Description of problem: I was using a Plasma 5.23.5 on Wayland in Fedora 35 KDE Plasma installation. I tried to print a PDF attachment from an email in Thunderbird 91.6.0 on Wayland to an hp printer connected by USB. cupsd was denied writing to a directory faillock repeatedly. The same denials happened when I tried to print the PDF from okular. The PDF didn't print. The printing process remained in the printer queue. The program /usr/lib/cups/backend/gutenprint53+usb crashed when the denials happened. These denials happened each of a few times trying to print. SELinux is preventing cupsd from 'write' accesses on the directory faillock. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that cupsd should be allowed write access on the faillock directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'cupsd' --raw | audit2allow -M my-cupsd # semodule -X 300 -i my-cupsd.pp Additional Information: Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context system_u:object_r:faillog_t:s0 Target Objects faillock [ dir ] Source cupsd Source Path cupsd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-35.15-1.fc35.noarch Local Policy RPM selinux-policy-targeted-35.15-1.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.16.10-200.fc35.x86_64 #1 SMP PREEMPT Wed Feb 16 13:28:00 UTC 2022 x86_64 x86_64 Alert Count 46 First Seen 2022-02-16 18:49:26 EST Last Seen 2022-02-16 18:57:44 EST Local ID ff4a13d1-7c32-458a-beef-b27f061f5da1 Raw Audit Messages type=AVC msg=audit(1645055864.33:570): avc: denied { write } for pid=933 comm="cupsd" name="faillock" dev="tmpfs" ino=1404 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0 Hash: cupsd,cupsd_t,faillog_t,dir,write Version-Release number of selected component: selinux-policy-targeted-35.15-1.fc35.noarch Additional info: component: selinux-policy reporter: libreport-2.15.2 hashmarkername: setroubleshoot kernel: 5.16.10-200.fc35.x86_64 type: libreport
Hi, Would you mind collecting all denials in permissive mode? setenforce 0 -or- semanage permissive -a cupsd_t If possible, with full auditing enabled: 1) Open the /etc/audit/rules.d/audit.rules file in an editor. 2) Remove the following line if it exists: -a task,never 3) Add the following line to the end of the file: -w /etc/shadow -p w 4) Restart the audit daemon: # service auditd restart 5) Re-run your scenario. 6) Collect AVC denials: # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today > The program /usr/lib/cups/backend/gutenprint53+usb crashed If this means coredump, it should probably be also worth reporting bz on the component.
(In reply to Zdenek Pytela from comment #1) > Hi, > > Would you mind collecting all denials in permissive mode? > > setenforce 0 > -or- > semanage permissive -a cupsd_t > > If possible, with full auditing enabled: > > 1) Open the /etc/audit/rules.d/audit.rules file in an editor. > 2) Remove the following line if it exists: > -a task,never > 3) Add the following line to the end of the file: > -w /etc/shadow -p w > 4) Restart the audit daemon: > # service auditd restart > 5) Re-run your scenario. > 6) Collect AVC denials: > # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today > > > The program /usr/lib/cups/backend/gutenprint53+usb crashed > If this means coredump, it should probably be also worth reporting bz on the > component. I ran sudo semanage permissive -a cupsd_t then did the steps to enable full auditing. The denials happened when printing a PDF from okular as a user who isn't in the wheel group. The denials didn't appear with a user in the wheel group. The printing started in a paused state possibly due to the printer errors and gutenprint53+usb crash which I reported at https://bugzilla.redhat.com/show_bug.cgi?id=2055504 SELinux notifications appeared after I unpaused the printer queue using the Plasma Print queue program and was asked for and entered the root password. sudo ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today output denials of creating, add_name, writing, and setattr on /var/run/faillock/ I enabled login failure logging as part of an openSCAP policy remediation script in 2020 which might be where /var/run/faillock is from. type=PROCTITLE msg=audit(2022-02-17 10:43:17.688:1412) : proctitle=/usr/sbin/cupsd -l type=PATH msg=audit(2022-02-17 10:43:17.688:1412) : item=1 name=/var/run/faillock/root inode=1966 dev=00:1a mode=file,640 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:faillog_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(2022-02-17 10:43:17.688:1412) : item=0 name=/var/run/faillock/ inode=1516 dev=00:1a mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:faillog_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(2022-02-17 10:43:17.688:1412) : cwd=/ type=SYSCALL msg=audit(2022-02-17 10:43:17.688:1412) : arch=x86_64 syscall=openat success=yes exit=18 a0=AT_FDCWD a1=0x55763fd5e8a0 a2=O_RDWR|O_CREAT a3=0x1b0 items=2 ppid=1 pid=948 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=logins type=AVC msg=audit(2022-02-17 10:43:17.688:1412) : avc: denied { create } for pid=948 comm=cupsd name=root scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1 type=AVC msg=audit(2022-02-17 10:43:17.688:1412) : avc: denied { add_name } for pid=948 comm=cupsd name=root scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 type=AVC msg=audit(2022-02-17 10:43:17.688:1412) : avc: denied { write } for pid=948 comm=cupsd name=faillock dev="tmpfs" ino=1516 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=1 ---- type=PROCTITLE msg=audit(2022-02-17 10:43:17.688:1413) : proctitle=/usr/sbin/cupsd -l type=PATH msg=audit(2022-02-17 10:43:17.688:1413) : item=0 name=(null) inode=1966 dev=00:1a mode=file,640 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:faillog_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(2022-02-17 10:43:17.688:1413) : cwd=/ type=SYSCALL msg=audit(2022-02-17 10:43:17.688:1413) : arch=x86_64 syscall=fchmod success=yes exit=0 a0=0x12 a1=0660 a2=0x7ffd4489b7d0 a3=0x1000 items=1 ppid=1 pid=948 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=logins type=AVC msg=audit(2022-02-17 10:43:17.688:1413) : avc: denied { setattr } for pid=948 comm=cupsd name=root dev="tmpfs" ino=1966 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=file permissive=1
I was interested to know about it and it's really helpful. I will also leave a link to an equally useful resource that I can recommend to you. I always read articles like this https://goodmenproject.com/learning/best-services-to-hire-an-essay-writer-in-2021/ when it comes to choosing a writing service.
This message is a reminder that Fedora Linux 35 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '35'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 35 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Fedora Linux 35 entered end-of-life (EOL) status on 2022-12-13. Fedora Linux 35 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora Linux please feel free to reopen this bug against that version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see the version field. If you are unable to reopen this bug, please file a new report against an active release. Thank you for reporting this bug and we are sorry it could not be fixed.
I have a problem with a cupsd on my Fedora 18 server. I have SELinux enabled and the cupsd is working fine. However, I cannot print to a local printer. I have tried to change permissions on the /var/spool/cups directory and /var/spool/lpd directory with no luck. When I look at /var/log/cups it says that cupsd is trying to open a file named fail lock but SELinux denies it access because it doesn't have the type(write) access. Since I find this really tough to do by my own I would like to hire a writer from online source but first I will visit https://essayreviewexpert.com/review/papersowl/ website to read Papersowl reviews because one of my friends has already got his programming assignments done timely through this source.