Description of problem: Color management on printers is effectively impossible with SELinux enabled. SELinux prevents gs from reading the color profile, so the collor corrections can't be made. SELinux is preventing gs from 'search' accesses on the directory /var/lib/colord. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gs should be allowed search access on the colord directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep gs /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context system_u:object_r:colord_var_lib_t:s0 Target Objects /var/lib/colord [ dir ] Source gs Source Path gs Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages colord-1.2.8-1.fc21.x86_64 Policy RPM selinux-policy-3.13.1-105.3.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.18.7-200.fc21.x86_64 #1 SMP Wed Feb 11 21:53:17 UTC 2015 x86_64 x86_64 Alert Count 4 First Seen 2015-03-06 16:36:48 PST Last Seen 2015-03-07 18:18:23 PST Local ID ac009ab7-2102-45dd-b91e-77723710de94 Raw Audit Messages type=AVC msg=audit(1425781103.345:616): avc: denied { search } for pid=7548 comm="gs" name="colord" dev="dm-5" ino=786446 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=dir permissive=0 Hash: gs,cupsd_t,colord_var_lib_t,dir,search Version-Release number of selected component: selinux-policy-3.13.1-105.3.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 3.18.7-200.fc21.x86_64 type: libreport
And then there's also this: SELinux is preventing gs from open access on the file /var/lib/colord/icc/SPR2880 UPrmLstr SprPhto.icc. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gs should be allowed open access on the SPR2880 UPrmLstr SprPhto.icc file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep gs /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context system_u:object_r:colord_var_lib_t:s0 Target Objects /var/lib/colord/icc/SPR2880 UPrmLstr SprPhto.icc [ file ] Source gs Source Path gs Port <Unknown> Host vernazza.home.bmason.com Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-105.3.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name vernazza.home.bmason.com Platform Linux vernazza.home.bmason.com 3.18.7-200.fc21.x86_64 #1 SMP Wed Feb 11 21:53:17 UTC 2015 x86_64 x86_64 Alert Count 4 First Seen 2015-03-06 17:43:11 PST Last Seen 2015-03-07 15:33:22 PST Local ID d22e5784-d481-47d8-8ec2-4b2ed65d875b Raw Audit Messages type=AVC msg=audit(1425771202.543:3292): avc: denied { open } for pid=7486 comm="gs" path=2F7661722F6C69622F636F6C6F72642F6963632F53505232383830205550726D4C737472205370725068746F2E696363 dev="dm-5" ino=787386 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:colord_var_lib_t:s0 tclass=file permissive=1 Hash: gs,cupsd_t,colord_var_lib_t,file,open
commit e6724781130fe7dd3029cdefee850a7c8ce12a72 Author: Lukas Vrabec <lvrabec> Date: Mon Mar 9 13:10:14 2015 +0100 Allow cups to read colord_var_lib_t files. BZ(1199765)
selinux-policy-3.13.1-105.9.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-105.9.fc21
Package selinux-policy-3.13.1-105.9.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.9.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-4492/selinux-policy-3.13.1-105.9.fc21 then log in and leave karma (feedback).
selinux-policy-3.13.1-105.9.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.