Description of problem: SELinux is alerting like mentioned below. Restoring the context just works for a while, the problem show up again (seemingly after printing or some status change in the printer or CUPS, i.e. replacing toner which was low, restarting CUPS, ...) Version-Release number of selected component (if applicable): cups-1.4.4-7.fc14.x86_64 selinux-policy-targeted-3.8.8-8.fc14.noarch How reproducible: Happens at random, but quite often (two or three times yesterday afternoon, again today) Steps to Reproduce: 1. 2. 3. Actual results: (Machine name replaced with XXX to protect the guilty) Summary: SELinux is preventing /usr/lib/cups/backend/socket "read" access to /etc/cups/ppd/dcsc.ppd. Detailed Description: SELinux denied access requested by socket. /etc/cups/ppd/dcsc.ppd may be a mislabeled. /etc/cups/ppd/dcsc.ppd default SELinux type is cupsd_rw_etc_t, but its current type is tmp_t. Changing this file back to the default type, may fix your problem. File contexts can be assigned to a file in the following ways. * Files created in a directory receive the file context of the parent directory by default. * The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this. * Users can change the file context on a file using tools such as chcon, or restorecon. This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type. If you believe this is a bug, please file a bug report against this package. Allowing Access: You can restore the default system context to this file by executing the restorecon command. restorecon '/etc/cups/ppd/dcsc.ppd', if this file is a directory, you can recursively restore using restorecon -R '/etc/cups/ppd/dcsc.ppd'. Fix Command: /sbin/restorecon '/etc/cups/ppd/dcsc.ppd' Additional Information: Source Context unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context system_u:object_r:tmp_t:s0 Target Objects /etc/cups/ppd/dcsc.ppd [ file ] Source pdftops Source Path /usr/lib/cups/filter/pdftops Port <Unknown> Host XXX Source RPM Packages cups-1.4.4-7.fc14 Target RPM Packages Policy RPM selinux-policy-3.8.8-8.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name restorecon Host Name XXX Platform Linux XXX 2.6.35-0.57.rc6.git5.fc15.x86_64 #1 SMP Fri Jul 30 17:16:30 UTC 2010 x86_64 x86_64 Alert Count 20 First Seen Mon 02 Aug 2010 03:34:54 PM CLT Last Seen Mon 02 Aug 2010 05:08:37 PM CLT Local ID 3ff8f68b-e581-4f5e-92b6-9775779a585e Line Numbers Raw Audit Messages node=XXX type=AVC msg=audit(1280783317.119:527): avc: denied { read } for pid=21078 comm="socket" name="dcsc.ppd" dev=dm-0 ino=1294512 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file node=XXX type=SYSCALL msg=audit(1280783317.119:527): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd2f89ee6 a1=0 a2=0 a3=7fffd2f7cbd0 items=0 ppid=16637 pid=21078 auid=500 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=2 comm="socket" exe="/usr/lib/cups/backend/socket" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) Expected results: No SELinux alerts... Additional info:
Hasn't happened again. Now: cups-1.4.4-8.fc15.x86_64 selinux-policy-targeted-3.8.8-12.fc15.noarch
*** Bug 646920 has been marked as a duplicate of this bug. ***