CentOS - Apr 2007 - Learning SELINUX management, help?

OK, so setup CENTOS-5 on a laptop to learn about Xen stuff.
KDE Desktop, wanted to print the virt.108.com  xen howto.
Needed to setup printer first.
Open KDE control center, go to printers.
Hear error sound, message says

	"Unable to retrieve the printer list....
           Connection to CUPS server failed. ..."

So I check to see that cups is running (it is).
I check /var/log/messages and see:

Apr 19 15:19:52 fox setroubleshoot:      SELinux is preventing 
/usr/sbin/cupsd (cupsd_t) "read write" access to socket:[15083] 
(rpm_var_lib_t).      For complete SELinux messages. run sealert -l 
23689411-4e18-4009-b105-779c58b0503f


So, I run sealert (as indicated) and see the message about cups
(see below for output)

I checked in /usr/share/docs/selinux-policy-2.4.6/html
and find no references (using grub) for "cupsd_disable_trans"
I google on "cupsd_disable_trans" and find no references either.

How do I find out what this boolean object is or does?
Is there a description of it somewhere?
Is it dangerous to just run the command that sealert tells me to run?




[root at fox log]# sealert -l 23689411-4e18-4009-b105-779c58b0503f
Summary
     SELinux is preventing /usr/sbin/cupsd (cupsd_t) "read write"
access to
     socket:[15083] (rpm_var_lib_t).

Detailed Description
     SELinux denied access requested by /usr/sbin/cupsd. It is not 
expected that
     this access is required by /usr/sbin/cupsd and this access may 
signal an
     intrusion attempt. It is also possible that the specific version or
     configuration of the application is causing it to require 
additional access.
     Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi 
against this
     package.

Allowing Access
     Sometimes labeling problems can cause SELinux denials.  You could 
try to
     restore the default system file context for socket:[15083], 
restorecon -v
     socket:[15083]. There is currently no automatic way to allow this 
access.
     Instead, you can generate a local policy module to allow this 
access - see
     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
     disable SELinux protection entirely for the application. Disabling 
SELinux
     protection is not recommended. Please file a
     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
     Changing the "cupsd_disable_trans" boolean to true will disable
SELinux
     protection this application: "setsebool -P
cupsd_disable_trans=1."

     The following command will allow this access:
     setsebool -P cupsd_disable_trans=1

Additional Information

Source Context                system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context                system_u:object_r:rpm_var_lib_t
Target Objects                socket:[15083] [ file ]
Affected RPM Packages         cups-1.2.4-11.5.1.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     fox
Platform                      Linux fox 2.6.18-8.el5xen #1 SMP Thu Mar 15
                               21:02:53 EDT 2007 i686 i686
Alert Count                   1
Line Numbers

Raw Audit Messages

avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0
exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0
name="__db.000"
path="socket:[15083]" pid=5515 
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0



I checked in /usr/share/docs/selinux-policy-2.4.6/html
and find no references (using grub) for "cupsd_disable_trans"

How do I find out what this boolean object is or does?
Is there a description of it somewhere?

> I checked in /usr/share/docs/selinux-policy-2.4.6/html
> and find no references (using grub) for "cupsd_disable_trans"
>
> How do I find out what this boolean object is or does?
> Is there a description of it somewhere?
I think setting <anything>_disable_trans to on/true/1 means your  
disabling selinux for that daemon. Somebody please correct me if I'm  
wrong on this.

On 2007-04-20, Ben Russo <ben at muppethouse.com>
wrote:
>
> I checked in /usr/share/docs/selinux-policy-2.4.6/html
> and find no references (using grub) for "cupsd_disable_trans"
> I google on "cupsd_disable_trans" and find no references either.
All the *_disable_trans booleans means that the service will
no transition from the selinux unconfined domain, to a restricted
selinux domain (in cups's case cupsd_t). So your system will not
be protected from this service if you set the *disable_trans.
>
> How do I find out what this boolean object is or does?
> Is there a description of it somewhere?
> Is it dangerous to just run the command that sealert tells me to run?
I find that the advices sealert gives are quite often bad advice.
They will fix your problem, but you should really evaluate if you're
not opening up too much by following the advice. Here sealert is
suggesting turning off selinux-protection of cups.. 

> avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0
euid=0
> exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0
name="__db.000"
> path="socket:[15083]" pid=5515 
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0
This seems very strange.. All the labels above seems correct to me, but why
would cupsd need to access (/var/lib/rpm/) "__db.000" ?? 



   -jf