Red Hat Bugzilla – Bug 244765
AVC Denials for CPUs using MFC420CN Printer
Last modified: 2007-11-30 17:12:07 EST
Description of problem:
Installed MFC420CN lpr drivers with cupswrapper rpm from manufacturer website here:
Will not print at all with SELinux Enforcing. Will print perfectly fine with
SELinux disabled or permissive. In permissive, you get many AVC denial errors.
Manufacturers site lists instructions to edit the file_contexts, but they don't
Version-Release number of selected component (if applicable):
MFC420CNlpr-1.0.2-1.i386.rpm (no x86_64 rpm available)
cupswrapperMFC420CN-1.0.0-1.i386.rpm (no x86_64 rpm available)
I *do not* have cups-lpd or cups-pdf installed
How reproducible:
Very reproducible by turning SELinux on and off (permissive mode)
Steps to Reproduce:
1. Start with clean fc7 install.
2. Install lpr and cupswrapper packages with instructions at:
3. Verify SELinux policy is enforcing
4. Print a test page...no printing
5. Set SELinux to permissive
6. Print a test page
7. See AVC denials
Actual results:
Many AVC denials (see attachment)
Expected results:
No AVC denials
Additional info: See attachment
Created attachment 157341 [details]
six AVC alert messages from the SELinux debugger
Do you know what directory it is trying to create files in?
Did you run it in permissive mode? When you run it a second time, does it try
to unlink the file again?
Yes, I ran it in permissive mode in order to see the denials--in enforcing mode
it would not print at all.
It appears to be attempting to modify the file "brMFC420CNrc" which is in the
/usr/local/Brother/inf directory. The brMFC420CNrc file has information like the
print resolution, paper type, etc.
When trying different file-contexts, I did full system re-boots just to be sure
everything was reset. It may require that I create a local policy to avoid the
situation, but I haven't gotten that far yet.
#chcon -R -t cups_rw_etc_t /usr/local/Brother/inf
Makes it work.
This should be brought up as a bug to Brother that they should not have r/w
files under /usr. They should be under /var or /etc/. (Preferably /var). If
this works for you I will change the default policy to label this directory.
That takes care of most of the issues. I think you really meant chcon -R -t
cupsd_rw_etc_t (cupsd instead of cups). The only denials now concern the
cupswrapper file trying to do various things (lock, get_addr, etc.) with
/var/run/utmp. It will now print in enforcing mode, but you still get a few
denials regarding /var/run/utmp.
The file that is trying to access /var/run/utmp is brlpdwrapperMFC and is
located in the usr/lib/cups/filter folder. By default it has the following
Whatever it is trying to do doesn't stop the print job from execution, even in
enforcing mode, but does pop up with AVC denials.
Ok, I will add a dontaudit rule for the next selinux-policy update along with
fixing the labeling of that directory.
fixed in selinux-policy-2.6.4-23
Closing as fixes are in the current release
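
The triage done in this thread, reading the AVC denials to find which object and which permission is blocked, as an added example (not part of the bug report or its attachment): a small Python parser run over constructed audit lines. The log lines, the `comm` value `example-filter`, and the `usr_t` and `initrc_var_run_t` target types are assumptions made for illustration.

```python
import posixpath
import re
from collections import defaultdict

# Constructed audit.log lines for illustration (NOT the bug's attachment).
# comm="example-filter" and the target types are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1182300001.101:51): avc:  denied  { write } for  pid=2701 comm="example-filter" name="brMFC420CNrc" dev=dm-0 ino=98311 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1182300001.101:51): arch=40000003 syscall=5 success=no exit=-13 comm="example-filter"
type=AVC msg=audit(1182300001.140:52): avc:  denied  { unlink } for  pid=2701 comm="example-filter" name="brMFC420CNrc" dev=dm-0 ino=98311 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1182300002.007:53): avc:  denied  { read lock } for  pid=2702 comm="brlpdwrapperMFC" name="utmp" dev=dm-0 ino=40112 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1182300002.009:54): avc:  denied  { getattr } for  pid=2702 comm="brlpdwrapperMFC" path="/var/run/utmp" dev=dm-0 ino=40112 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Permissions that modify the object; a denial here blocks the write itself.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr"}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields

def summarize(log_text):
    """Merge denials per (source type, target type, class, object name)."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        # Some records carry path= instead of name=; fall back to its basename.
        obj = d.get("name") or posixpath.basename(d.get("path", "?"))
        key = (d["scontext"].split(":")[2], d["tcontext"].split(":")[2], d["tclass"], obj)
        merged[key].update(d["perms"])
    return {k: sorted(v) for k, v in merged.items()}

def write_targets(summary):
    """Object names where a modifying permission was denied (labeling candidates)."""
    return sorted({k[3] for k, perms in summary.items() if WRITE_PERMS & set(perms)})

if __name__ == "__main__":
    report = summarize(SAMPLE_AUDIT_LOG)
    for key, perms in report.items():
        print(key, perms)
    print("denied writes on:", write_targets(report))
```

On a live system the same records come from /var/log/audit/audit.log or `ausearch -m avc`.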