=3833
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613854.011:523): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfc69e5c a2=3e6ff4 a3=bfc69e5c items=1 pid=3833
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613854.011:523):  cwd="/"
type=PATH msg=audit(1138613854.011:523): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613854.011:524): avc:  denied  { getattr } for  pid=3833
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613854.011:524): arch=40000003 syscall=195 success=no
exit=-13 a0=bfc69ef4 a1=bfc68dcc a2=3e6ff4 a3=bfc68dcc items=1 pid=3833
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613854.011:524):  path="/home"
type=CWD msg=audit(1138613854.011:524):  cwd="/"
type=PATH msg=audit(1138613854.011:524): item=0 name="/home" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=USER_AUTH msg=audit(1138613859.448:525): user pid=2762 uid=0
auid=4294967295 msg='PAM authentication: user=root exe="/usr/sbin/cupsd"
(hostname=?, addr=?, terminal=? result=Success)'
type=USER_ACCT msg=audit(1138613859.456:526): user pid=2762 uid=0
auid=4294967295 msg='PAM accounting: user=root exe="/usr/sbin/cupsd"
(hostname=?, addr=?, terminal=? result=Success)'
type=AVC msg=audit(1138613859.624:527): avc:  denied  { search } for  pid=3842
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613859.624:527): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfee620c a2=3e6ff4 a3=bfee620c items=1 pid=3842
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613859.624:527):  cwd="/"
type=PATH msg=audit(1138613859.624:527): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613859.624:528): avc:  denied  { search } for  pid=3842
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613859.624:528): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfee517c a2=3e6ff4 a3=bfee517c items=1 pid=3842
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=CWD msg=audit(1138613859.624:528):  cwd="/"
type=PATH msg=audit(1138613859.624:528): item=0 name="/home/samueldg" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1138613859.624:529): avc:  denied  { getattr } for  pid=3842
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613859.624:529): arch=40000003 syscall=195 success=no
exit=-13 a0=bfee5214 a1=bfee40ec a2=3e6ff4 a3=bfee40ec items=1 pid=3842
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
type=AVC_PATH msg=audit(1138613859.624:529):  path="/home"
type=CWD msg=audit(1138613859.624:529):  cwd="/"
type=PATH msg=audit(1138613859.624:529): item=0 name="/home" flags=1
inode=5586913 dev=08:04 mode=040755 ouid=0 ogid=0 rdev=00:00

I'll try to find more info about SELinux, but it appears that cups-pdf fails at 2
points:
    1) SELinux doesn't allow cups-pdf to browse directories.
    2) SELinux doesn't allow cups-pdf to get attribute info from files.

I'll google a bit to find more info about solving this problem and let you know
(perhaps a mini-FAQ about cups-pdf and SELinux will be useful for some users).

I don't think the problem is (with 2.0.4 at least) with cups-pdf, but I think
that a short reference on the web page about configuring with SELinux would be a
good idea.

As I said, I'll try to find more information on the www.

Regards and many thanks for your support (Volker and Remi).

Volker Christian Behr wrote:
> Hi Samuel and Remi!
> 
> On Fri, 2006-01-27 at 17:57, Remi Collet wrote:
> 
>>Volker Christian Behr wrote:
>>
>>>By now I am pretty sure this has to do with SELinux since this issue
>>>appears only on FC4-platforms.
>>>
>>>  
>>
>>Yes, and I've already asked Samuel to try with SELinux disabled (and with
>>last FC4 updates)
>>One other user of my RPM has encountered the same error (but I've not
>>kept the email)
> 
> 
> This would be the most interesting result: does CUPS-PDF work if SELinux
> is disabled - especially does the directory creation work?
> 
> 
>>>>   if (stat(dirname, &fstatus) || !S_ISDIR(fstatus.st_mode)) {
>>>>    
>>>
>>>The above line tests whether the given directory name is a dir:
>>>!S_ISDIR(fstatus.st_mode)
>>>If the directory exists this loop should never be entered....
>>>  
>>
>>Yes. But I think that you need read access on the parent dir to use
>>stat.
>>So it could be useful to verify the errno 17
>>
>>>This is possible since I do not have any testing platforms with
>>>SELinux
>>>available. Remi, do you have SELinux enabled?
>>>  
> 
> 
> I checked on my system and since directory creation is done with full
> root privileges I always have read access on all (local) directories. So
> - again - I think this is SELinux blocking some functionality.
> 
> Thanks to you, Samuel, for the offer to log onto your system to test
> there but since I never used SELinux before I think I am going to
> install a FC4 on my computer so I can play around with it a little more
> to see how to get CUPS-PDF to work smoothly with it (this will take some
> time).
> 
> I am looking forward to the result without SELinux - it would be great if
> this was the only issue since then there is just one issue to be solved
> :-)
> 
> Cheers,
> 
> Volker
> 


-- 
    Samuel Díaz García
     Director Gerente
ArcosCom Wireless, S.L.L.

CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz

http://www.arcoscom.com

mailto:samueldg at arcoscom.com
msn: samueldg at arcoscom.com

Móvil: 651 93 72 48
Tlfn.: 956 70 13 15
Fax:   956 70 34 83
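
Added example, not part of the original message or of cups-pdf: a short Python triage of the audit.log excerpt above. It rejoins the mail-wrapped records, groups the AVC denials by source type, target type and class, and maps the failed syscall's exit code to an errno name; the function names are hypothetical and the sample is three records copied from the log above.

```python
import errno
import re
from collections import defaultdict

# From the audit.log excerpt above (first print job), still wrapped as the mail left it.
SAMPLE = """\
type=AVC msg=audit(1138613810.373:517): avc:  denied  { search } for  pid=3823
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=SYSCALL msg=audit(1138613810.373:517): arch=40000003 syscall=195 success=no
exit=-13 a0=805ae98 a1=bfcf42cc a2=3e6ff4 a3=bfcf42cc items=1 pid=3823
type=AVC msg=audit(1138613810.373:519): avc:  denied  { getattr } for  pid=3823
comm="cups-pdf" name="home" dev=sda4 ino=5586913
scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
"""

AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]+)".*?'
                 r'scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
EVENT = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

def join_records(text):
    """Undo mail wrapping: a record starts at 'type=' and runs to the next 'type='."""
    records = []
    for line in text.splitlines():
        if line.startswith("type="):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Return ({(comm, source_type, target_type, class): perms}, {event_id: errno name})."""
    denials, failures = defaultdict(set), {}
    for rec in join_records(text):
        event = EVENT.search(rec).group(1)
        avc = AVC.search(rec) if rec.startswith("type=AVC ") else None
        if avc:
            perms, comm, scon, tcon, tclass = avc.groups()
            denials[(comm, scon.split(":")[2], tcon.split(":")[2], tclass)].update(perms.split())
        elif rec.startswith("type=SYSCALL "):
            code = int(re.search(r"\bexit=(-?\d+)", rec).group(1))
            if code < 0:  # negative exit is -errno
                failures[event] = errno.errorcode.get(-code, str(-code))
    return dict(denials), failures

def as_rules(denials):
    """Render each group in type-enforcement allow-rule syntax, for review only."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};  # seen from {comm}"
            for (comm, s, t, c), p in sorted(denials.items())]
```

On the sample, both denials collapse into one cupsd_t to home_root_t:dir group with permissions getattr and search, and exit=-13 resolves to EACCES. The rendered rule is a review aid describing what was denied, not a recommendation to grant it.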



