Description of problem: SeLinux does not allow computer [CUPS latest version] to communicate with local printer when SeLinux is set to enforcing. Version-Release number of selected component (if applicable): Canon PIXMA MP 830 printer in Fedora 8 x86_64 with latest version of CUPS and gutenprint-5.0.1-1lsb3.1.x86_64.rpm [the Fedora version of gutenprint doesn't support this printer yet]. I got the gutenprint version for my printer here: http://www.openprinting.org/show_printer.cgi?recnum=Canon-PIXMA_MP830 How reproducible: Always Steps to Reproduce 1.Try to print on Canon PIXMA MP 830 using CUPS with gutenprint-5.0.1-1lsb3.1.x86_64.rpm and w/selinux set to enforcing. 2. 3. Actual results: Can only print with selinux set to permissive. Expected results: CUPS should be allowed to communicate with local printer in my opinion. On the Fedora Forum others report same problem with several models and brands of printers. Additional info: Summary SELinux is preventing cupsd (cupsd_t) "execute_no_trans" to /opt/gutenprint/cups/lib/filter/rastertogutenprint.5.0 (lib_t). Detailed Description SELinux denied access requested by cupsd. It is not expected that this access is required by cupsd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /opt/gutenprint/cups/lib/filter/rastertogutenprint.5.0, restorecon -v /opt/gutenprint/cups/lib/filter/rastertogutenprint.5.0 If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context system_u:object_r:lib_t:s0 Target Objects /opt/gutenprint/cups/lib/filter/rastertogutenprint .5.0 [ file ] Affected RPM Packages gutenprint-5.0.1-1lsb3.1 [target] Policy RPM selinux-policy-3.0.8-64.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.23.8-63.fc8 #1 SMP Wed Nov 21 17:56:40 EST 2007 x86_64 x86_64 Alert Count 1 First Seen Mon 17 Dec 2007 06:00:02 PM MST Last Seen Mon 17 Dec 2007 06:00:02 PM MST Local ID 55e81e3f-9650-4c02-8c7f-831c475b9b0d Line Numbers Raw Audit Messages avc: denied { execute_no_trans } for comm=cupsd dev=sda4 path=/opt/gutenprint/cups/lib/filter/rastertogutenprint.5.0 pid=3404 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=file tcontext=system_u:object_r:lib_t:s0
Here's a link I was following: http://forums.fedoraforum.org/forum/showthread.php?t=175125 Which directs one to the same page as SETroubleshooter message does: http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 I followed that and it does work. My printer now prints with SELinux set to enforcing. However in my opinion the bug remains as this should not be a problem in the first place. I'm considering the Windows user who might pick Fedora for a first try at Linux. At the time of Fedora Core 3 I was that person.
chcon -R -t bin_t /opt/gutenprint/cups/lib/filter Should fix the problem. I have updated the labeling in selinux-policy-3.0.8-69.fc8
Bulk closing all bugs in Fedora updates in the modified state. If you bug is not fixed, please reopen.