On Thu, 2006-01-26 at 11:12 -0500, Stephen Smalley wrote: > On Thu, 2006-01-26 at 08:46 -0700, Craig White wrote: > > E [26/Jan/2006:08:40:36 -0700] LoadPPDs: Unable to open PPD directory > > "/usr/share/cups/model": Permission denied > > > > this is after... > > > > cd /etc/selinux/targeted/src/policy > > /usr/bin/audit2allow -i < /var/log/audit/audit.log \ > > >> domains/misc/local.te > > > > which resulted in this... > > # cat domains/misc/local.te > > # Local customization of existing policy should be done in this file. > > # If you are creating brand new policy for a new "target" domain, you > > # need to create a type enforcement (.te) file in domains/program > > # and a file context (.fc) file in file_context/program. > > > > allow canna_t usr_t:lnk_file read; > > allow cupsd_config_t unconfined_t:fifo_file write; > > allow cupsd_config_t user_home_t:file read; > > allow cupsd_config_t usr_t:lnk_file read; > > allow cupsd_t home_root_t:dir search; > > allow hald_t usr_t:lnk_file read; > > allow restorecon_t usr_t:lnk_file read; > > allow unlabeled_t fs_t:filesystem associate; > > That last one is particularly suspect; what audit message contained > unlabeled_t? > > > and then... > > # make reload > > # fixfiles -R cups restore > > That shouldn't have been necessary, as you didn't change the > file_contexts again. Only need to relabel upon changing file_contexts, > not policy changes. > > > # service cups restart > > Check those audit messages again for anything new. It may be that it > got further but ran into another denial later on. ---- you guys are awesome - I think it took both yours and Paul's suggestions to make it work. I am writing this up in case anyone travels down my path of self-inflicted wounds. The symlinked directory seemed to cause the problem - the steps I took to fix it are: removed the symlinked directory... # rm /usr/share mounted it via the bind method Paul suggested... # mount --bind /home/share /usr/share create the contexts for the new location per Steven's suggestion # sed -n -e "/\/usr\/share/s/\/usr\/share\//\/home\/share\//p" \ /etc/selinux/targeted/contexts/files/file_contexts \ > /etc/selinux/targeted/contexts/files/file_contexts.local also (not sure that this was necessary) # cd /etc/selinux/targeted/src/policy # /usr/bin/audit2allow -i < /var/log/audit/audit.log \ >> domains/misc/local.te # make reload then fix the contexts for the entire tree... # restorecon -R /usr/share restart cups daemon # service cups restart and I am printing again...Thanks to both of you...you guys are awesome. Craig -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
