Description of problem:
SELinux policy violation caused by Brother CUPS printer drivers

Version-Release number of selected component (if applicable):

How reproducible:
Easy. Just try to print

Steps to Reproduce:
1.
2.
3.

Actual results:

Summary:

SELinux is preventing brlpdwrapperDCP (cupsd_t) "lock" to /var/run/utmp (initrc_var_run_t).

Detailed Description:

Error message: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by brlpdwrapperDCP. It is not expected that this access is required by brlpdwrapperDCP and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /var/run/utmp,

restorecon -v '/var/run/utmp'

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:initrc_var_run_t:s0
Target Objects                /var/run/utmp [ file ]
Source                        brlpdwrapperDCP
Source Path                   /bin/tcsh
Port                          <Unknown>
Host                          akpc.zincdigital.sbn
Source RPM Packages           tcsh-6.15-1.fc8
Target RPM Packages           initscripts-8.60-1
Policy RPM                    selinux-policy-3.0.8-95.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     akpc.zincdigital.sbn
Platform                      Linux akpc.zincdigital.sbn 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 i686
Alert Count                   5
First Seen                    Mon 07 Apr 2008 03:45:58 PM BST
Last Seen                     Tue 08 Apr 2008 02:45:56 PM BST
Local ID                      7ac543f2-bf79-4875-b881-a2b534b532ff
Line Numbers

Raw Audit Messages

host=akpc.zincdigital.sbn type=AVC msg=audit(1207662356.914:283): avc: denied { lock } for pid=7827 comm="brlpdwrapperDCP" path="/var/run/utmp" dev=dm-7 ino=110297095 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file

host=akpc.zincdigital.sbn type=SYSCALL msg=audit(1207662356.914:283): arch=40000003 syscall=221 success=yes exit=0 a0=5 a1=7 a2=bfbb9e44 a3=0 items=0 ppid=7826 pid=7827 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="brlpdwrapperDCP" exe="/bin/tcsh" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Expected results:

Additional info:
Causes other errors:
SELinux is preventing brprintconfij2 (cupsd_t) "create" to ./brDCP310CNrc (usr_t).
SELinux is preventing brprintconfij2 (cupsd_t) "unlink" to ./brDCP310CNrc.old (usr_t).
SELinux is preventing brlpdwrapperDCP (cupsd_t) "read" to ./utmp (initrc_var_run_t).
SELinux is preventing brlpdwrapperDCP (cupsd_t) "read" to ./utmp (initrc_var_run_t).
Please attach the AVC messages. I can allow the read of utmp, but I don't know where the brDCP310Nrc files are located. Probably should not be in /usr though.
Added cups line. Fixed in selinux-policy-3.3.1-44.fc9