SELinux context for CUPS reverting

After adding a printer to CUPS via the web interface, I look at the /etc/cups/printers.conf file but don't see my new printer, nor do I see a new timestamp.

My /var/log/cups/error_log has the following:

E [14/Nov/2013:15:41:42 -0500] Unable to backup printers.conf - Permission denied
E [14/Nov/2013:15:41:42 -0500] Unable to save printers.conf - Permission denied
E [14/Nov/2013:15:41:42 -0500] Unable to restore printers.conf - Permission denied

After consulting "https://bugzilla.redhat.com/show_bug.cgi?id=421201", I restore the contexts and am able to add printers to /etc/cups/printers.conf:

[root@cupsserver ~]# restorecon -R -v /etc/cups
restorecon reset /etc/cups/printers.conf.tmp context unconfined_u:object_r:cupsd_etc_t:s0->unconfined_u:object_r:cupsd_rw_etc_t:s0
restorecon reset /etc/cups/cupsd.conf.20131105 context unconfined_u:object_r:cupsd_etc_t:s0->unconfined_u:object_r:cupsd_rw_etc_t:s0
restorecon reset /etc/cups/printers.conf.2013-11-12-15-04-36 context unconfined_u:object_r:cupsd_etc_t:s0->unconfined_u:object_r:cupsd_rw_etc_t:s0
restorecon reset /etc/cups/printers.conf context unconfined_u:object_r:cupsd_etc_t:s0->unconfined_u:object_r:cupsd_rw_etc_t:s0
[root@cupserver ~]#

I also check out /var/log/audit/audit.log:

type=AVC msg=audit(1384445427.846:27744): avc: denied { read } for pid=11124 comm="cups-driverd" name="Kyocera_FS-4020DN.PPD" dev=dm-0 ino=41324 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1384445427.846:27744): arch=c000003e syscall=2 success=no exit=-13 a0=7fff345c1cb0 a1=0 a2=0 a3=7fff345bfb70 items=0 ppid=10795 pid=11124 auid=567 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=327 comm="cups-driverd" exe="/usr/lib/cups/daemon/cups-driverd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1384445427.846:27745): avc: denied { read } for pid=11124 comm="cups-driverd" name="Kyocera_FS-2020D.PPD" dev=dm-0 ino=41322 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1384445427.846:27745): arch=c000003e syscall=2 success=no exit=-13 a0=7fff345c1cb0 a1=0 a2=0 a3=7fff345bfb70 items=0 ppid=10795 pid=11124 auid=567 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=327 comm="cups-driverd" exe="/usr/lib/cups/daemon/cups-driverd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

type=AVC msg=audit(1384445427.846:27746): avc: denied { read } for pid=11124 comm="cups-driverd" name="Kyocera_FS-3920DN.PPD" dev=dm-0 ino=41323 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

However, after a few minutes, I find that I have the same problem where my new printers are not getting included in /etc/cups/printers.conf, and I must run "restorecon -R -v /etc/cups" again.

What could be causing my contexts to revert from unconfined_u:object_r:cupsd_etc_t:s0 to unconfined_u:object_r:cupsd_rw_etc_t:s0?
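
For triaging an audit.log excerpt like the one in the post above, this added example (not part of the original post) groups AVC denials by process, source type, target type, class and permission, and lists the affected file names. The sample input is the three AVC records and one SYSCALL record quoted in the post; the function names are illustrative.

```python
import re
from collections import defaultdict

# Records copied from the audit.log excerpt quoted in the post.
SAMPLE = '''\
type=AVC msg=audit(1384445427.846:27744): avc: denied { read } for pid=11124 comm="cups-driverd" name="Kyocera_FS-4020DN.PPD" dev=dm-0 ino=41324 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1384445427.846:27744): arch=c000003e syscall=2 success=no exit=-13 a0=7fff345c1cb0 a1=0 a2=0 a3=7fff345bfb70 items=0 ppid=10795 pid=11124 auid=567 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=327 comm="cups-driverd" exe="/usr/lib/cups/daemon/cups-driverd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1384445427.846:27745): avc: denied { read } for pid=11124 comm="cups-driverd" name="Kyocera_FS-2020D.PPD" dev=dm-0 ino=41322 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1384445427.846:27746): avc: denied { read } for pid=11124 comm="cups-driverd" name="Kyocera_FS-3920DN.PPD" dev=dm-0 ino=41323 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    if not line.startswith('type=AVC'):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields['perms'] = m.group(1).split()
    # A context is user:role:type:level; the type is always the third field,
    # even when the level itself contains ':' (as in s0-s0:c0.c1023).
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def summarize(log_text):
    """Map (comm, source type, target type, class, perms) -> sorted names."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line.strip())
        if rec:
            key = (rec['comm'], rec['stype'], rec['ttype'],
                   rec['tclass'], ' '.join(rec['perms']))
            groups[key].add(rec.get('name', '?'))
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == '__main__':
    for (comm, st, tt, cls, perms), names in summarize(SAMPLE).items():
        print(f'{comm}: {st} denied {{ {perms} }} on {tt}:{cls}')
        for n in names:
            print('   ', n)
```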

Responses