Bug 426055 - CUPS can't talk to printer with selinux set to enforcing.
Summary: CUPS can't talk to printer with selinux set to enforcing.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-12-18 01:26 UTC by Ben Popatopalous
Modified: 2008-01-30 19:20 UTC (History)
0 users

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-01-30 19:20:12 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Ben Popatopalous 2007-12-18 01:26:53 UTC
Description of problem: SeLinux does not allow computer [CUPS latest version] to
communicate with local printer when SeLinux is set to enforcing.



Version-Release number of selected component (if applicable): Canon PIXMA MP 830
printer in Fedora 8 x86_64 with latest version of CUPS and
gutenprint-5.0.1-1lsb3.1.x86_64.rpm [the Fedora version of gutenprint doesn't
support this printer yet]. I got the gutenprint version for my printer here:

http://www.openprinting.org/show_printer.cgi?recnum=Canon-PIXMA_MP830


How reproducible: Always

Steps to Reproduce
1.Try to print on Canon PIXMA MP 830 using CUPS with
gutenprint-5.0.1-1lsb3.1.x86_64.rpm and w/selinux set to enforcing.
2.
3.
  
Actual results: Can only print with selinux set to permissive.


Expected results: CUPS should be allowed to communicate with local printer in my
opinion. On the Fedora Forum others report same problem with several models and
brands of printers.


Additional info: Summary SELinux is preventing cupsd (cupsd_t)
"execute_no_trans" to /opt/gutenprint/cups/lib/filter/rastertogutenprint.5.0
(lib_t).

Detailed Description
    SELinux denied access requested by cupsd. It is not expected that this
    access is required by cupsd and this access may signal an intrusion attempt.
    It is also possible that the specific version or configuration of the
    application is causing it to require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for
    /opt/gutenprint/cups/lib/filter/rastertogutenprint.5.0, restorecon -v
    /opt/gutenprint/cups/lib/filter/rastertogutenprint.5.0 If this does not
    work, there is currently no automatic way to allow this access. Instead,
    you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /opt/gutenprint/cups/lib/filter/rastertogutenprint
                              .5.0 [ file ]
Affected RPM Packages         gutenprint-5.0.1-1lsb3.1 [target]
Policy RPM                    selinux-policy-3.0.8-64.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.23.8-63.fc8 #1 SMP
                              Wed Nov 21 17:56:40 EST 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 17 Dec 2007 06:00:02 PM MST
Last Seen                     Mon 17 Dec 2007 06:00:02 PM MST
Local ID                      55e81e3f-9650-4c02-8c7f-831c475b9b0d
Line Numbers                  

Raw Audit Messages            

avc: denied { execute_no_trans } for comm=cupsd dev=sda4
path=/opt/gutenprint/cups/lib/filter/rastertogutenprint.5.0 pid=3404
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=file
tcontext=system_u:object_r:lib_t:s0

Comment 1 Ben Popatopalous 2007-12-18 02:07:40 UTC
Here's a link I was following:

http://forums.fedoraforum.org/forum/showthread.php?t=175125

Which directs one to the same page as SETroubleshooter message does:

http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385

I followed that and it does work. My printer now prints with SELinux set to
enforcing. However in my opinion the bug remains as this should not be a problem
in the first place. I'm considering the Windows user who might pick Fedora for a
first try at Linux. At the time of Fedora Core 3 I was that person.

Comment 2 Daniel Walsh 2007-12-18 14:38:03 UTC
chcon -R -t bin_t /opt/gutenprint/cups/lib/filter

Should fix the problem.  I have updated the labeling in 

selinux-policy-3.0.8-69.fc8

Comment 3 Daniel Walsh 2008-01-30 19:20:12 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If you bug is
not fixed, please reopen.


Note You need to log in before you can comment on or make changes to this bug.