Bug 470621 - SELinux is preventing cups-deviced (cupsd_t) "signal"
Summary: SELinux is preventing cups-deviced (cupsd_t) "signal"
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.3
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Daniel Walsh
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-11-08 00:59 UTC by John Poelstra
Modified: 2012-10-16 08:43 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-20 21:31:25 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2009:0163 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2009-01-20 16:05:21 UTC

Description John Poelstra 2008-11-08 00:59:20 UTC
Description of problem:
Adding a new printer results in AVC

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-180.el5


Steps to Reproduce:
1. Install a new printer
2.
3.
  

Summary:

SELinux is preventing cups-deviced (cupsd_t) "signal" to <Unknown> (hplip_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by cups-deviced. It is not expected that this
access is required by cups-deviced and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:hplip_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        cups-deviced
Source Path                   /usr/lib/cups/daemon/cups-deviced
Port                          <Unknown>
Host                          screamer
Source RPM Packages           cups-1.3.7-7.el5
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-180.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     screamer
Platform                      Linux screamer 2.6.18-122.el5 #1 SMP Mon Nov 3
                              18:18:14 EST 2008 i686 i686
Alert Count                   1
First Seen                    Fri 07 Nov 2008 04:43:22 PM PST
Last Seen                     Fri 07 Nov 2008 04:43:22 PM PST
Local ID                      77776acf-a2ce-4333-ab72-711aa2937e72
Line Numbers                  

Raw Audit Messages            

host=screamer type=AVC msg=audit(1226105002.798:116): avc:  denied  { signal } for  pid=29075 comm="cups-deviced" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tclass=process

host=screamer type=SYSCALL msg=audit(1226105002.798:116): arch=40000003 syscall=37 success=yes exit=0 a0=7194 a1=f a2=b77ff4 a3=bfc9cd54 items=0 ppid=2603 pid=29075 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="cups-deviced" exe="/usr/lib/cups/daemon/cups-deviced" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2008-11-10 15:49:32 UTC
Fixed in selinux-policy-2.4.6-183.el5

Comment 8 errata-xmlrpc 2009-01-20 21:31:25 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html


Note You need to log in before you can comment on or make changes to this bug.