Bug 378671
|
Description
Michael Appleyard
2007-11-12 20:16:15 UTC
Created attachment 255721 [details]
Output from SETroubleshooter
This is the original Bugzilla report that helped me get it working: https://bugzilla.redhat.com/show_bug.cgi?id=214189 Fixed in selinux-policy-3.0.8-54.fc8 Created attachment 266401 [details]
SELinux is preventing mfp (cupsd_t) "create" to <Unknown> (cupsd_t).
Hi, I just received an update from selinux-policy-3.0.8-53.fc8 to selinux-policy-3.0.8-56.fc8 and I still cannot print, I've attached the output from SETroubleshoot. Could you put the machine in permissive mode and then run the print job. Then collect all of the avc messages and attach. Created attachment 279581 [details]
SELinux is preventing modprobe (cupsd_t) "getattr" to /lib/modules/2.6.23.1-49.fc8/kernel/drivers/char/lp.ko (modules_object_t).
Created attachment 279591 [details]
SELinux is preventing modprobe (cupsd_t) "lock" to /lib/modules/2.6.23.1-49.fc8/kernel/drivers/parport/parport.ko (modules_object_t).
Created attachment 279601 [details]
SELinux is preventing sh (cupsd_t) "read" to <Unknown> (insmod_exec_t).
Created attachment 279611 [details]
SELinux is preventing /sbin/modprobe (cupsd_t) "read" to <Unknown> (modules_object_t).
Created attachment 279621 [details]
SELinux is preventing modprobe (cupsd_t) "read" to <Unknown> (modules_dep_t).
Created attachment 279631 [details]
SELinux is preventing /sbin/rmmod (cupsd_t) "sys_nice" to <Unknown> (cupsd_t).
Created attachment 279641 [details]
SELinux is preventing mfp (cupsd_t) "sys_rawio" to <Unknown> (cupsd_t).
Created attachment 279651 [details]
SELinux is preventing /sbin/modprobe (cupsd_t) "write" to <Unknown> (modules_object_t).
Created attachment 279811 [details]
Policy module that should allow this to work.
Ok this looks like cups is loading a kernel module in order to print the job.
In order to compile and install this, You need to do the following
Extract attachment to a directory
# yum -y install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mycups.pp
Try to print again.
Hi, I did that and it went fine, rebooted, but it still will not let me print. So I rebooted into passive mode, and only get one message, another instance of: https://bugzilla.redhat.com/attachment.cgi?id=279641 Ok I can add sys_rawio. You can add it yourself by executing # grep sys_raw /var/log/audit/audit.log | audit2allow >> mycups.te # make -f /usr/share/selinux/devel/Makefile # semodule -i mycups.pp Tim is there any reason for this tool to be loading kernel modules rather then just doing it in an init script. I really would prefer not to allow cups to modify the kernel. Created attachment 280191 [details]
mycups.te:5:ERROR 'syntax error' at token 'allow' on line 1014: allow cupsd_t self:capability sys_rawio;
It seems to fail at the make stage:
[root@lambert ~]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted mycups module
/usr/bin/checkmodule: loading policy configuration from tmp/mycups.tmp
mycups.te:5:ERROR 'syntax error' at token 'allow' on line 1014:
allow cupsd_t self:capability sys_rawio;
#============= cupsd_t ==============
/usr/bin/checkmodule: error(s) encountered while parsing configuration
make: *** [tmp/mycups.mod] Error 1
I've attached tmp/mycups.tmp, in case you need it.
Thanks for all your help by the way.
That is strange. If you just do # grep sys_raw /var/log/audit/audit.log | audit2allow -M mycups1 # semodule -i mycupsi.pp Does that work? Please attach the mycups.te YES! That fixed it, thanks so much. Here's mycups.te anyway: #============= cupsd_t ============== allow cupsd_t self:capability sys_rawio; #============= cupsd_t ============== allow cupsd_t self:capability sys_rawio; Fixed in selinux-policy-3.0.8-68 Bulk closing all bugs in Fedora updates in the modified state. If you bug is not fixed, please reopen. |