Description of problem:
SELinux is preventing hp from 'wake_alarm' accesses on the capability2 Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hp should be allowed wake_alarm access on the Unknown capability2 by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'hp' --raw | audit2allow -M my-hp
# semodule -X 300 -i my-hp.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability2 ]
Source                        hp
Source Path                   hp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-206.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.0-0.rc0.git3.1.fc25.x86_64 #1 SMP Fri Jul 29 15:09:59 UTC 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2016-08-03 18:24:17 CEST
Last Seen                     2016-08-03 18:24:26 CEST
Local ID                      db9f12ae-e6f8-463d-8fcb-eea10d4c5551

Raw Audit Messages
type=AVC msg=audit(1470241466.118:265): avc: denied { wake_alarm } for pid=2515 comm="gutenprint52+us" capability=35 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=capability2 permissive=0

Hash: hp,cupsd_t,cupsd_t,capability2,wake_alarm

Version-Release number of selected component:
selinux-policy-3.13.1-206.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc0.git3.1.fc25.x86_64
type:           libreport

Description of problem:
switch on HP printer

Version-Release number of selected component:
selinux-policy-3.13.1-215.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc7.git0.1.fc25.x86_64
type:           libreport

In which errata was this supposed to be fixed? I updated to 3.13.1-215.fc25 which is the most recent in the F25 channels. But I still get the same AVC.
(In reply to Göran Uddeborg from comment #2) The latest available version is selinux-policy-3.13.1-218.fc25 which was released two days ago and which you should have had already unless you forgot to update or use an outdated mirror. As of selinux-policy-3.13.1-218.fc25, I do not see any alert of type "SELinux is preventing hp from 'wake_alarm' accesses on the capability2 Unknown.". I do actually still see "SELinux is preventing hpfax from using the 'wake_alarm' capabilities." but that relates to bug 1374990, thus, it is "hpfax" and -not- "hp". It is a bad idea to reopen other people's closed bugs without having a clear idea of the present situation. Please recheck for selinux-policy-3.13.1-218.fc25, make sure that the alert was triggered by "hp" and not by "hpfax"; otherwise close the bug, thanks.
I tried an update once more now, and this time dnf did indeed find a -218 release. I don't quite understand why it wasn't found when I checked earlier today. Some kind of caching could be a reason, but if it was released two days ago it seems a bit strange to me. My issue was with "hp", not "hpfax" or any other binary. So I did actually think I had the latest update and the same error, which is why I ventured a reopen. Since I obviously was wrong, I'm closing again.
(In reply to Göran Uddeborg from comment #4) A good place to check for the latest updates is the Fedora Update System at https://bodhi.fedoraproject.org. This allows you to verify whether an update to the package in question is already in the testing stage or scheduled for being released to updates-testing. Unfortunately, you do not mention whether selinux-policy-3.13.1-218.fc25 -does- resolve the issue successfully for you. Testing the latter with a positive result would have been the prerequisite for closing this bug report again as you have done.
I know about Bodhi, but when I'm only interested in released packages there should not be any point in going there. A simple dnf command should give the same information. Besides, normally there is a mention in a bugzilla of which release is supposed to fix the issue, which I found missing here. But since you seemed unhappy I reopened your bug, I wanted to leave it the way I found it. If I can reproduce the problem with the new policy, I can open a separate case.
SELinux is preventing hp from using the 'wake_alarm' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hp should have the wake_alarm capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'hp' --raw | audit2allow -M my-hp
# semodule -X 300 -i my-hp.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability2 ]
Source                        hp
Source Path                   hp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-218.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.8.1-1.fc25.x86_64 #1 SMP Fri Oct 7 14:38:22 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-10-09 20:38:40 CEST
Last Seen                     2016-10-09 20:38:46 CEST
Local ID                      d225dc9f-0669-472c-95e5-312c1a51c6db

Raw Audit Messages
type=AVC msg=audit(1476038326.139:212): avc: denied { wake_alarm } for pid=1938 comm="hpfax" capability=35 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=capability2 permissive=1

Hash: hp,cupsd_t,cupsd_t,capability2,wake_alarm

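The thread turns on whether a denial came from "hp" or "hpfax", yet both alerts list Source "hp" while their raw AVC records carry other comm values. The following added example (not part of the bug report or of setroubleshoot; the function names are illustrative) parses the two raw records quoted on this page, groups them by what policy actually matches on, and prints the rule form a local module for them would contain.

```python
import re

# The two raw AVC records quoted in this thread, copied verbatim.
AVC_RECORDS = [
    'type=AVC msg=audit(1470241466.118:265): avc: denied { wake_alarm } for pid=2515 comm="gutenprint52+us" capability=35 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=capability2 permissive=0',
    'type=AVC msg=audit(1476038326.139:212): avc: denied { wake_alarm } for pid=1938 comm="hpfax" capability=35 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=capability2 permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; the type is what policy rules name.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class, permission)."""
    groups = {}
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec['perms']:
            key = (rec['stype'], rec['ttype'], rec['tclass'], perm)
            g = groups.setdefault(key, {'comms': set(), 'enforced': 0, 'permissive': 0})
            # comm is the kernel task name, capped at 15 characters, so it may be truncated.
            g['comms'].add(rec.get('comm', '?'))
            g['enforced' if rec.get('permissive') == '0' else 'permissive'] += 1
    return groups


def allow_rule(key):
    """Policy rule that would cover one group; it is scoped to the type, not to a comm."""
    stype, ttype, tclass, perm = key
    return f"allow {stype} {'self' if stype == ttype else ttype}:{tclass} {perm};"


if __name__ == '__main__':
    for key, g in summarize(AVC_RECORDS).items():
        print(sorted(g['comms']), g['enforced'], g['permissive'], allow_rule(key))
```

Both records collapse into one group, so a local module built from the "hp" alert grants wake_alarm to every process running as cupsd_t, hpfax included. The permissive field separates the first record, which was actually blocked, from the second, which was only logged.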
Description of problem:
Error encountered when adding network printer whilst testing Fedora 25.

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.3-300.fc25.x86_64
type:           libreport

This bug definitely occurs on up-to-date Fedora 25, with the latest version of selinux-policy:

Installed Packages
Name        : selinux-policy
Arch        : noarch
Epoch       : 0
Version     : 3.13.1
Release     : 220.fc25
Size        : 20 k
Repo        : @System
Summary     : SELinux policy configuration
URL         : http://github.com/TresysTechnology/refpolicy/wiki
License     : GPLv2+
Description : SELinux Base package for SELinux Reference Policy - modular.
            : Based off of reference policy: Checked out revision 2.20091117

Description of problem:
Added a Canon MX 340 printer attached to a Synology DiskStation that was autodiscovered by the Gnome-Settings Printer section. The printer was added and the screen said "Installing printer" (or similar) and then the SELinux violation came up

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.3-300.fc25.x86_64
type:           libreport

Description of problem:
I tried to print from LibreOffice to my HP LaserJet p2055dn. Apparently SELinux prevented it.

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.5-300.fc25.x86_64
type:           libreport

Description of problem:
Scan for printers
Gnome Settings -> Printers -> Unlock -> '+' / Add a New Printer
The system scans for printers, and somewhere wakes an hp process (probably part of hplip or hpijs)

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Description of problem:
I attempted to scan for available printers

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Description of problem:
Trying to wake my Surface Pro 3 by pressing the power button

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.4-301.fc25.x86_64
type:           libreport

Description of problem:
Appeared when I opened Printers Settings and clicked on "Add a Printer" button. I typed some letters to search field.

Version-Release number of selected component:
selinux-policy-3.13.1-222.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport