Bug 804304

Summary: SELinux is preventing /usr/sbin/cupsd from 'read' accesses on the file /etc/cups/ppd/HP-Officejet-Pro-8500-A910.ppd.
Product: [Fedora] Fedora
Reporter: Stephen Haffly <hafflys>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: dominick.grift, dwalsh, mgrepl
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:1d4c3080ea62504062e91d7eeb113eb65cb8ee929e41ca5665a9d6cf5f116889
Doc Type: Bug Fix
Last Closed: 2012-03-19 14:33:05 UTC

Description Stephen Haffly 2012-03-17 16:18:55 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.9-2.fc16.x86_64
reason:         SELinux is preventing /usr/sbin/cupsd from 'read' accesses on the file /etc/cups/ppd/HP-Officejet-Pro-8500-A910.ppd.
time:           Sat 17 Mar 2012 12:17:08 PM EDT

description:
:SELinux is preventing /usr/sbin/cupsd from 'read' accesses on the file /etc/cups/ppd/HP-Officejet-Pro-8500-A910.ppd.
:
:*****  Plugin restorecon (99.5 confidence) suggests  *************************
:
:If you want to fix the label. 
:/etc/cups/ppd/HP-Officejet-Pro-8500-A910.ppd default label should be cupsd_rw_etc_t.
:Then you can run restorecon.
:Do
:# /sbin/restorecon -v /etc/cups/ppd/HP-Officejet-Pro-8500-A910.ppd
:
:*****  Plugin catchall (1.49 confidence) suggests  ***************************
:
:If you believe that cupsd should be allowed read access on the HP-Officejet-Pro-8500-A910.ppd file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep cupsd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:tmp_t:s0
:Target Objects                /etc/cups/ppd/HP-Officejet-Pro-8500-A910.ppd [
:                              file ]
:Source                        cupsd
:Source Path                   /usr/sbin/cupsd
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           cups-1.5.2-1.fc16.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.2.9-2.fc16.x86_64 #1 SMP Mon
:                              Mar 5 20:55:39 UTC 2012 x86_64 x86_64
:Alert Count                   7
:First Seen                    Sat 17 Mar 2012 08:12:11 AM EDT
:Last Seen                     Sat 17 Mar 2012 12:15:39 PM EDT
:Local ID                      3b298626-f20b-43a7-89f3-5ce67a9639d9
:
:Raw Audit Messages
:type=AVC msg=audit(1332000939.101:128): avc:  denied  { read } for  pid=3759 comm="socket" name="HP-Officejet-Pro-8500-A910.ppd" dev=dm-0 ino=1709110 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1332000939.101:128): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffff0e47e7a a1=0 a2=0 a3=7ffff0e3bb40 items=0 ppid=1275 pid=3759 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=socket exe=/usr/lib/cups/backend/socket subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: cupsd,cupsd_t,tmp_t,file,read
:
:audit2allow
:
:#============= cupsd_t ==============
:allow cupsd_t tmp_t:file read;
:
:audit2allow -R
:
:#============= cupsd_t ==============
:allow cupsd_t tmp_t:file read;
:

Comment 1 Stephen Haffly 2012-03-17 16:31:27 UTC
I have been having trouble with Evince not printing my PDF documents. I decided to start Evince as su (sudo Evince) so I could try it from root access. When I tried to print, the printing failed and this ABRT message popped up. I used the restorecon button first, and then went to the print status window where it was showing the status as "stopped." I restarted the print job, and this time it completed.

I then executed the audit2allow commands.

Following its completion, I started Evince as a normal user and selected the document which failed to print previously. Now the dialog initially read that the printer wasn't connected, but then the status changed and the document printed successfully.

Since Evince printing has been a long-standing problem, this may explain why it has not been working. I will find the proper Evince bug report and cross-reference it to this report.

Comment 2 Stephen Haffly 2012-03-17 17:16:35 UTC
I found the .ppd file for my Samsung ML-2510 printer and executed the restorecon command against it. After I did that, I could also print to it from Evince where it would also inevitably fail before.

The ML-2510 is currently connected to a different computer which is running Linux Mint 12 with XFCE as the DE.

Comment 3 Miroslav Grepl 2012-03-19 14:33:05 UTC
You will need to fix labeling:

$ restorecon -R -v /etc/cups/ppd/HP-Officejet-Pro-8500-A910.ppd
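
The triage behind Comment 3, as an added example that is not part of the original bug thread: it parses the raw AVC record from the description, compares the target type (`tmp_t`) with the default type for the path, and recommends relabeling rather than the `allow cupsd_t tmp_t:file read;` rule, which would let `cupsd_t` read every file labeled `tmp_t`. The `matchpathcon` output line is constructed (only the type `cupsd_rw_etc_t` comes from the report), and the function names are hypothetical.

```python
import re

# Raw AVC record from the report above (one line in audit.log).
AVC = ('type=AVC msg=audit(1332000939.101:128): avc:  denied  { read } for  '
       'pid=3759 comm="socket" name="HP-Officejet-Pro-8500-A910.ppd" dev=dm-0 '
       'ino=1709110 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:tmp_t:s0 tclass=file')
# Constructed sample of `matchpathcon <path>` output; the type is the default
# label setroubleshoot names in the report, user/role/level are assumed.
EXPECTED = ('/etc/cups/ppd/HP-Officejet-Pro-8500-A910.ppd\t'
            'system_u:object_r:cupsd_rw_etc_t:s0')

def se_type(context):
    """Type field of user:role:type:level; the level may itself contain ':'."""
    return context.split(':', 3)[2]

def parse_avc(line):
    """Return the fields of an AVC denial as a dict, or None for other records."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        return None
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    return {'perms': m.group(1).split(), 'name': fields.get('name'),
            'source': se_type(fields['scontext']),
            'target': se_type(fields['tcontext']), 'tclass': fields['tclass']}

def triage(avc_line, matchpathcon_line):
    """Decide between relabeling the file and considering a policy change."""
    d = parse_avc(avc_line)
    if d is None:
        return None
    path, context = matchpathcon_line.split(None, 1)
    expected = se_type(context.strip())
    rule = 'allow %s %s:%s { %s };' % (
        d['source'], d['target'], d['tclass'], ' '.join(d['perms']))
    if d['target'] != expected:
        # Mislabeled object: the rule would open every file of the wrong type.
        return {'action': 'relabel', 'command': 'restorecon -v ' + path,
                'expected': expected, 'found': d['target'], 'rule_avoided': rule}
    # Label is already the policy default, so the denial is about policy itself.
    return {'action': 'review-policy', 'expected': expected,
            'found': d['target'], 'candidate_rule': rule}

if __name__ == '__main__':
    print(triage(AVC, EXPECTED))
```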

Comment 4 Stephen Haffly 2012-03-19 17:49:16 UTC
I already did the restorecon function for my printers. It fixed the problem.

However, my point was that this mislabeling affected two different printers on a fresh Fedora 16 x86_64 installation. That suggests that when SELinux is being set up, the initial labeling is not adequately working for the .ppd files. Else, I would not have seen this happen. Therefore, I still think it is a bug. Since it fixed the problem with printing from Evince as a user, something I had not been able to do previously, I contend that this is an issue that should be checked out, not simply dismissed. That it happened only while printing from Evince is an added complication. Why it would print except from there is a mystery to me.

Prior to my reinstallation, I had experienced the same issue, especially with the Samsung printer. It meant that I usually had to use other means to print .pdf files. If I have experienced it, I don't think my experience is unique. When I install a printer, and particularly if I install the driver from the repositories, the SELinux context for that .ppd file is not something I should have to fix. It should have been taken care of when I installed the driver via yum. Chasing this down and finding out about using the restorecon command is not something that is intuitive. It cost me a significant amount of time and frustration to find that the fix was actually something simple. Thus, I submitted this bug report.

Respectfully,

Stephen

Comment 5 Stephen Haffly 2012-03-20 01:55:38 UTC
P.S. I should add that if I had gotten an ABRT pop-up on this, it would have been much easier to find and fix. However, it was just on a whim that I tried launching Evince from a terminal logged in as root (su -). If I had not done so and seen that Evince would print, I might never have launched Evince from a terminal as a normal user and seen why it was not working.