Red Hat Bugzilla – Bug 1504594
SELinux is preventing /usr/libexec/gnome-settings-daemon from 'connectto' accesses on the unix_stream_socket /run/cups/cups.sock.
Last modified: 2018-04-10 08:45:39 EDT
Description of problem: I have no idea how this could relate to CUPS (I was doing nothing about the printing at the moment), but I was connecting to the remote computer via ssh. I have not had key for that computer in my ~/.ssh/known_hosts (or actually, I have remove the previous version of the key). I have no clue how it relates, but I did nothing about CUPS, but was logging via ssh to the other computer on my LAN, where I have not been before (or where I removed previous key from ~/.ssh/known_hosts). SELinux is preventing /usr/libexec/gnome-settings-daemon from 'connectto' accesses on the unix_stream_socket /run/cups/cups.sock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gnome-settings-daemon should be allowed connectto access on the cups.sock unix_stream_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gnome-settings-' --raw | audit2allow -M my-gnomesettings # semodule -i my-gnomesettings.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Objects /run/cups/cups.sock [ unix_stream_socket ] Source gnome-settings- Source Path /usr/libexec/gnome-settings-daemon Port <Unknown> Host (removed) Source RPM Packages gnome-settings-daemon-3.22.2-5.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-174.el7.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.10.0-737.el7.x86_64 #1 SMP Fri Oct 13 11:19:16 EDT 2017 x86_64 x86_64 Alert Count 4 First Seen 2017-10-20 10:26:56 CEST Last Seen 2017-10-20 11:02:36 CEST Local ID 01ba6e2f-e57d-4806-9817-65a83e41dc9f Raw Audit Messages type=AVC msg=audit(1508490156.132:445): avc: denied { connectto } for pid=23628 comm="gnome-settings-" path="/run/cups/cups.sock" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket type=SYSCALL msg=audit(1508490156.132:445): arch=x86_64 syscall=connect success=no exit=EACCES a0=15 a1=a3e578 a2=1a a3=7ffd9c13a7a8 items=0 ppid=23545 pid=23628 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=gnome-settings- exe=/usr/libexec/gnome-settings-daemon subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null) Hash: gnome-settings-,xdm_t,cupsd_t,unix_stream_socket,connectto Version-Release number of selected component: selinux-policy-3.13.1-174.el7.noarch Additional info: reporter: libreport-2.1.11.1 hashmarkername: setroubleshoot kernel: 3.10.0-737.el7.x86_64 reproducible: Not sure how to reproduce the problem type: libreport
This should be allowed. I believe its caused by new version of gnome.
*** Bug 1519764 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0763