SELinux is preventing /usr/local/bin/cnijnetprn from 'write' accesses on the file /usr/lib/bjlib/cnnet.ini.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that cnijnetprn should be allowed write access on the cnnet.ini file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cnijnetprn /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/bjlib/cnnet.ini [ file ]
Source                        cnijnetprn
Source Path                   /usr/local/bin/cnijnetprn
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           cnijfilter-common-3.30-1
Target RPM Packages           cnijfilter-common-3.30-1
Policy RPM                    selinux-policy-3.9.7-20.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.10-74.fc14.x86_64 #1 SMP Thu Dec 23 16:04:50 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 20 Jan 2011 10:02:02 AM CST
Last Seen                     Thu 20 Jan 2011 10:02:02 AM CST
Local ID                      7471825f-4644-46c5-b67e-cd64ffbe9658

Raw Audit Messages
type=AVC msg=audit(1295539322.835:43512): avc: denied { write } for pid=12246 comm="cnijnetprn" name="cnnet.ini" dev=dm-0 ino=9440681 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

cnijnetprn,cupsd_t,lib_t,file,write

type=SYSCALL msg=audit(1295539322.835:43512): arch=i386 syscall=fstat success=no exit=4294967283 a0=804ab16 a1=2 a2=1b6 a3=ed4729 items=0 ppid=12235 pid=12246 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=cnijnetprn exe=/usr/local/bin/cnijnetprn subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

cnijnetprn,cupsd_t,lib_t,file,write

#============= cupsd_t ==============
allow cupsd_t lib_t:file write;
I was normally printing. Then there was an error on the printer (page had printed fine though). Then this bug report. I followed up on the printer Troubleshooting, and got another error. In following up, a dialog box said that the Queue Not Enabled. I followed the instructions and clicked on the Enable box. The printer made sounds and printed the same page it had printed before. !!
There were several dialog boxes requesting my root password during this process. This is a little troubling.
This looks like some third party print driver that you downloaded. You could try

chcon -t cupsd_var_lib_t -R /usr/lib/bjlib

Which should fix this. The question is does cups really need to write to this directory?
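An added example, not part of the bug thread: a small parser for the raw AVC record in the report that rebuilds the corresponding allow rule and flags it when the rule would grant a modifying permission on a generic type such as lib_t, which is the case where relabeling the driver's directory is the narrower fix. The BROAD_TYPES and MODIFYING sets and the second sample record are assumptions constructed for this example.

```python
import re

# Raw AVC record copied from the report in this bug.
AVC = ('type=AVC msg=audit(1295539322.835:43512): avc: denied { write } for '
       'pid=12246 comm="cnijnetprn" name="cnnet.ini" dev=dm-0 ino=9440681 '
       'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:lib_t:s0 tclass=file')

# Constructed record (not from the bug): several permissions, dedicated type.
AVC_CONSTRUCTED = ('type=AVC msg=audit(1.0:1): avc: denied { read open } for '
                   'pid=1 comm="example" name="example.ini" dev=dm-0 ino=1 '
                   'scontext=system_u:system_r:cupsd_t:s0 '
                   'tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file')

# Assumption of this example: generic types that label many unrelated files.
BROAD_TYPES = {"lib_t", "usr_t", "etc_t", "bin_t", "var_t", "tmp_t"}
MODIFYING = {"write", "append", "create", "unlink", "rename", "setattr"}

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None if it is not one."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if m is None or not m.group(1).split():
        return None
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    try:
        # A context is user:role:type:level; the type is the third field.
        stype = kv["scontext"].split(":")[2]
        ttype = kv["tcontext"].split(":")[2]
        tclass = kv["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": m.group(1).split(), "source_type": stype,
            "target_type": ttype, "tclass": tclass,
            "comm": kv.get("comm", "").strip('"'),
            "name": kv.get("name", "").strip('"')}

def allow_rule(rec):
    """Build the allow rule that would permit exactly this denied access."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f'allow {rec["source_type"]} {rec["target_type"]}:{rec["tclass"]} {p};'

def triage(rec):
    """'relabel' when the rule would open a generic type to modification."""
    if rec["target_type"] in BROAD_TYPES and MODIFYING & set(rec["perms"]):
        return "relabel"
    return "review"

if __name__ == "__main__":
    for line in (AVC, AVC_CONSTRUCTED):
        rec = parse_avc(line)
        print(triage(rec), "->", allow_rule(rec))
```
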
Yes, 3rd party driver - Canon for MX870 inkjet printer. Printer works good. But, when I run the command you suggested, I get:

[root@hoho6 user1]# chcon -t cupsd_var_lib_t -R /usr/lib/bjlib
chcon: failed to change context of `CNC870.DAT' to `system_u:object_r:cupsd_var_lib_t:s0': Invalid argument
chcon: failed to change context of `canon_mfp_net.ini' to `system_u:object_r:cupsd_var_lib_t:s0': Invalid argument
chcon: failed to change context of `canon_mfp.conf' to `system_u:object_r:cupsd_var_lib_t:s0': Invalid argument
chcon: failed to change context of `cnc1743d.tbl' to `system_u:object_r:cupsd_var_lib_t:s0': Invalid argument
chcon: failed to change context of `cnnet.ini' to `system_u:object_r:cupsd_var_lib_t:s0': Invalid argument
chcon: failed to change context of `CNC870P.DAT' to `system_u:object_r:cupsd_var_lib_t:s0': Invalid argument
chcon: failed to change context of `cnbpname367.tbl' to `system_u:object_r:cupsd_var_lib_t:s0': Invalid argument
chcon: failed to change context of `cifmx870.conf' to `system_u:object_r:cupsd_var_lib_t:s0': Invalid argument
chcon: failed to change context of `cnb_3670.tbl' to `system_u:object_r:cupsd_var_lib_t:s0': Invalid argument
chcon: failed to change context of `cnc_3670.tbl' to `system_u:object_r:cupsd_var_lib_t:s0': Invalid argument
chcon: failed to change context of `/usr/lib/bjlib' to `system_u:object_r:cupsd_var_lib_t:s0': Invalid argument
[root@hoho6 user1]#
Sorry cupsd_var_run_t
Canon ought to ship custom SELinux policy along with their driver IMHO.
Wouldn't that be nice or use standard locations. Miroslav, let's add

/usr/lib/bjlib(/.*)?    gen_context(system_u:object_r:cupsd_rw_etc_t,mls_systemhigh)
(In reply to comment #5)
> Sorry cupsd_var_run_t

[root@hoho6 user1]# chcon -t cupsd_var_run_t -R /usr/lib/bjlib
[root@hoho6 user1]#

Seems like it works OK.

-----

It was difficult to find the Linux driver for the MX870. Their web site says that Linux is not supported. However, clicking around gave a Canon site in Taiwan that had the code. A few proprietary libraries and code to compile and link with the libraries, depending on the printer model.
Fixed in selinux-policy-3.9.7-26.fc14
selinux-policy-3.9.7-28.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.