From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.3) Gecko/20041020 Epiphany/1.4.4

Description of problem:
Fedora's strict SELinux policy does not seem to give lpr and lpq access to the system printer queue. I have a USB printer that was configured automatically by hal-cups-utils and friends. Everything works fine when SELinux is not enforcing its policy. However, when I tell SELinux to start enforcing the strict policy, printing breaks.

lpq causes:
Nov 10 20:51:00 imp kernel: audit(1100141460.498:0): avc: denied { read } for pid=6432 exe=/usr/bin/lpq.cups path=pipe:[22289] dev=pipefs ino=22289 scontext=root:sysadm_r:sysadm_lpr_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 10 20:51:00 imp kernel: audit(1100141460.731:0): avc: denied { connect } for pid=6432 exe=/usr/bin/lpq.cups scontext=root:sysadm_r:sysadm_lpr_t tcontext=root:sysadm_r:sysadm_lpr_t tclass=tcp_socket

lpr causes:
Nov 10 20:52:48 imp kernel: audit(1100141568.526:0): avc: denied { read } for pid=6452 exe=/usr/bin/lpr.cups path=pipe:[22289] dev=pipefs ino=22289 scontext=root:sysadm_r:sysadm_lpr_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 10 20:52:48 imp kernel: audit(1100141568.589:0): avc: denied { connect } for pid=6452 exe=/usr/bin/lpr.cups scontext=root:sysadm_r:sysadm_lpr_t tcontext=root:sysadm_r:sysadm_lpr_t tclass=tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.18.2-2

How reproducible:
Always

Steps to Reproduce:
1. Try to print using lpr with SELinux enforcing Fedora's strict policy.
2. Turn off SELinux and print using lpr.

Actual Results:
1. Fails
2. Works

Additional info:
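The four AVC lines in the report reduce to two distinct denials: sysadm_lpr_t reading a user_su_t fifo, and sysadm_lpr_t connecting a TCP socket of its own type. The script below, written for this page (it is not part of the bug report or of the selinux-policy package), parses those exact lines and aggregates them into allow rules the way audit2allow does, so the reader can see what a policy fix would have to grant. It assumes the kernel audit format shown above, with a user:role:type context (the type is the third colon-separated field, which also holds when an MLS range is appended).

```python
import re

# The four AVC denials quoted in the bug report above (copied from the
# report, not constructed), each on a single line.
AVC_LINES = """\
Nov 10 20:51:00 imp kernel: audit(1100141460.498:0): avc: denied { read } for pid=6432 exe=/usr/bin/lpq.cups path=pipe:[22289] dev=pipefs ino=22289 scontext=root:sysadm_r:sysadm_lpr_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 10 20:51:00 imp kernel: audit(1100141460.731:0): avc: denied { connect } for pid=6432 exe=/usr/bin/lpq.cups scontext=root:sysadm_r:sysadm_lpr_t tcontext=root:sysadm_r:sysadm_lpr_t tclass=tcp_socket
Nov 10 20:52:48 imp kernel: audit(1100141568.526:0): avc: denied { read } for pid=6452 exe=/usr/bin/lpr.cups path=pipe:[22289] dev=pipefs ino=22289 scontext=root:sysadm_r:sysadm_lpr_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 10 20:52:48 imp kernel: audit(1100141568.589:0): avc: denied { connect } for pid=6452 exe=/usr/bin/lpr.cups scontext=root:sysadm_r:sysadm_lpr_t tcontext=root:sysadm_r:sysadm_lpr_t tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")

def parse_avc(line):
    """Return (perms, source type, target type, class) for one AVC denial,
    or None for any other line.  A context is user:role:type[:range], so
    the type is always the third colon-separated component."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return (m.group("perms").split(),
            fields["scontext"].split(":")[2],
            fields["tcontext"].split(":")[2],
            fields["tclass"])

def summarize(text):
    """Collapse denials into unique (stype, ttype, tclass) -> set of perms,
    the same aggregation audit2allow performs before proposing rules."""
    rules = {}
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed is not None:
            perms, stype, ttype, tclass = parsed
            rules.setdefault((stype, ttype, tclass), set()).update(perms)
    return rules

def allow_rules(text):
    """Render the summary as policy-language allow rules, using 'self'
    when source and target types are the same."""
    out = []
    for (stype, ttype, tclass), perms in summarize(text).items():
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LINES)))
```

The fifo rule is the one the thread could not explain (why lpr would touch a user_su_t pipe), which is why the maintainer asked about su before adding only the connect permission.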
Added the connect permission to selinux-policy-targeted-1.19.1-4. Not sure why it wants to talk to the su; what command were you executing? Did you do something with the su command?
I did nothing special with the su command. All I did was type "lpq" and "lpr <file>" at my bash prompt as a non-root user. My assumption is that cups creates a fifo for communication with clients and that this fifo has the context of user_u:user_r:user_su_t. I wonder if this is intentional.
Can you run "ps -eZ | grep user_su_t" and see if cups is running in this context?
Dan
Sorry, I had already done that but didn't mention it here. Cupsd is running with system_u:system_r:cupsd_t. Also of possible interest is cups-config-daemon (system_u:system_r:cupsd_config_t) and eggcups (user_u:user_r:user_t). "ps auxZ | grep su_t" displays nothing, so it does not appear to be a daemon that has this context.
I have tried this with policy-1.19.1-10 and have not been able to reproduce it. Are you still seeing it with the latest policy files?
Dan
I don't see this issue any longer in selinux-policy-strict-1.19.1-11.