[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: cups failed last week, now amanda



On Wednesday 10 December 2008, Craig White wrote:
>On Wed, 2008-12-10 at 21:24 -0500, Gene Heskett wrote:
[...]
>> (brought to you by Amanda 2.6.2alpha-20081208)
>>
>> So that is fixed.  I wonder if cups is too?  No, selinux, which is back to
>> enforcing now, is denying cups any access to lp3.
>>
>> Nope, even after manually copying one of the 3 identical HL2140.ppd files
>> into /etc/cups/printers/lp3.ppd, it prints blank sheets of paper, and
>> logs, when I try to change the default paper size to letter from A4:
>>
>> E [10/Dec/2008:21:12:25 -0500] CUPS-Add-Modify-Printer: Unauthorized
>>
>> And I've run thru the delete/add at localhost:631 until I have run out of
>> options, even going so far as to set the perms identical, no change in the
>> error messages.
>>
>> Your turn.
>
>----
>I just checked on my system and evidently, adding alias net-pf-10 off to
>modprobe.conf doesn't do squat any more because I too have ipv6
>addresses...don't know how long that's been going on but I have updated
>this system from like Fedora Core 4 or 5 continuously up and now I'm
>F10. I'm sort of at a loss on how to disable ipv6 but I would imagine it
>wouldn't take long to google.
>
>'manually copying' config files for cups seems to be wrong - it might
>cause selinux problems. I generally copy ppd files
>to /usr/share/cups/model and they will stay there forever and cups reads
>that folder when you set up printers and offers all PPD's that reside
>there.

I have them there, but they are not .gz'd, and cups doesn't show them to me, I 
have to browse to find it, there of course, but then cups throws that error, 
I think when its trying to construct /etc/cups/printers/lp3.  I have deleted 
the printer, cups can't delete it so I go behind it and do with with mc or 
rm.  Now this time, cups has created an /etc/cups/ppd/lp3.ppd from the 
HL2140.ppd file, and the change to a default paper size was apparently done 
cuz thats what its set to right now.  So that is different from previous.

A test page doesn't show an error, but spits out blank paper.  The printers 
own test page works as expected.

I just fired up Kompare, and HL2140.ppd and lp3.ppd are identical except for 
the A4 becoming 'letter'.  And setting /etc/cups/cupsd.conf for debug2 output 
still says it worked, but I get a blank sheet of paper for the cups test 
image.  That BTW, is a lot of progress, its the first paper its fed in 2 
weeks.

Where else besides there in cups.conf can I turn on a lot of debugging so I 
can see what might be wrong?

>selinux errors are very specific about what they're denying and
>why...you might want to look at audit.log or dmesg to get a clue or even
>better yet, install the setroubleshoot stuff which makes things a lot
>easier

Setroubleshoot says:
++++++++++++
SELinux is preventing cupsd (cupsd_t) "execute" to ./lp3 (cupsd_rw_etc_t)

Sometimes labeling problems can cause SELinux denials. You could try to 
restore the default system file context for ./lp3,

restorecon -v './lp3'
---------------
a restorecon -v './lp3.ppd' did not change the context of the file.
---------------
Source Context:  system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:cupsd_rw_etc_t:s0
Target Objects:  ./lp3 [ file ]
Source:  cupsd
Source Path:  /usr/sbin/cupsd
Port:  <Unknown>
Host:  coyote.coyote.den
Source RPM Packages:  cups-1.3.9-2.fc8
Policy RPM:  selinux-policy-3.0.8-127.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall_file
Host Name:  coyote.coyote.den
Platform:  Linux coyote.coyote.den 2.6.28-rc6 #4 SMP PREEMPT Mon Dec 1 
10:15:04 EST 2008 i686 athlon
Alert Count:  5
First Seen:  Fri 28 Nov 2008 11:46:07 AM EST
Last Seen:  Wed 10 Dec 2008 08:57:42 PM EST
Local ID:  949d16f5-c192-4bab-97a7-461c6970b67c
Raw Audit Messages :

host=coyote.coyote.den type=AVC msg=audit(1228960662.917:137): avc: denied { 
execute } for pid=4863 comm="cupsd" name="lp3" dev=sda3 ino=104400248 
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file 

host=coyote.coyote.den type=SYSCALL msg=audit(1228960662.917:137): 
arch=40000003 syscall=33 success=no exit=-13 a0=bf9c70c6 a1=1 a2=b7fcbff4 
a3=b7fcca3c items=0 ppid=4862 pid=4863 auid=0 uid=0 gid=0 euid=0 suid=0 
fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="cupsd" 
exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 
key=(null)
+++++++++++++

It was just relabeled when I rebooted.
Context for lp3.ppd is;

 [root coyote ppd]# ls -l --context
-rw-r--r--  root root system_u:object_r:cupsd_rw_etc_t:s0 Cups-PDF.ppd
-rw-r--r--  root root system_u:object_r:cupsd_rw_etc_t:s0 EPSON_Stylus_C82.ppd
-rw-r--r--  root root system_u:object_r:cupsd_rw_etc_t:s0 lp0.ppd
-rw-r--r--  root root system_u:object_r:cupsd_rw_etc_t:s0 lp1.ppd
-rw-r--r--  root root system_u:object_r:cupsd_rw_etc_t:s0 lp2.ppd
-rw-r--r--  root root system_u:object_r:cupsd_rw_etc_t:s0 lp3.ppd

So thats not it.  A 'locate lp3' returns:

/etc/cups/ppd/lp3.ppd

and some winhlp3 hits that aren't germain.

I see that /usr/share/setroubleshoot/plugins has a file for damned near 
everything but cups, am I missing something AGAIN?  But no cups specific 
stuff in the cups or selinux related packages in /var/cache/yum, I just 
looked.

Bugzilla time?

Your turn and thanks Craig.

>Craig



-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Lavish spending can be disastrous.  Don't buy any lavishes for a while.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]