Description of problem:
The 'hp' CUPS backend needs to use USB device files to do its job.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.23-15

How reproducible:
100%

Steps to Reproduce:
1. setenforce 0
2. Run /usr/lib/cups/backend/hp (with HP multi-function device plugged in)

Actual results:
audit(1143543819.520:190): avc: denied { read write } for pid=27691 comm="hpiod" name="001" dev=tmpfs ino=3990 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143543819.520:191): avc: denied { ioctl } for pid=27691 comm="hpiod" name="001" dev=tmpfs ino=3990 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

(With 'setenforce 1', no device is found.)

Additional info:
This should fix it:

allow hplip_t usb_device_t:chr_file { ioctl read write };
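Added example, not part of the original report or of selinux-policy: a Python sketch of how the two denials above merge into the one allow rule proposed, by grouping on source type, target type and object class. The function names are hypothetical, and the third log line is constructed (not from the report) to show the "self" case.

```python
import re
from collections import defaultdict

# First two lines are the denials quoted in the report; the third is a
# constructed fifo_file denial (not from the report) to exercise "self".
SAMPLE_LOG = """\
audit(1143543819.520:190): avc: denied { read write } for pid=27691 comm="hpiod" name="001" dev=tmpfs ino=3990 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143543819.520:191): avc: denied { ioctl } for pid=27691 comm="hpiod" name="001" dev=tmpfs ino=3990 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(0.000:1): avc: denied { read write } for pid=1 comm="example" scontext=user_u:system_r:hplip_t:s0 tcontext=user_u:system_r:hplip_t:s0 tclass=fifo_file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    fields = context.split(":")
    if len(fields) < 3:
        raise ValueError(f"malformed context: {context!r}")
    return fields[2]

def allow_rules(log_text):
    """Merge AVC denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        source = context_type(m["scon"])
        target = context_type(m["tcon"])
        # Policy language writes "self" when a domain acts on its own type.
        if target == source:
            target = "self"
        merged[(source, target, m["tclass"])].update(m["perms"].split())
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_LOG)))
```

Because the denials were collected with setenforce 0, every access the backend attempted is logged, so each merged rule should be reviewed before it goes into policy.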
Also needs this when running hp-toolbox: allow hplip_t self:fifo_file { read write };
FWIW, this is blocking FC5 updates for hplip and (transitively) CUPS.
Fixed in selinux-policy-2.2.25-3.fc5
Great, works perfectly here. Thanks!
Closing bugs