Bug 573461

Summary: SELinux is preventing /lib/udev/udev-configure-printer "read write" access to device 016.
Product: [Fedora] Fedora
Reporter: Florian Fischer <findingharrylime>
Component: udev
Assignee: Harald Hoyer <harald>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: dwalsh, findingharrylime, harald, jonathan, mgrepl, twaugh
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:83eddde5296f860af34fdfc9837d7342da01faf2d5f69ffd4cba786850618006
Doc Type: Bug Fix
Last Closed: 2010-03-16 20:17:14 UTC

Description Florian Fischer 2010-03-14 22:35:56 UTC
Summary:

SELinux is preventing /lib/udev/udev-configure-printer "read write" access to
device 016.

Detailed Description:

[udev-configure- has a permissive type (cupsd_config_t). This access was not
denied.]

SELinux has denied udev-configure- "read write" access to device 016. 016 is
mislabeled, this device has the default label of the /dev directory, which
should not happen. All Character and/or Block Devices should have a label. You
can attempt to change the label of the file using restorecon -v '016'. If this
device remains labeled device_t, then this is a bug in SELinux policy. Please
file a bug report. If you look at the other similar devices labels, ls -lZ
/dev/SIMILAR, and find a type that would work for 016, you can use chcon -t
SIMILAR_TYPE '016', If this fixes the problem, you can make this permanent by
executing semanage fcontext -a -t SIMILAR_TYPE '016' If the restorecon changes
the context, this indicates that the application that created the device,
created it without using SELinux APIs. If you can figure out which application
created the device, please file a bug report against this application.

Allowing Access:

Attempt restorecon -v '016' or chcon -t SIMILAR_TYPE '016'

Additional Information:

Source Context                system_u:system_r:cupsd_config_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                016 [ chr_file ]
Source                        udev-configure-
Source Path                   /lib/udev/udev-configure-printer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           system-config-printer-udev-1.1.16-13.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-99.fc12
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.9-67.fc12.x86_64 #1 SMP Sat Feb 27 09:26:40
                              UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 13 Mar 2010 17:07:55 CET
Last Seen                     Sat 13 Mar 2010 17:07:55 CET
Local ID                      7d80c3b4-7594-4abe-846f-c9a89d94b1eb
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1268496475.819:33605): avc:  denied  { read write } for  pid=4500 comm="udev-configure-" name="016" dev=devtmpfs ino=50908 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1268496475.819:33605): arch=c000003e syscall=2 success=yes exit=4294967424 a0=7fff1ee400f0 a1=2 a2=7fff1ee40104 a3=fffffffd items=0 ppid=1 pid=4500 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udev-configure-" exe="/lib/udev/udev-configure-printer" subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  device,udev-configure-,cupsd_config_t,device_t,chr_file,read,write
audit2allow suggests:

#============= cupsd_config_t ==============
allow cupsd_config_t device_t:chr_file { read write };
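
An added triage example, not part of the original report or of setroubleshoot: it parses the AVC record quoted above together with an abbreviated copy of its SYSCALL record, and flags a device node that still carries the default `device_t` label, so that it is handled as a labeling problem rather than with the suggested allow rule. The function names and the `action` strings are assumptions made for this illustration.

```python
import re

# AVC record copied from the report above; SYSCALL record abbreviated from it.
AVC = ('node=(removed) type=AVC msg=audit(1268496475.819:33605): avc:  denied  '
       '{ read write } for  pid=4500 comm="udev-configure-" name="016" '
       'dev=devtmpfs ino=50908 '
       'scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:device_t:s0 tclass=chr_file')
SYSCALL = ('node=(removed) type=SYSCALL msg=audit(1268496475.819:33605): '
           'arch=c000003e syscall=2 success=yes exit=4294967424 pid=4500 '
           'comm="udev-configure-" exe="/lib/udev/udev-configure-printer"')

EVENT_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DEVICE_CLASSES = {'chr_file', 'blk_file'}

def parse(line):
    """Turn one audit line into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['type'], rec['event'] = EVENT_RE.search(line).groups()
    perms = PERMS_RE.search(line)
    rec['perms'] = perms.group(1).split() if perms else []
    return rec

def triage(lines):
    """Pair each AVC with the SYSCALL of the same event id and classify it."""
    recs = [parse(line) for line in lines]
    syscalls = {r['event']: r for r in recs if r['type'] == 'SYSCALL'}
    findings = []
    for r in recs:
        if r['type'] != 'AVC':
            continue
        target_type = r['tcontext'].split(':')[2]
        # device_t is the default label of /dev; on a device node it means
        # the node was never given its own type.
        mislabeled = target_type == 'device_t' and r['tclass'] in DEVICE_CLASSES
        findings.append({
            'event': r['event'],
            'source_type': r['scontext'].split(':')[2],
            'target': r['name'], 'target_type': target_type,
            'perms': r['perms'], 'mislabeled_device': mislabeled,
            # AVC logged but the syscall succeeded: the access was not blocked.
            'not_enforced': syscalls.get(r['event'], {}).get('success') == 'yes',
            'action': 'relabel device' if mislabeled else 'review policy',
        })
    return findings

if __name__ == '__main__':
    for finding in triage([AVC, SYSCALL]):
        print(finding)
```
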

Comment 1 Daniel Walsh 2010-03-16 14:11:15 UTC
This looks like udev did not label this device correctly.

I would figure this is a USB device.

Could you make sure your machine is labelled correctly:

fixfiles restore

Were you using system-config-printer when this happened?

Comment 2 Florian Fischer 2010-03-16 14:32:31 UTC
Ok I just relabeled the system. Still have to see if that helped.
Yes this is a printer connected via USB (Canon ip4700)
I was not using system-config-printer - at least not to my knowledge (just trying to print a page). In fact, printing did work after I dealt with the SELinux message. But it just keeps popping up every time I try to print something.

Comment 3 Daniel Walsh 2010-03-16 16:40:22 UTC
The kernel is not giving us a path. 

Could you execute 

find /dev -name 016 -printf "%p %Z\n"

Comment 4 Florian Fischer 2010-03-16 16:56:51 UTC
Ok I just did but that device does not seem to exist.
It just doesn't output anything at all.

Comment 5 Florian Fischer 2010-03-16 17:04:34 UTC
I just printed a couple of pages from within various applications with no problems at all. Maybe relabeling did the trick.

Comment 6 Tim Waugh 2010-03-16 17:08:25 UTC
udev-configure-printer is run when a printer is connected or disconnected.  It's not to do with printing anything.

Comment 7 Florian Fischer 2010-03-16 17:12:52 UTC
Hmm ok, I'm using the printer on a laptop so it's only connected when I have print jobs to do. So far without problems.

Comment 8 Tim Waugh 2010-03-16 17:17:55 UTC
So to be sure, disconnect it, and then reconnect it.

Comment 9 Florian Fischer 2010-03-16 17:20:52 UTC
"Works" just fine. I guess this can be closed.