SELinux breaks CUPS

Bug #216132 reported by irober02
Affects: refpolicy (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

I'm giving ubuntu-8.04-beta-server-amd64 a go on my new home server. It installed fine and is mostly running well. Sharing files and (hopefully) a printer via samba is the major task for the server.

I've installed SELinux (learning opportunity) and one outstanding problem is getting cups running.

When I (re)install cupsys and cupsys-client I get the following:

The following NEW packages will be installed:
cupsys cupsys-client
0 upgraded, 2 newly installed, 0 to remove and 6 not upgraded.
Need to get 0B/1970kB of archives.
After this operation, 10.5MB of additional disk space will be used.
Preconfiguring packages ...
Selecting previously deselected package cupsys.
(Reading database ... 30319 files and directories currently installed.)
Unpacking cupsys (from .../cupsys_1.3.7-1ubuntu2_amd64.deb) ...
Selecting previously deselected package cupsys-client.
Unpacking cupsys-client (from .../cupsys-client_1.3.7-1ubuntu2_amd64.deb) ...
Setting up cupsys (1.3.7-1ubuntu2) ...
Unable to find apparmor_parser, installation problem?: Failed.
invoke-rc.d: initscript apparmor, action "force-reload" failed.
* Starting Common Unix Printing System: cupsd start-stop-daemon: Unable to start /usr/sbin/cupsd: Permission denied (Permission denied)
invoke-rc.d: initscript cupsys, action "start" failed.
dpkg: error processing cupsys (--configure):
subprocess post-installation script returned error exit status 2
Setting up cupsys-client (1.3.7-1ubuntu2) ...

Errors were encountered while processing:
cupsys
E: Sub-process /usr/bin/dpkg returned an error code (1)

and syslog displays:

Apr 11 10:03:49 tunnelball kernel: [56186.723703] audit(1207874029.018:9): security_compute_sid: invalid context unconfined_u:system_r:cupsd_t for scontext=unconfined_u:unconfined_r:unconfined_t tcontext=system_u:object_r:cupsd_exec_t tclass=process

When I set SELinux to permissive cupsd starts and runs OK.

irober02 (ianwroberts) wrote :

SELinux (permissive) is also logging the following:

Apr 12 08:00:24 tunnelball kernel: [28254.997825] audit(1207953024.971:5): avc: denied { rename } for pid=4816 comm="cupsd" name="cupsd.conf" dev=sda1 ino=22283584 scontext=system_u:system_r:cupsd_t tcontext=unconfined_u:object_r:cupsd_etc_t tclass=file
Apr 12 08:01:23 tunnelball kernel: [28313.068128] audit(1207953083.071:7): avc: denied { transition } for pid=11727 comm="start-stop-daem" path="/usr/sbin/cupsd" dev=sda1 ino=7259018 scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:system_r:cupsd_t tclass=process
Apr 12 08:01:23 tunnelball kernel: [28313.072977] audit(1207953083.071:8): avc: denied { search } for pid=11728 comm="cupsd" name="home" dev=sda1 ino=7618561 scontext=unconfined_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
Apr 12 08:11:39 tunnelball kernel: [28929.415957] audit(1207953699.681:15): avc: denied { execute_no_trans } for pid=11890 comm="cupsd" path="/usr/lib/cups/backend/usb" dev=sda1 ino=7407276 scontext=unconfined_u:system_r:cupsd_t tcontext=system_u:object_r:lib_t tclass=file
Apr 12 11:29:18 tunnelball kernel: [40783.427491] audit(1207965558.751:38): avc: denied { execute_no_trans } for pid=12884 comm="cupsd" path="/usr/lib/cups/backend/usb" dev=sda1 ino=7407276 scontext=unconfined_u:system_r:cupsd_t tcontext=system_u:object_r:lib_t tclass=file
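
An added example, not part of the original report or of refpolicy: a small Python parser for the "avc: denied" lines quoted in the comment above, grouping them by source type, target type and object class into candidate allow rules for review. The function names are hypothetical; the sample lines are copied from the comment with the syslog prefix removed.

```python
import re
from collections import defaultdict

# Denials copied from the comment above (timestamp/host/kernel prefix removed).
SAMPLE = """\
audit(1207953024.971:5): avc: denied { rename } for pid=4816 comm="cupsd" name="cupsd.conf" dev=sda1 ino=22283584 scontext=system_u:system_r:cupsd_t tcontext=unconfined_u:object_r:cupsd_etc_t tclass=file
audit(1207953083.071:7): avc: denied { transition } for pid=11727 comm="start-stop-daem" path="/usr/sbin/cupsd" dev=sda1 ino=7259018 scontext=unconfined_u:unconfined_r:unconfined_t tcontext=unconfined_u:system_r:cupsd_t tclass=process
audit(1207953083.071:8): avc: denied { search } for pid=11728 comm="cupsd" name="home" dev=sda1 ino=7618561 scontext=unconfined_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
audit(1207953699.681:15): avc: denied { execute_no_trans } for pid=11890 comm="cupsd" path="/usr/lib/cups/backend/usb" dev=sda1 ino=7407276 scontext=unconfined_u:system_r:cupsd_t tcontext=system_u:object_r:lib_t tclass=file
audit(1207965558.751:38): avc: denied { execute_no_trans } for pid=12884 comm="cupsd" path="/usr/lib/cups/backend/usb" dev=sda1 ino=7407276 scontext=unconfined_u:system_r:cupsd_t tcontext=system_u:object_r:lib_t tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    # A context is user:role:type[:level]; the type is the third field.
    src, tgt = rec['scontext'].split(':'), rec['tcontext'].split(':')
    if len(src) < 3 or len(tgt) < 3:
        return None
    rec.update(perms=m.group('perms').split(), stype=src[2], ttype=tgt[2])
    return rec

def summarize(lines):
    """Merge denials per (source type, target type, class) into rule text."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    out = []
    for (s, t, c), perms in sorted(rules.items()):
        out.append("allow %s %s:%s { %s };" % (s, t, c, ' '.join(sorted(perms))))
    return out

if __name__ == '__main__':
    print('\n'.join(summarize(SAMPLE.splitlines())))
```

The output is a list of candidates to review, not policy to load as-is: each one should first be checked against whether the target file or process carries the label it is expected to have.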

Kees Cook (kees) wrote :

This has been fixed in 0.0.20071214-0ubuntu3 (among other things), debdiff attached. Please approve for universe freeze exception. (Note that SELinux is not usable without this new version.)

Scott Kitterman (kitterman) wrote : Re: [Bug 216132] Re: SELinux breaks CUPS

Ack from motu-release. Please go ahead and upload.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package refpolicy - 0.0.20071214-0ubuntu3

---------------
refpolicy (0.0.20071214-0ubuntu3) hardy; urgency=low

  * debian/patches/cups.patch
  * debian/patches/files.patch
  * debian/patches/lpd.patch
    - Allow cups to use dhcp.
    - Allow most accesses necessary for cups-pdf.
    - Allow cups access to dbus when no dbus policy is loaded.
  * debian/patches/init.patch
  * debian/patches/ssh.patch
    - Allow init to change oom priority of sshd.
  * debian/patches/unconfined.patch
  * debian/patches/users.patch
    - Allowing unconfined_r system_r and access to run_init so that unconfined
      root users can start/stop/restart services via init scripts
      (LP: #202983, #209773, #211305, #216132)

 -- Caleb Case <email address hidden> Tue, 25 Mar 2008 16:42:08 -0400

Changed in refpolicy:
status: New → Fix Released