Description of problem:
With selinux set to enforcing, the printer will not print. With selinux set to permissive, the printer has no problems.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-46.fc6
selinux-policy-targeted-2.4.6-46.fc6

How reproducible:
Problem occurs every time selinux is set to enforcing.

Steps to Reproduce:
1. set selinux to enforcing
2. submit job to printer

Actual results:
Printer does not print.

Expected results:
Get output from printer.

Additional info:
The following error is logged to /var/log/cups/error_log every second until selinux is set to permissive and the job prints:
E [30/Mar/2007:10:54:54 -0500] [Job 68] Unable to reserve port: Permission denied
There are no selinux error messages entered in the /var/log/messages file. The printer is attached to an Ethernet print server and is installed using cups with an lpd connection.
Seen here too.
Are there AVC messages in /var/log/audit/audit.log?
In mine: no, it's odd. I can't see any "avc: denied" messages pertaining to the printing subsystem. Nor do I get any "SELinux problem" alerts from the troubleshooter application (except for "SELinux is preventing the /usr/bin/python from using potentially mislabeled files (.hplip.conf).", but I'm not using an HP printer).
I don't have selinux set up to log errors to /var/log/audit/audit.log. All avc messages go to /var/log/messages. No errors are entered in this file when trying to print.
You can turn off the dontaudit rules with the following command:
semodule -b /usr/share/selinux/targeted/enableaudit.pp
See if the kernel reports any avc messages now. Any idea which port it is trying to communicate with? Then turn them back on with this command:
semodule -b /usr/share/selinux/targeted/base.pp
avc: denied { name_bind } for comm="lpd" egid=7 euid=0 exe="/usr/lib/cups/backend/lpd" exit=-13 fsgid=7 fsuid=0 gid=7 items=0 pid=14912 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 src=993 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=tcp_socket tcontext=system_u:object_r:pop_port_t:s0 tty=(none) uid=0
Tim does this make sense to you? Do you know if cups/lpd does a bindresvport?
This is the avc message I get after turning off dontaudit rules:
Apr 2 16:00:13 cm kernel: audit(1175547613.491:60): avc: denied { name_bind } for pid=8204 comm="lpd" src=1016 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
The CUPS lpd backend (for sending a job to an LPR server) does a regular bind(). It's actually after a privileged port between 721 and 731 (this is from RFC 1179):

   3.1 Message formats
   LPR is a TCP-based protocol. The port on which a line printer daemon listens is 515. The source port must be in the range 721 to 731, inclusive.

The way the CUPS lpd backend tries to do this is by trying bind() for port 731, retrying with a lower port number until it gets to 721, then starting back at 731. Should it be using bindresvport() instead?
The strange part above is that the avc's are reporting that cupsd tried to bind to ports 993 and 1016. I can give it the policy that allows cups to bind to ports between 600-1023 which is what we usually give for bindresvport.
The 'strict' 721-731 requirement is an option in the lpd backend. If it is not set to strict RFC 1179 compliance it will try any port between 512 and 1023. Also when it is not running as root it will just take any port (but we run the lpd backend as root). So giving it policy to allow it to bind to ports between 600 and 1023 would be fine.
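The dontaudit procedure from the comment above (enableaudit.pp, reproduce, base.pp) and the port-range reasoning of the last three comments, worked through as an added example. This script is not from the bug, from CUPS or from selinux-policy; the two AVC lines are the ones posted in this thread (the first trimmed to its relevant fields), while the module name cups_lpd_local, the `semanage`/`checkmodule` usage notes and the assumption that ports 721-731 carry hi_reserved_port_t (as port 1016 does in the AVC above) are mine. The local module it writes is an illustration in audit2allow style, not the fix that shipped in selinux-policy-2.4.6-52.

```shell
#!/bin/sh
# Added example: surface dontaudit'ed denials, read the AVC fields that matter
# for a bind() denial, and classify the source port against the ranges the
# thread discusses. Paths and the module name are assumptions.
set -eu

TARGETED=/usr/share/selinux/targeted   # path used in the thread

# Step 1 (root): load the base module variant without dontaudit rules, so
# denials that are normally silenced get logged.
enable_audit_all() { semodule -b "$TARGETED/enableaudit.pp"; }

# Step 3 (root): put the normal base module back.
restore_base() { semodule -b "$TARGETED/base.pp"; }

# Step 2: submit a job, then pull lpd-backend denials from whichever log the
# AVCs land in (audit.log when auditd runs, /var/log/messages otherwise).
collect_lpd_avcs() {
    for f in /var/log/audit/audit.log /var/log/messages; do
        [ -r "$f" ] || continue
        grep 'avc: *denied' "$f" | grep 'comm="lpd"' || true
    done
}

# Field extractors for one AVC line (sed only, so they work on a 2007 box).
avc_src_port() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]src=\([0-9][0-9]*\).*/\1/p'
}
avc_port_type() {
    # tcontext=<user>:<role>:<type>[:<level>]  -> <type>
    printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p'
}

in_range() { [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; }

# Why a denied bind matters: strict RFC 1179 needs 721-731, the non-strict
# lpd backend takes 512-1023, glibc's bindresvport() uses 600-1023.
classify_avc() {
    port=$(avc_src_port "$1")
    type=$(avc_port_type "$1")
    rfc=no;  in_range "$port" 721 731  && rfc=yes
    lpd=no;  in_range "$port" 512 1023 && lpd=yes
    resv=no; in_range "$port" 600 1023 && resv=yes
    printf 'src=%s type=%s rfc1179=%s lpd_nonstrict=%s bindresvport=%s\n' \
        "$port" "$type" "$rfc" "$lpd" "$resv"
}

# Step 4: an audit2allow-style local module letting cupsd_t bind the generic
# reserved-port types. Assumption: 721-731 carry hi_reserved_port_t like
# port 1016 above (verify with `semanage port -l`); a port with its own type,
# e.g. 993 = pop_port_t, would need an explicit extra rule.
# Build/load as root: checkmodule -M -m -o m.mod m.te &&
#   semodule_package -o m.pp -m m.mod && semodule -i m.pp
write_local_module() {
    cat > "$1" <<'EOF'
module cups_lpd_local 1.0;

require {
    type cupsd_t;
    type reserved_port_t;
    type hi_reserved_port_t;
    class tcp_socket name_bind;
}

# Let the CUPS lpd backend (running as cupsd_t) bind a reserved source port.
allow cupsd_t { reserved_port_t hi_reserved_port_t }:tcp_socket name_bind;
EOF
}

# Sample input: the two denials reported in this bug (offline, no semodule needed).
AVC_993='avc: denied { name_bind } for comm="lpd" egid=7 euid=0 exe="/usr/lib/cups/backend/lpd" exit=-13 pid=14912 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 src=993 tclass=tcp_socket tcontext=system_u:object_r:pop_port_t:s0 tty=(none) uid=0'
AVC_1016='Apr 2 16:00:13 cm kernel: audit(1175547613.491:60): avc: denied { name_bind } for pid=8204 comm="lpd" src=1016 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket'

for line in "$AVC_993" "$AVC_1016"; do
    classify_avc "$line"
done
```

Run as-is it only classifies the two sample AVCs; the `enable_audit_all`, `collect_lpd_avcs` and `restore_base` functions are the root-only steps of the procedure and are deliberately not called from the top level. Note that neither sample port falls in the strict 721-731 window, which is the oddity Dan points out: the backend was not running in strict mode, so it was walking the wider 512-1023 range and landing on ports that carry their own SELinux types.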
Fixed in selinux-policy-2.4.6-52
After updating to selinux-policy-2.4.6-54.fc6, I am now able to print with selinux set to enforcing. Thank you for the fix.