Description of problem:

Version-Release number of selected component (if applicable):
# rpm -qa | egrep 'cups|selinux' | sort
bluez-utils-cups-3.30-2.fc9.x86_64
cups-1.3.7-1.fc9.x86_64
cups-libs-1.3.7-1.fc9.i386
cups-libs-1.3.7-1.fc9.x86_64
cups-pdf-2.4.7-1.fc9.x86_64
hal-cups-utils-0.6.16-3.fc9.x86_64
libgnomecups-0.2.3-3.fc9.x86_64
libselinux-2.0.61-1.fc9.i386
libselinux-2.0.61-1.fc9.x86_64
libselinux-python-2.0.61-1.fc9.x86_64
selinux-policy-3.3.1-35.fc9.noarch
selinux-policy-targeted-3.3.1-35.fc9.noarch

How reproducible:
100%

Steps to Reproduce:
1. easiest way to reproduce error is to run test page in cups setup gui

Additional info:

Summary:
    SELinux is preventing cups-pdf (cups_pdf_t) "write" to ./cups (cupsd_log_t).

Detailed Description:
    SELinux denied access requested by cups-pdf. It is not expected that this access is required by cups-pdf and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./cups, restorecon -v './cups'
    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
    Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cupsd_log_t:s0
Target Objects                ./cups [ dir ]
Source                        cups-pdf
Source Path                   /usr/lib/cups/backend/cups-pdf
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           cups-pdf-2.4.7-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr 17 01:11:31 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 26 Apr 2008 02:34:32 PM PDT
Last Seen                     Sat 26 Apr 2008 02:34:32 PM PDT
Local ID                      b6843245-6f6e-464f-88f7-c40969330d2e
Line Numbers

Raw Audit Messages

host=yardsale type=AVC msg=audit(1209245672.63:44): avc: denied { write } for pid=8224 comm="cups-pdf" name="cups" dev=dm-0 ino=28442 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_log_t:s0 tclass=dir
host=yardsale type=SYSCALL msg=audit(1209245672.63:44): arch=c000003e syscall=2 success=no exit=-13 a0=7fffff84d1d0 a1=441 a2=1b6 a3=7ff0f78376f0 items=0 ppid=2523 pid=8224 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf" subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Summary:
    SELinux is preventing the cups-pdf from using potentially mislabeled files (./user-dirs.dirs).

Detailed Description:
    SELinux has denied cups-pdf access to potentially mislabeled file(s) (./user-dirs.dirs). This means that SELinux will not allow cups-pdf to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:
    If you want cups-pdf to access these files, you need to relabel them using restorecon -v './user-dirs.dirs'. You might want to relabel the entire directory using restorecon -R -v '.'.

Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                ./user-dirs.dirs [ file ]
Source                        cups-pdf
Source Path                   /usr/lib/cups/backend/cups-pdf
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           cups-pdf-2.4.7-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr 17 01:11:31 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 26 Apr 2008 02:34:32 PM PDT
Last Seen                     Sat 26 Apr 2008 02:34:32 PM PDT
Local ID                      5f8a986d-6fd2-4500-9ca7-a5dbe455af7c
Line Numbers

Raw Audit Messages

host=yardsale type=AVC msg=audit(1209245672.63:45): avc: denied { read } for pid=8224 comm="cups-pdf" name="user-dirs.dirs" dev=dm-0 ino=148413 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
host=yardsale type=SYSCALL msg=audit(1209245672.63:45): arch=c000003e syscall=2 success=no exit=-13 a0=7fffff84a1d0 a1=0 a2=1b6 a3=7ff0f78376f0 items=0 ppid=2523 pid=8224 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf" subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)
The first AVC is fixed in the -42 policy package. The second one is cups_pdf_t trying to read a file in the /root directory. I have no idea what that file is and why it would need access. It is probably just looking for it in the homedir. What is the command to run the cups setup gui?
I will dontaudit in selinux-policy-3.3.1-43.fc9.noarch
system-config-printer
I am not sure if this is a cups-pdf bug or a system-config-printer bug. Even if we allow for SELinux to make this happen, system-config-printer ends up printing a file (or at least trying to print) in the /root directory. The user would not have access to this file. system-config-printer should print to the user's homedir, if consolehelper/userhelper has maintained this information.
Yes, indeed, system-config-printer ought to submit test pages as the invoking user, not root. This is fixed upstream in 0.9.90 using an authentication wrapper around the CUPS API so that it is a lot easier to run system-config-printer as a non-root user. I can look at back-porting that to Fedora 9.
...of course, the fact remains that root will not be able to successfully submit print jobs to a cups-pdf queue -- is that something we want to fix?
Please try with system-config-printer-0.7.82.2-3.fc9.
I installed 0.7.82.2-4.fc9 and still get AVC trying to print test page.
Please detail the steps you are using to print the test page, starting from the GDM login screen.
0) login from GDM
1) run gnome-terminal
2) from terminal window as regular user
   $ system-config-printer
3) enter root password
4) select Cups-Pdf
5) Click print test page

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$ rpm -qa | egrep 'selinux|system-config-printer|cups' | sort
bluez-utils-cups-3.30-2.fc9.x86_64
cups-1.3.7-1.fc9.x86_64
cups-libs-1.3.7-1.fc9.i386
cups-libs-1.3.7-1.fc9.x86_64
cups-pdf-2.4.7-1.fc9.x86_64
hal-cups-utils-0.6.16-3.fc9.x86_64
libgnomecups-0.2.3-3.fc9.x86_64
libselinux-2.0.61-1.fc9.i386
libselinux-2.0.61-1.fc9.x86_64
libselinux-python-2.0.61-1.fc9.x86_64
selinux-policy-3.3.1-42.fc9.noarch
selinux-policy-targeted-3.3.1-42.fc9.noarch
system-config-printer-0.7.82.2-4.fc9.x86_64
system-config-printer-libs-0.7.82.2-4.fc9.x86_64

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I didn't realize that the AVCs had changed. Here they are:

Summary:
    SELinux is preventing gs (cups_pdf_t) "getattr" to /usr/share/fonts/default/Type1/n019004l.pfb (fonts_t).

Detailed Description:
    [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

    SELinux denied access requested by gs. It is not expected that this access is required by gs and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /usr/share/fonts/default/Type1/n019004l.pfb, restorecon -v '/usr/share/fonts/default/Type1/n019004l.pfb'
    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
    Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fonts_t:s0
Target Objects                /usr/share/fonts/default/Type1/n019004l.pfb [ file ]
Source                        gs
Source Path                   /usr/bin/gs
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           ghostscript-8.62-3.fc9
Target RPM Packages           urw-fonts-2.4-5.fc9
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Tue 06 May 2008 04:28:07 PM PDT
Last Seen                     Wed 07 May 2008 04:26:10 PM PDT
Local ID                      30e1e36e-0f7c-48cd-82e6-912cef7cdb25
Line Numbers

Raw Audit Messages

host=yardsale type=AVC msg=audit(1210202770.958:40): avc: denied { getattr } for pid=4070 comm="gs" path="/usr/share/fonts/default/Type1/n019004l.pfb" dev=dm-0 ino=18130 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file
host=yardsale type=SYSCALL msg=audit(1210202770.958:40): arch=c000003e syscall=5 success=yes exit=0 a0=12 a1=7fff20402df0 a2=7fff20402df0 a3=7fc5183e27b0 items=0 ppid=4069 pid=4070 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="gs" exe="/usr/bin/gs" subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)

~~~~~~~~~~~~~~~~~~~~~

Summary:
    SELinux is preventing gs (cups_pdf_t) "read" to ./n019004l.pfb (fonts_t).

Detailed Description:
    [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

    SELinux denied access requested by gs. It is not expected that this access is required by gs and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./n019004l.pfb, restorecon -v './n019004l.pfb'
    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
    Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fonts_t:s0
Target Objects                ./n019004l.pfb [ file ]
Source                        gs
Source Path                   /usr/bin/gs
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           ghostscript-8.62-3.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-14.fc9.x86_64 #1 SMP Thu May 1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Tue 06 May 2008 04:28:07 PM PDT
Last Seen                     Wed 07 May 2008 04:26:10 PM PDT
Local ID                      ebbbc0b4-9dd1-4ef6-a420-dc558b9bedfc
Line Numbers

Raw Audit Messages

host=yardsale type=AVC msg=audit(1210202770.958:39): avc: denied { read } for pid=4070 comm="gs" name="n019004l.pfb" dev=dm-0 ino=18130 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file
host=yardsale type=SYSCALL msg=audit(1210202770.958:39): arch=c000003e syscall=2 success=yes exit=18 a0=215e500 a1=0 a2=1b6 a3=7fc5183e27b0 items=0 ppid=4069 pid=4070 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="gs" exe="/usr/bin/gs" subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)
Changing component back to cups-pdf and reassigning.
Removing from F9 blocker, as we aren't holding the release for this.
Changing version to '9' as part of upcoming Fedora 9 GA. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
About the fonts AVC: I can't reproduce it. What document are you trying to print? No problem in "Enforcing" mode printing the cups test page from s-c-p (I don't enter the root password, to be sure to run it as a regular user). Can you try with the latest selinux-policy version (-55)?
printing any document from firefox gives me this AVC:

Summary:
    SELinux is preventing sh (cups_pdf_t) "search" to ./nscd (nscd_var_run_t).

Detailed Description:
    SELinux denied access requested by sh. It is not expected that this access is required by sh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
    Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./nscd, restorecon -v './nscd'
    If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
    Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nscd_var_run_t:s0
Target Objects                ./nscd [ dir ]
Source                        cups-pdf
Source Path                   /usr/lib/cups/backend/cups-pdf
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           bash-3.2-22.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-55.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25.3-18.fc9.i686 #1 SMP Tue May 13 05:38:53 EDT 2008 i686 i686
Alert Count                   6
First Seen                    Wed 04 Jun 2008 07:54:14 PM PDT
Last Seen                     Wed 04 Jun 2008 07:54:15 PM PDT
Local ID                      5863be92-7343-4e89-bd49-2533610c7d7c
Line Numbers

Raw Audit Messages

host=yardsale type=AVC msg=audit(1212634455.189:47): avc: denied { search } for pid=3864 comm="sh" name="nscd" dev=sda5 ino=427593 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
host=yardsale type=SYSCALL msg=audit(1212634455.189:47): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf841660 a2=7c8ff4 a3=0 items=0 ppid=3863 pid=3864 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)
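The four AVCs quoted in this bug illustrate the distinctions setroubleshoot draws when it triages a denial: a catchall_file report against a system type such as cupsd_log_t, fonts_t or nscd_var_run_t points at a missing policy rule, while the home_tmp_bad_labels report against admin_home_t points at a file the confined domain should not be touching at all; the SYSCALL record paired with each AVC shows whether the kernel actually refused the call (success=no, exit=-13) or merely logged it in permissive mode (success=yes), and whose credentials the job ran under (uid=0 for the test page submitted by system-config-printer as root, uid=500 for the later ones). The script below is an added example, not part of this bug report nor of cups-pdf, selinux-policy or setroubleshoot. It parses the raw audit records from the comments above (copied here as a constructed sample, with the SYSCALL argument fields trimmed), pairs AVC and SYSCALL records by their audit serial, classifies each denial, and renders the type-enforcement rule audit2allow would propose. The HOME_TMP_TYPES set is an assumption for the example, and the choice to render home-directory denials as dontaudit rather than allow follows the maintainer's comment that the admin_home_t read was dontaudited in -43.

```python
import re

# Constructed sample input: the raw audit records quoted in this bug report,
# one record per line. SYSCALL fields not read by the triage (a0..a3, items,
# ppid, auid, suid, ...) have been trimmed.
SAMPLE_AUDIT = """\
host=yardsale type=AVC msg=audit(1209245672.63:44): avc: denied { write } for pid=8224 comm="cups-pdf" name="cups" dev=dm-0 ino=28442 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_log_t:s0 tclass=dir
host=yardsale type=SYSCALL msg=audit(1209245672.63:44): arch=c000003e syscall=2 success=no exit=-13 pid=8224 uid=0 gid=7 euid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
host=yardsale type=AVC msg=audit(1209245672.63:45): avc: denied { read } for pid=8224 comm="cups-pdf" name="user-dirs.dirs" dev=dm-0 ino=148413 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
host=yardsale type=SYSCALL msg=audit(1209245672.63:45): arch=c000003e syscall=2 success=no exit=-13 pid=8224 uid=0 gid=7 euid=0 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
host=yardsale type=AVC msg=audit(1210202770.958:40): avc: denied { getattr } for pid=4070 comm="gs" path="/usr/share/fonts/default/Type1/n019004l.pfb" dev=dm-0 ino=18130 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=file
host=yardsale type=SYSCALL msg=audit(1210202770.958:40): arch=c000003e syscall=5 success=yes exit=0 pid=4070 uid=500 gid=500 euid=500 comm="gs" exe="/usr/bin/gs"
host=yardsale type=AVC msg=audit(1212634455.189:47): avc: denied { search } for pid=3864 comm="sh" name="nscd" dev=sda5 ino=427593 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir
host=yardsale type=SYSCALL msg=audit(1212634455.189:47): arch=40000003 syscall=102 success=no exit=-13 pid=3864 uid=500 gid=500 euid=500 comm="sh" exe="/bin/bash"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')  # the serial that ties AVC to SYSCALL
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')  # the permission set in braces

# Object types whose denials setroubleshoot reports as a labeling problem
# (home_tmp_bad_labels) instead of a missing rule. Assumed set for this example,
# not the plugin's real list.
HOME_TMP_TYPES = {"admin_home_t", "user_home_t", "user_home_dir_t", "tmp_t", "user_tmp_t"}


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    serial = SERIAL_RE.search(line)
    if serial:
        rec["serial"] = serial.group(1)
    perms = PERMS_RE.search(line)
    if perms:
        rec["perms"] = perms.group(1).split()
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def triage(audit_text):
    """Pair AVC and SYSCALL records by serial and classify each denial."""
    by_serial = {}
    for line in audit_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec

    results = []
    for serial, recs in by_serial.items():
        avc = recs.get("AVC")
        if avc is None:
            continue
        sc = recs.get("SYSCALL", {})
        src, tgt = context_type(avc["scontext"]), context_type(avc["tcontext"])
        # success=no (exit=-13, EACCES) means the kernel refused the call;
        # success=yes on a denied AVC is the permissive-mode signature.
        blocked = (sc.get("success") == "no") if sc else None
        if tgt in HOME_TMP_TYPES:
            category = "home-or-tmp-label"
            advice = ("confined domain touching home/tmp content: relabel with restorecon "
                      "if the file was moved there, otherwise the application should not "
                      "be looking there (dontaudit candidate)")
        else:
            category = "policy-gap"
            advice = (f"no rule lets {src} {' '.join(avc['perms'])} {tgt}:{avc['tclass']}; "
                      "needs a policy update or a local module")
        results.append({
            "serial": serial, "comm": avc["comm"], "exe": sc.get("exe"),
            "uid": int(sc["uid"]) if "uid" in sc else None,
            "source_type": src, "perms": avc["perms"],
            "target_type": tgt, "tclass": avc["tclass"],
            "target": avc.get("path") or avc.get("name"),
            "blocked": blocked, "category": category, "advice": advice,
        })
    return results


def te_rule(result):
    """Render the type-enforcement rule audit2allow would propose for one denial."""
    kind = "dontaudit" if result["category"] == "home-or-tmp-label" else "allow"
    perms = result["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"{kind} {result['source_type']} {result['target_type']}:{result['tclass']} {perm_str};"


if __name__ == "__main__":
    for r in triage(SAMPLE_AUDIT):
        mode = "ENFORCED" if r["blocked"] else "permissive"
        print(f"[{r['serial']}] {r['comm']} (uid {r['uid']}) {' '.join(r['perms'])} "
              f"{r['target']} [{r['target_type']}:{r['tclass']}] {mode} -> {r['category']}")
        print("    " + te_rule(r))
```

Running it prints one line per denial plus the rule audit2allow would emit; note that the rule for a policy-gap denial is only a starting point for the policy maintainer, since a raw `allow` on a directory like cupsd_log_t or nscd_var_run_t is usually better expressed through the policy's interface macros than copied in verbatim.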
*** This bug has been marked as a duplicate of 448652 ***