Description of problem: SELinux is preventing /sbin/pam_console_apply (pam_console_t) "setattr" to fb0 (device_t). SELinux denied access requested by /sbin/pam_console_apply. It is not expected that this access is required by /sbin/pam_console_apply and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. SELinux is preventing /usr/lib/cups/backend/ccp (cupsd_t) "write" to fifo0 (var_t). SELinux denied access requested by /usr/lib/cups/backend/ccp. It is not expected that this access is required by /usr/lib/cups/backend/ccp and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. SELinux is preventing /usr/lib/cups/filter/pstocapt (cupsd_t) "setpgid" to (cupsd_t). SELinux denied access requested by /usr/lib/cups/filter/pstocapt. It is not expected that this access is required by /usr/lib/cups/filter/pstocapt and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Under permissive mode, the printer works and prints the print-jobs. If SELinux is set to "active/enforced" mode, the print job gets canceled. Version of affected package: selinux-policy-2.6.4-8.fc7 How reproducible: Always Steps to Reproduce: 1. Plug in and set up USB printer with permissive SELinux on system (or with enforced SELinux policy) 2. Print a document Actual results: Permissive SELinux: Print-job is finished, SELinux error messages are reported Active/Enforced SELinux: Print job is cancelled. SELinux error messages are reported Expected results: Print job should be executed without SELinux warnings Additional info: This bug has medium priority for systems with active SELinux. For systems with permissive SELinux, consider the priority as low. Permissive mode: Source Context: system_u:system_r:pam_console_t:SystemLow-SystemHighTarget Context: system_u:object_r:device_tTarget Objects: fb0 [ file ]Affected RPM Packages: pam-0.99.7.1-5.fc7 [application]Policy RPM: selinux-policy-2.6.4-8.fc7Selinux Enabled: TruePolicy Type: targetedMLS Enabled: TrueEnforcing Mode: PermissivePlugin Name: plugins.catchall_fileHost Name: nonamePlatform: Linux noname 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlonAlert Count: 1First Seen: Sa 02 Jun 2007 17:21:46 CESTLast Seen: Sa 02 Jun 2007 17:21:46 CESTLocal ID: 09af6509-8567-4d03-aa21-2b4464bda41a Source Context: system_u:system_r:cupsd_t:SystemLow-SystemHighTarget Context: system_u:object_r:var_tTarget Objects: fifo0 [ fifo_file ]Affected RPM Packages: cndrvcups-capt-1.30-1 [application]Policy RPM: selinux-policy-2.6.4-8.fc7Selinux Enabled: TruePolicy Type: targetedMLS Enabled: TrueEnforcing Mode: PermissivePlugin Name: plugins.catchallHost Name: nonamePlatform: Linux noname 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlonAlert Count: 1First Seen: Sa 02 Jun 2007 17:22:35 CESTLast Seen: Sa 02 Jun 2007 17:22:35 CESTLocal ID: d3ef817f-6b1f-4502-92df-10de32b49968 Source Context: system_u:system_r:cupsd_t:SystemLow-SystemHighTarget Context: system_u:system_r:cupsd_t:SystemLow-SystemHighTarget Objects: None [ process ]Affected RPM Packages: cndrvcups-capt-1.30-1 [application]Policy RPM: selinux-policy-2.6.4-8.fc7Selinux Enabled: TruePolicy Type: targetedMLS Enabled: TrueEnforcing Mode: PermissivePlugin Name: plugins.catchallHost Name: nonamePlatform: Linux noname 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlonAlert Count: 1First Seen: Sa 02 Jun 2007 17:22:47 CESTLast Seen: Sa 02 Jun 2007 17:22:47 CESTLocal ID: f20ae4ec-2aab-471d-9b7a-1b2976dfb649
Please attach the audit.log (/var/log/audit/audit.log)
Created attachment 156121 [details] /var/log/audit/audit.log file Here is the requested file.
Please execute # restorecon -R -v /root This will cleanup the complaints about default_t. Will be fixed in next release. libcaiowrap.so and libcaepcm.so have been built wrong. We can change the context on these files to allow execmod, but a bug report should be sent to the developers to fix their bug. These memory checks are explained at the following link: http://people.redhat.com/~drepper/selinux-mem.html chcon -t textrel_shlib_t libcaepcm.so* libcaiowrap.so* will fix the context to allow selinux to work with these shared libraries. Please send me the full path. I will add setpgid to cups policy Cups is trying to write to a fifo_file owned by some other process. Do you know what this is and why it is being written in /var? /dev/fb0 is labeled incorrectly. Do you know how these were created. According to policy these should be labeled matchpathcon /dev/fb0 /dev/fb0 system_u:object_r:framebuf_device_t
It seems to work after the latest update.