Description of problem:
Adding and removing a printer via system-config-printer generated a couple of errors in SELinux permissions in permissive mode.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-121.el5.noarch

How reproducible:
not very

Steps to Reproduce:
1.
2.
3.

Actual results:
Source RPM Packages: cups-1.2.4-11.15.el5
Policy RPM: selinux-policy-2.4.6-121.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall_file

First error on write:

Raw Audit Messages :

host=dakar-lap.lga.redhat.com type=AVC msg=audit(1206576283.185:130): avc: denied { write } for pid=4194 comm="cupsd" name="hp.ppd" dev=dm-1 ino=789017 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_etc_t:s0 tclass=file

host=dakar-lap.lga.redhat.com type=SYSCALL msg=audit(1206576283.185:130): arch=40000003 syscall=5 success=yes exit=14 a0=bff6c106 a1=8241 a2=1b6 a3=8241 items=0 ppid=1 pid=4194 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Second error on unlink:

Raw Audit Messages :

host=dakar-lap.lga.redhat.com type=AVC msg=audit(1206581650.167:248): avc: denied { unlink } for pid=9972 comm="cupsd" name="hp.ppd" dev=dm-1 ino=789017 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_etc_t:s0 tclass=file

host=dakar-lap.lga.redhat.com type=SYSCALL msg=audit(1206581650.167:248): arch=40000003 syscall=10 success=yes exit=0 a0=bfd8ca08 a1=0 a2=51bff4 a3=bfd8ce08 items=0 ppid=1 pid=9972 auid=10418 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="cupsd" exe="/usr/sbin/cupsd" subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Expected results:
success on both actions.

Additional info:
Have not been able to reproduce it.
Tim, what is cups trying to do? Is there a directory where cups creates printers with system-config-printer?
When cupsd is asked (by system-config-printer, or lpadmin, or any CUPS management tool) to create or modify a printer it needs to create or modify a file in /etc/cups/ppd/. Each file in that directory represents a print queue, and the correct context for those files is cupsd_rw_etc_t. It looks like something has altered those files and left them with context cupsd_etc_t -- I don't know why that would happen.
Perhaps as a result of adding CSB cups selector? I will try to reproduce on a virgin system.
So restorecon -R -v /etc/cups/ppd/ should fix it. Perhaps a tool is creating the files in a different directory and then renaming or moving them there.
Closing as NOT A Bug; if it happens again, please reopen the bugzilla.
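An added example, not part of the original bug thread: a small triage script that parses the two AVC records from the report and flags them as a file-labelling problem (fix with restorecon) rather than a missing policy rule. The `EXPECTED_TYPE` mapping and the function names are assumptions made for this example, based on the comment that queue files in /etc/cups/ppd/ should be labelled cupsd_rw_etc_t.

```python
import re

# The two AVC records from the report above (host= prefix dropped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1206576283.185:130): avc: denied { write } for pid=4194 comm="cupsd" name="hp.ppd" dev=dm-1 ino=789017 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(1206581650.167:248): avc: denied { unlink } for pid=9972 comm="cupsd" name="hp.ppd" dev=dm-1 ino=789017 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_etc_t:s0 tclass=file
"""

# Assumption from the thread: PPD queue files handled by cupsd_t should be
# cupsd_rw_etc_t. An AVC record carries only the file name, not the full
# path, so matching on the ".ppd" suffix is a heuristic.
EXPECTED_TYPE = {("cupsd_t", ".ppd"): "cupsd_rw_etc_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the MLS level may hold more colons.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def mislabel_findings(text):
    """Group denials per inode where the target type is not the expected one."""
    findings = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec.get("tclass") != "file":
            continue
        for (domain, suffix), want in EXPECTED_TYPE.items():
            if rec["stype"] == domain and rec.get("name", "").endswith(suffix) and rec["ttype"] != want:
                key = (rec["dev"], rec["ino"], rec["name"])
                f = findings.setdefault(key, {"have": rec["ttype"], "want": want, "perms": set()})
                f["perms"].update(rec["perms"])
    return findings

if __name__ == "__main__":
    for (dev, ino, name), f in mislabel_findings(SAMPLE_AUDIT).items():
        print(f"{name} (dev={dev} ino={ino}): labelled {f['have']}, expected {f['want']}; "
              f"denied {sorted(f['perms'])}: relabel instead of adding an allow rule")
```

Both denials collapse to one finding because they share dev and inode, which shows a single mislabelled file behind the two alerts.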