After install of cups-pdf today and checking settings in system-config-printer, this AVC shows up. If I attempt to print a test page, it repeats.

#-> llz /var/log/cups
total 46M
drwxr-xr-x 4 3 system_u:object_r:cupsd_log_t:s0 ./
drwxr-xr-x 0 0 system_u:object_r:var_log_t:s0 ../
-rw------- 0 7 system_u:object_r:cupsd_log_t:s0 access_log
-rw------- 0 7 system_u:object_r:cupsd_log_t:s0 access_log-20080330
-rw------- 0 7 system_u:object_r:cupsd_log_t:s0 access_log-20080406
-rw------- 0 7 system_u:object_r:cupsd_log_t:s0 error_log
-rw------- 0 7 system_u:object_r:cupsd_log_t:s0 error_log-20080330
-rw------- 0 7 system_u:object_r:cupsd_log_t:s0 error_log-20080406
-rw------- 0 7 system_u:object_r:cupsd_log_t:s0 page_log
-rw------- 0 7 system_u:object_r:cupsd_log_t:s0 page_log-20080406

Summary:

SELinux is preventing cups-pdf (cups_pdf_t) "write" to ./cups (cupsd_log_t).

Detailed Description:

SELinux denied access requested by cups-pdf. It is not expected that this access is required by cups-pdf and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./cups,

restorecon -v './cups'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cupsd_log_t:s0
Target Objects                ./cups [ dir ]
Source                        cups-pdf
Source Path                   /usr/lib/cups/backend/cups-pdf
Port                          <Unknown>
Host                          cirithungol
Source RPM Packages           cups-pdf-2.4.7-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-28.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.25-0.200.rc8.git3.fc9.i686 #1 SMP Sat Apr 5 00:00:10 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Mon 07 Apr 2008 06:10:10 PM PDT
Last Seen                     Mon 07 Apr 2008 06:29:54 PM PDT
Local ID                      59ac007d-24a1-41de-b724-0ec0bfc25a4c
Line Numbers

Raw Audit Messages

host=cirithungol type=AVC msg=audit(1207618194.739:236): avc: denied { write } for pid=28086 comm="cups-pdf" name="cups" dev=dm-0 ino=726758 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_log_t:s0 tclass=dir

host=cirithungol type=SYSCALL msg=audit(1207618194.739:236): arch=40000003 syscall=5 success=no exit=-13 a0=bfb43e54 a1=441 a2=1b6 a3=440 items=0 ppid=2493 pid=28086 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf" subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)
Can you try to create the log before the test:

touch /var/log/cups/cups-pdf_log
With the file already there it does succeed. I think either the file needs to be created blank by the spec (%post?) or better yet, just access given to cups-pdf to write to the directory.
Context after being touched by root.

-rw-r--r-- 0 0 unconfined_u:object_r:cupsd_log_t:s0 cups-pdf_log
You can allow this for now by executing

# audit2allow -M mypol -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-29.fc9
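An added example, not part of the original report and not audit2allow's own code: a small Python parser that pulls the source type, target type, class and permissions out of the raw AVC record quoted above, so the rule a local module built from it would grant can be read before anything is loaded. The function names and the second record are constructed for illustration.

```python
import re

# AVC record copied from the report above.
REPORTED = ('host=cirithungol type=AVC msg=audit(1207618194.739:236): avc: denied '
            '{ write } for pid=28086 comm="cups-pdf" name="cups" dev=dm-0 ino=726758 '
            'scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:cupsd_log_t:s0 tclass=dir')
# Constructed record (not from the report): a second permission on the same
# directory, included only to show how denials are merged into one rule.
CONSTRUCTED = ('type=AVC msg=audit(0.000:0): avc: denied { add_name } for pid=1 '
               'comm="cups-pdf" name="cups-pdf_log" '
               'scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 '
               'tcontext=system_u:object_r:cupsd_log_t:s0 tclass=dir')

DENIED = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = DENIED.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    fields['perms'] = m.group(1).split()
    return fields

def type_of(context):
    """Type is the third field of user:role:type[:range]; the range may contain ':'."""
    return context.split(':', 3)[2]

def rules_from_log(lines):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue  # SYSCALL and other record types carry no permission set
        key = (type_of(avc['scontext']), type_of(avc['tcontext']), avc['tclass'])
        merged.setdefault(key, set()).update(avc['perms'])
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

if __name__ == '__main__':
    for rule in rules_from_log([REPORTED, CONSTRUCTED]):
        print(rule)
```

Read this way, the rule derived from the reported record grants cups_pdf_t write access to every directory labelled cupsd_log_t, which is the scope to weigh before loading a local module.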