Description of problem: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by admin.cgi. It is not expected that this access is required by admin.cgi and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Version-Release number of selected component (if applicable): How reproducible: everytime in the last two weeks Steps to Reproduce: 1.system-config-printer 2. 3. Actual results: Traceback (most recent call last): File "/usr/share/system-config-printer/system-config-printer.py", line 40, in ? import cups ImportError: /usr/lib64/python2.4/site-packages/cups.so: undefined symbol: _cupsAdminGetServerSettings Expected results: configure cups for network printer Additional info: If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context user_u:system_r:cupsd_t:SystemLow-SystemHigh Target Context user_u:object_r:print_spool_t Target Objects 4cc5f04ab180b [ lnk_file ] Source admin.cgi Source Path /usr/lib/cups/cgi-bin/admin.cgi Port <Unknown> Host Sup0-64 Source RPM Packages cups-1.3.7-18.el5_5.7 Target RPM Packages Policy RPM selinux-policy-2.4.6-279.el5_5.1 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name catchall_file Host Name Sup0-64 Platform Linux Sup0-64 2.6.18-194.17.1.el5 #1 SMP Mon Sep 20 07:12:06 EDT 2010 x86_64 x86_64 Alert Count 1 First Seen Mon Oct 25 17:02:02 2010 Last Seen Mon Oct 25 17:02:02 2010 Local ID 166193cf-8c64-46c5-9d10-2af22cb123a4 Line Numbers Raw Audit Messages host=Sup0-64 type=AVC msg=audit(1288040522.726:3566): avc: denied { create } for pid=4413 comm="admin.cgi" name="4cc5f04ab180b" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:print_spool_t:s0 tclass=lnk_file host=Sup0-64 type=SYSCALL msg=audit(1288040522.726:3566): arch=c000003e syscall=88 success=yes exit=0 a0=7fffb0e1e180 a1=2b9f8e4e2a58 a2=21 a3=0 items=0 ppid=1790 pid=4413 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=1 comm="admin.cgi" exe="/usr/lib/cups/cgi-bin/admin.cgi" subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Miroslav RHEL6 policy lpd_manage_spool includes manage_lnk_files_pattern($1, print_spool_t, print_spool_t)
Wolfram You can add these rules for now using # grep avc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp
Fixed in selinux-policy-2.4.6-289.el5.noarch
Wolfram, could you please describe the action in system-config-printer in more detail? Did you just execute s-c-m? It seems that you were trying to add a printer, could you specify the connection type, printer type, model, URI, s-c-p version. I am unable to reproduce this traceback. Thank you in advance.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: Due to an error in an SELinux policy, the system-config-printer utility could terminate unexpectedly with the following message written to the standard error: ImportError: /usr/lib64/python2.4/site-packages/cups.so: undefined symbol: _cupsAdminGetServerSettings To resolve this issue, relevant SELinux rules have been corrected, so that the system-config-printer utility no longer crashes.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html