Bug 426052

Summary: SELinux is preventing /sbin/modprobe (insmod_t) "sys_nice" to <Unknown> (insmod_t)
Product: [Fedora] Fedora Reporter: Scott Griffin <grifs71>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: low    
Version: 7   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-03 16:04:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
I have attached the SELinux Troubleshoot message. none

Description Scott Griffin 2007-12-18 01:09:46 UTC 
Description of problem:
I am unable to print (regular user) to my HP LaserJet 2100 due to the following
error message:
SELinux is preventing /sbin/modprobe (insmod_t) "sys_nice" to <Unknown> (insmod_t)


Version-Release number of selected component (if applicable):
Fedora7 SELINUX=enforcing SELINUXTYPE=targeted
selinux-policy-2.6.4-61.fc7

How reproducible:
Set SELinux to Enforcing and targeted, try to print using the printer drivers
part of the yum repos downloaded with Fedora 7. SELinux Troubleshoot browser
appears and it will deny any attempts to print. 

Steps to Reproduce:
1. SELinux = Enabled
2. Targeted 
3. Unable to print, access denied.
  
Actual results:
Raw Audit Messages            

avc: denied { sys_nice } for comm="modprobe" egid=0 euid=0 exe="/sbin/modprobe"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=5825
scontext=system_u:system_r:insmod_t:s0 sgid=0 subj=system_u:system_r:insmod_t:s0
suid=0 tclass=capability tcontext=system_u:system_r:insmod_t:s0 tty=(none) uid=0

Expected results:
Should be able to print, I want to leave SELinux enabled and targeted on my
systems or if a Boolean value can be given as a work around maybe?

Additional info: 
Please contact me at grifs71 if you need any further information. 

Thanks,
Scott Griffin
Comment 1 Scott Griffin 2007-12-18 01:09:46 UTC 
Created attachment 289836 [details]
I have attached the SELinux Troubleshoot message.
Comment 2 Scott Griffin 2007-12-18 01:14:07 UTC 
I had seen another error like this one, however I have the latest SELinux-Policy
installed.

I have to set SELinux to permissive to print, and I do not want to lower my
security setting.

Any help would be appreciated.

Thanks
Scott Griffin
Comment 3 Daniel Walsh 2007-12-18 14:20:29 UTC 
This is strange since this has been allowed for quite a while. 

Could you reinstall selinux-policy-2.6.4-61 and make sure you get no errors.

What does the output of 
# sesearch --allow | grep insmod | grep sys_nice
show?

(setools package)
Comment 4 Scott Griffin 2007-12-19 00:42:20 UTC 
I do not have a command 'sesearch' I get an error or do I need to install a package?

Thanks,
Scott
Comment 5 Daniel Walsh 2007-12-19 17:08:14 UTC 
yum install setools
Comment 6 Scott Griffin 2007-12-31 01:28:40 UTC 
I am sorry for the delay I have installed the setools and will be investigating.


Scott Griffin