Description of problem:
During the creation of a new printer an "avc: denied" message is spawned to "audit.log". When I first tried, the "SELinux Alert" applet popped up but I unintentionally closed it immediately without taking a screenshot. Upon a 2nd trial, there is another message of this type in "audit.log", but the applet does not show up anymore. The 2nd (identical) entry reads:

type=AVC msg=audit(1157897864.063:325): avc: denied { ioctl } for pid=24886 comm="serial" name="ttyS0" dev=tmpfs ino=781 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.3-22

How reproducible:
Always

Steps to Reproduce:
1. Create a new printer.
2. Check "audit.log"

Actual results:
New "avc: denied" entry in "audit.log".

Expected results:
No "avc: denied" entry in "audit.log".

Additional info:
The full "audit.log" file is attached below. Beware, a couple of other "avc: denied" entries are lurking there...
Created attachment 135930 [details] Current "audit.log" file with "avc: denied" entries
Does cups seem to be working correctly? Looks like the policy should currently dontaudit this. But I am not sure how cupsd handles serial printers. The other AVC messages seem to involve xdm/XServer leaking some file descriptors, setroubleshoot is fixed in Rawhide.
Printing works for me, probably because "SELinux" is running in "permissive" mode here. I haven't checked for "enforcing" mode yet. Btw, I do not have any serial printer attached. It's an "HP LaserJet 4100" network printer which is controlled through the "JetDirect" interface.
For serial printers CUPS runs the 'serial' backend (/usr/lib/cups/backend/serial). The general process seems to be:

  device_fd = open(resource, O_RDWR | O_NOCTTY | O_EXCL | O_NDELAY);
  tcgetattr(device_fd, &origopts);
  tcgetattr(device_fd, &opts);
  ...
  cfsetispeed(&opts, atoi(value));
  cfsetospeed(&opts, atoi(value));
  tcsetattr(device_fd, TCSANOW, &opts);
  fcntl(device_fd, F_SETFL, 0);
  if (FD_ISSET(device_fd, &input)) {
    if ((bc_bytes = read(device_fd, bc_buffer, sizeof(bc_buffer))) > 0)
      ...
  }
  ioctl(device_fd, TIOCMGET, &status);   /* until DSR set */
  write(device_fd, print_ptr, print_bytes);
  tcsetattr(device_fd, TCSADRAIN, &origopts);
  close(device_fd);

Full source in cups-1.2.3/backend/serial.c.
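The denial in the report is the serial backend's TIOCMGET ioctl on /dev/ttyS0 hitting cupsd_t with no dontaudit rule. As an added example (not part of the bug thread or of the CUPS/selinux-policy sources), this parses an AVC record into its fields, filters denials by source domain, and emits the dontaudit rule audit2allow -D would propose; the sample record is a copy of the one quoted in the report.

```python
import re

# Constructed sample: the AVC record quoted in the report, copied verbatim.
SAMPLE_AVC = ('type=AVC msg=audit(1157897864.063:325): avc: denied { ioctl } for pid=24886 '
              'comm="serial" name="ttyS0" dev=tmpfs ino=781 '
              'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 '
              'tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file')

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'result', 'perms', <key>: <value>...} for an AVC line, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def dontaudit_rule(rec):
    """Policy rule that silences (without allowing) this exact denial."""
    return 'dontaudit %s %s:%s { %s };' % (
        context_type(rec['scontext']), context_type(rec['tcontext']),
        rec['tclass'], ' '.join(rec['perms']))


def denials_for_domain(lines, domain):
    """Parsed AVC denials whose source domain type equals `domain`, in log order."""
    found = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and context_type(rec['scontext']) == domain:
            found.append(rec)
    return found


if __name__ == '__main__':
    for rec in denials_for_domain([SAMPLE_AVC, 'type=SYSCALL msg=audit(1:2): arch=c000003e'], 'cupsd_t'):
        print(rec['comm'], rec['name'], '->', dontaudit_rule(rec))
```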
Fixed in selinux-policy-2.3.14-3
Adding to beta blocker since meets criteria and is already fixed.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering. This request is not yet committed for inclusion in release.