Bug 470621 - SELinux is preventing cups-deviced (cupsd_t) "signal"
SELinux is preventing cups-deviced (cupsd_t) "signal"
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity medium
: rc
: ---
Assigned To: Daniel Walsh
Depends On:
  Show dependency treegraph
Reported: 2008-11-07 19:59 EST by John Poelstra
Modified: 2012-10-16 04:43 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-20 16:31:25 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description John Poelstra 2008-11-07 19:59:20 EST
Description of problem:
Adding a new printer results in AVC

Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Install a new printer


SELinux is preventing cups-deviced (cupsd_t) "signal" to <Unknown> (hplip_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by cups-deviced. It is not expected that this
access is required by cups-deviced and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:hplip_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        cups-deviced
Source Path                   /usr/lib/cups/daemon/cups-deviced
Port                          <Unknown>
Host                          screamer
Source RPM Packages           cups-1.3.7-7.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-180.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     screamer
Platform                      Linux screamer 2.6.18-122.el5 #1 SMP Mon Nov 3
                              18:18:14 EST 2008 i686 i686
Alert Count                   1
First Seen                    Fri 07 Nov 2008 04:43:22 PM PST
Last Seen                     Fri 07 Nov 2008 04:43:22 PM PST
Local ID                      77776acf-a2ce-4333-ab72-711aa2937e72
Line Numbers                  

Raw Audit Messages            

host=screamer type=AVC msg=audit(1226105002.798:116): avc:  denied  { signal } for  pid=29075 comm="cups-deviced" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=process

host=screamer type=SYSCALL msg=audit(1226105002.798:116): arch=40000003 syscall=37 success=yes exit=0 a0=7194 a1=f a2=b77ff4 a3=bfc9cd54 items=0 ppid=2603 pid=29075 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="cups-deviced" exe="/usr/lib/cups/daemon/cups-deviced" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-11-10 10:49:32 EST
Fixed in selinux-policy-2.4.6-183.el5
Comment 8 errata-xmlrpc 2009-01-20 16:31:25 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.