Description of problem: I have a Samsung SCX-4200 MFP for which I downloaded the latest Linux drivers from Samsung from: http://www.samsung.com/uk/support/productsupport/download/Model_Select2.aspx?type=Print+Solutions&subtype=Multi+Function+Products&model=SCX%2D4200&fileType=DR&LSSI=%2Fuk%2Fmodule%2Fssi%2Fleft%2Flmenu%5Fprintsolutions%5Fmultifunctionproducts%2Esec&RSSI=%2Fuk%2Fmodule%2Fssi%2Fright%2Frmenu%5Fprintsolutions%2Esec The installation went OK, but when I try to print, SETroubleshooter gives an error (see attachment). I used to be able to fix this by running: [root@lambert ~]# restorecon /usr/lib64/cups/filter/rastertosamsung* [root@lambert ~]# chown root:root /usr/lib64/cups/filter/rastertosamsung* but not anymore. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1.Download Samsung driver from link above 2.Extract and, as root, run ./cdroot/autorun 3.Follow the GUI installation 4.Try to print a test page Actual results: SELinux blocks the printer. Expected results: A page to be printed out. Additional info:
Created attachment 255721 [details] Output from SETroubleshooter
This is the original Bugzilla report that helped me get it working: https://bugzilla.redhat.com/show_bug.cgi?id=214189
Fixed in selinux-policy-3.0.8-54.fc8
Created attachment 266401 [details] SELinux is preventing mfp (cupsd_t) "create" to <Unknown> (cupsd_t).
Hi, I just received an update from selinux-policy-3.0.8-53.fc8 to selinux-policy-3.0.8-56.fc8 and I still cannot print, I've attached the output from SETroubleshoot.
Could you put the machine in permissive mode and then run the print job. Then collect all of the avc messages and attach.
Created attachment 279581 [details] SELinux is preventing modprobe (cupsd_t) "getattr" to /lib/modules/2.6.23.1-49.fc8/kernel/drivers/char/lp.ko (modules_object_t).
Created attachment 279591 [details] SELinux is preventing modprobe (cupsd_t) "lock" to /lib/modules/2.6.23.1-49.fc8/kernel/drivers/parport/parport.ko (modules_object_t).
Created attachment 279601 [details] SELinux is preventing sh (cupsd_t) "read" to <Unknown> (insmod_exec_t).
Created attachment 279611 [details] SELinux is preventing /sbin/modprobe (cupsd_t) "read" to <Unknown> (modules_object_t).
Created attachment 279621 [details] SELinux is preventing modprobe (cupsd_t) "read" to <Unknown> (modules_dep_t).
Created attachment 279631 [details] SELinux is preventing /sbin/rmmod (cupsd_t) "sys_nice" to <Unknown> (cupsd_t).
Created attachment 279641 [details] SELinux is preventing mfp (cupsd_t) "sys_rawio" to <Unknown> (cupsd_t).
Created attachment 279651 [details] SELinux is preventing /sbin/modprobe (cupsd_t) "write" to <Unknown> (modules_object_t).
Created attachment 279811 [details] Policy module that should allow this to work. Ok this looks like cups is loading a kernel module in order to print the job. In order to compile and install this, You need to do the following Extract attachment to a directory # yum -y install selinux-policy-devel # make -f /usr/share/selinux/devel/Makefile # semodule -i mycups.pp Try to print again.
Hi, I did that and it went fine, rebooted, but it still will not let me print. So I rebooted into passive mode, and only get one message, another instance of: https://bugzilla.redhat.com/attachment.cgi?id=279641
Ok I can add sys_rawio. You can add it yourself by executing # grep sys_raw /var/log/audit/audit.log | audit2allow >> mycups.te # make -f /usr/share/selinux/devel/Makefile # semodule -i mycups.pp Tim is there any reason for this tool to be loading kernel modules rather then just doing it in an init script. I really would prefer not to allow cups to modify the kernel.
Created attachment 280191 [details] mycups.te:5:ERROR 'syntax error' at token 'allow' on line 1014: allow cupsd_t self:capability sys_rawio; It seems to fail at the make stage: [root@lambert ~]# make -f /usr/share/selinux/devel/Makefile Compiling targeted mycups module /usr/bin/checkmodule: loading policy configuration from tmp/mycups.tmp mycups.te:5:ERROR 'syntax error' at token 'allow' on line 1014: allow cupsd_t self:capability sys_rawio; #============= cupsd_t ============== /usr/bin/checkmodule: error(s) encountered while parsing configuration make: *** [tmp/mycups.mod] Error 1 I've attached tmp/mycups.tmp, in case you need it. Thanks for all your help by the way.
That is strange. If you just do # grep sys_raw /var/log/audit/audit.log | audit2allow -M mycups1 # semodule -i mycupsi.pp Does that work? Please attach the mycups.te
YES! That fixed it, thanks so much. Here's mycups.te anyway: #============= cupsd_t ============== allow cupsd_t self:capability sys_rawio; #============= cupsd_t ============== allow cupsd_t self:capability sys_rawio;
Fixed in selinux-policy-3.0.8-68
Bulk closing all bugs in Fedora updates in the modified state. If you bug is not fixed, please reopen.