Bug 509686

Summary: SELinux prevents installation of Samsung CLX3170-FN Printer filters using Samsung Unified Linux Driver installer
Product: [Fedora] Fedora Reporter: Tim Butterworth <tim.m.butterworth>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 11CC: dwalsh, jkubin, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-08-21 21:39:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Tim Butterworth 2009-07-05 04:26:21 UTC 
Summary
SE Linux is not allowing Samsung CLX-3170-FN Unified Linux Driver installer to install the CUPS filter .

Reproduction
Download and install Samsung Unified Linux Driver for CLX-3170FN
http://www.samsung.com/us/support/download/supportDown.do?group=&type=&subtype=&model_nm=CLX-3170FN&language=&cate_type=all&dType=D&mType=DR&vType=&prd_ia_cd=06010100&disp_nm=CLX-3170FN&model_cd=&menu=download
setroubleshoot browser Information

Summary:

SELinux is preventing the cupsd from using potentially mislabeled files
(rastertosamsungsplc).

Detailed Description:

SELinux has denied cupsd access to potentially mislabeled file(s)
(rastertosamsungsplc). This means that SELinux will not allow cupsd to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want cupsd to access this files, you need to relabel them using
restorecon -v 'rastertosamsungsplc'. You might want to relabel the entire
directory using restorecon -R -v ''.

Additional Information:

Source Context                unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                rastertosamsungsplc [ file ]
Source                        cupsd
Source Path                   /usr/sbin/cupsd
Port                          <Unknown>
Host                          server.example.com
Source RPM Packages           cups-1.4-0.b2.18.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-53.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     server.example.com
Platform                      Linux server.example.com 2.6.29.5-191.fc11.x86_64
                              #1 SMP Tue Jun 16 23:23:21 EDT 2009 x86_64 x86_64
Alert Count                   3
First Seen                    Sun 05 Jul 2009 12:44:23 PM KST
Last Seen                     Sun 05 Jul 2009 12:44:25 PM KST
Local ID                      e29e362e-28f8-467d-84bf-9af1388a189d
Line Numbers                  

Raw Audit Messages            

node=server.example.com type=AVC msg=audit(1246765465.342:34): avc:  denied  { execute } for  pid=5215 comm="cupsd" name="rastertosamsungsplc" dev=dm-0 ino=236029 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=server.example.com type=SYSCALL msg=audit(1246765465.342:34): arch=c000003e syscall=21 success=no exit=-13 a0=7fffe7f99050 a1=1 a2=7fffe7f9907a a3=ffffffed items=0 ppid=1 pid=5215 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd" exe="/usr/sbin/cupsd" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-07-06 18:29:59 UTC 
Where is rastertosamsungsplc installed?  This is a mislabeled file.  It has the label of a users homedir on it.  You need to find these files and run restorecon on them.

restorecon -R -v /usr

Might fix the problem.