Bug 5565 - SELinux error in printer step of tl-setup
Status: CLOSED DUPLICATE of bug 3846
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Server Installer
Version: 4.3.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.5.0
Assignee: Henrik Andersson
Reported: 2015-06-04 09:10 CEST by Karl Mikaelsson
Modified: 2015-08-14 09:23 CEST

Description Karl Mikaelsson cendio 2015-06-04 09:10:19 CEST
Upgrading a late ThinLinc 4.3.0post install to 4.4.0rc5 on a RHEL 7 server, I got this SELinux error when tl-setup was adding the printer queues. It didn't stop tl-setup from completing, and there were no errors reported in tl-setup.

Complete error messages from setroubleshootd:

> SELinux is preventing /usr/bin/python2.7 from unlink access on the file /opt/thinlinc/modules/thinlinc/vsm/lowxmlrpc.pyc.
>
> *****  Plugin catchall_labels (83.8 confidence) suggests   *******************
> 
> If you want to allow python2.7 to have unlink access on the lowxmlrpc.pyc file
> Then du behöver ändra etiketten på /opt/thinlinc/modules/thinlinc/vsm/lowxmlrpc.pyc
> Do
> # semanage fcontext -a -t FILTYP '/opt/thinlinc/modules/thinlinc/vsm/lowxmlrpc.pyc'
> där FILTYP är en av följande: cupsd_interface_t, cupsd_lock_t, cupsd_log_t, cupsd_rw_etc_t,
>  cupsd_tmp_t, cupsd_var_lib_t, cupsd_var_run_t, krb5_host_rcache_t, print_spool_t. 
> Kör sedan: 
> restorecon -v '/opt/thinlinc/modules/thinlinc/vsm/lowxmlrpc.pyc'
>
>
> *****  Plugin catchall (17.1 confidence) suggests   **************************
>
> If du tror att python2.7 borde tillåtas åtkomsten unlink till lowxmlrpc.pyc file som standard.
> Then du bör rapportera detta som ett fel.
> Du kan generera en lokal policymodul för att tillåta denna åtkomst.
> Do
> tillåt denna åtkomst för tillfället genom att köra:
> # grep python-thinlinc /var/log/audit/audit.log | audit2allow -M minpol
> # semodule -i minpol.pp
> 
> Additional Information:
> Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:usr_t:s0
> Target Objects                /opt/thinlinc/modules/thinlinc/vsm/lowxmlrpc.pyc [ file ]
> Source                        python-thinlinc
> Source Path                   /usr/bin/python2.7
> Port                          <Unknown>
> Host                          dhcp-253-247.lkpg.cendio.se
> Source RPM Packages           python-2.7.5-16.el7.x86_64
> Target RPM Packages           thinlinc-vsm-4.4.0-4775.x86_64
> Policy RPM                    selinux-policy-3.13.1-23.el7_1.7.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     dhcp-253-247.lkpg.cendio.se
> Platform                      Linux dhcp-253-247.lkpg.cendio.se 3.10.0-229.4.2.el7.x86_64 #1 SMP Fri Apr 24 15:26:38 EDT 2015 x86_64 x86_64
> Alert Count                   29
> First Seen                    2015-05-21 10:42:23 CEST
> Last Seen                     2015-06-04 09:00:45 CEST
> Local ID                      5c391b78-cc9b-4eea-aafe-e90149df28b6
> 
> Raw Audit Messages
> type=AVC msg=audit(1433401245.508:3087): avc:  denied  { unlink } for 
>   pid=49866 comm="python-thinlinc" name="lowxmlrpc.pyc" dev="dm-0"
>   ino=101634113 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>   tcontext=system_u:object_r:usr_t:s0 tclass=file
> 
> 
> type=SYSCALL msg=audit(1433401245.508:3087): arch=x86_64 syscall=unlink success=no
>   exit=EACCES a0=1d0f930 a1=1c780 a2=81a4 a3=7f71111cd5d0 items=0 ppid=49852 pid=49866
>   auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none)
>   ses=4294967295 comm=python-thinlinc exe=/usr/bin/python2.7
>   subj=system_u:system_r:cupsd_t:s0 s0:c0.c1023 key=(null)
> 
> Hash: python-thinlinc,cupsd_t,usr_t,file,unlink
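
The `Hash:` line that closes the setroubleshootd report can be rebuilt from the raw `type=AVC` record, which is useful for grouping repeated denials (the report shows an alert count of 29) during triage. The following is an added example, not part of the original bug report or of ThinLinc: `parse_avc`, `summarize` and `SAMPLE_LOG` are hypothetical names, the sample log is constructed from the record quoted above, and emitting one key per permission is an assumption.

```python
import re
from collections import Counter

# Constructed sample. Line 1 is the AVC record from the report joined onto one
# line; lines 2-4 are made up to cover repeats, multi-permission and non-AVC records.
SAMPLE_LOG = """\
type=AVC msg=audit(1433401245.508:3087): avc:  denied  { unlink } for  pid=49866 comm="python-thinlinc" name="lowxmlrpc.pyc" dev="dm-0" ino=101634113 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1433401246.100:3088): avc:  denied  { unlink } for  pid=49870 comm="python-thinlinc" name="lowxmlrpc.pyc" dev="dm-0" ino=101634113 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1433401300.000:3100): avc:  denied  { read write } for  pid=50001 comm="example-tool" name="example.dat" dev="dm-0" ino=1 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1433401300.000:3100): arch=c000003e syscall=2 success=no exit=-13 comm="example-tool"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A security context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def parse_avc(line):
    """Parse one audit.log line; return None unless it is a complete AVC denial."""
    match = AVC_RE.search(line) if line.startswith("type=AVC ") else None
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
    try:
        return {
            "perms": match.group("perms").split(),
            "comm": fields["comm"],
            "source_type": selinux_type(fields["scontext"]),
            "target_type": selinux_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        }
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def summarize(log_text):
    """Count denials per key in the report's Hash layout, one key per permission."""
    counts = Counter()
    for avc in filter(None, map(parse_avc, log_text.splitlines())):
        for perm in avc["perms"]:
            key = (avc["comm"], avc["source_type"], avc["target_type"], avc["tclass"], perm)
            counts[",".join(key)] += 1
    return counts

if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(count, key)
```
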
Comment 1 Pierre Ossman cendio 2015-06-09 13:41:12 CEST

*** This bug has been marked as a duplicate of bug 3846 ***
