| Summary: | SELinux is preventing /usr/lib/cups/daemon/cups-deviced from 'open' accesses on the file rastertosamsungspl. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Bob Gustafson <bobgus> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:9b9616ad91d0fc99f24d8ec33b611cb8c9e0942c2a846acdd2fe8b1e65774472 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-07 08:10:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
I am just working through the installation of the printing capability for a Samsung ML-1865W printer. The Samsung universal driver was downloaded from the Samsung website and installed in accordance with some instructions found in the downloaded Samsung User Manual (1.04). Clearly the instructions do not anticipate a host machine with Selinux. Hopefully the commands given in the Selinux exception dialog will do the trick. Thanks guys for a Selinux system and the tools to manipulate it. Hmmm.. The Selinux exception occurred again, asking me to again do: allow this access for now by executing: grep cupsd /var/log/audit/audit.log | audit2allow -M mypol semodule -i mypol.pp ------ Perhaps there is an additional step before this policy is enabled? I believe you just need to execute the restorecon command on "rastertosamsungspl". # restorecon -R -v PATHO/rastertosamsungspl Ta ta - a Test Page commeth. Thanks much |
SELinux is preventing /usr/lib/cups/daemon/cups-deviced from 'open' accesses on the file rastertosamsungspl. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that cups-deviced should be allowed open access on the rastertosamsungspl file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep cups-deviced /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:user_home_t:s0 Target Objects rastertosamsungspl [ file ] Source cups-deviced Source Path /usr/lib/cups/daemon/cups-deviced Port <Unknown> Host (removed) Source RPM Packages cups-1.4.8-5.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-44.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.40.6-0.fc15.x86_64 #1 SMP Tue Oct 4 00:39:50 UTC 2011 x86_64 x86_64 Alert Count 9 First Seen Tue 06 Dec 2011 05:53:58 PM CST Last Seen Tue 06 Dec 2011 05:58:06 PM CST Local ID b7a8aa93-e566-4691-b122-cac27ed48c92 Raw Audit Messages type=AVC msg=audit(1323215886.413:6019): avc: denied { open } for pid=29310 comm="cupsd" name="rastertosamsungspl" dev=dm-0 ino=21126956 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file type=SYSCALL msg=audit(1323215886.413:6019): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff40d93590 a1=7f03cbf220e0 a2=7fff40d92c10 a3=7fff40d92700 items=0 ppid=23576 pid=29310 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) Hash: cups-deviced,cupsd_t,user_home_t,file,open audit2allow #============= cupsd_t ============== #!!!! This avc is allowed in the current policy allow cupsd_t user_home_t:file open; audit2allow -R #============= cupsd_t ============== #!!!! This avc is allowed in the current policy allow cupsd_t user_home_t:file open;