SELinux is preventing /usr/lib/cups/filter/rastertosamsungspl from 'write' accesses on the file rastertosamsungspl.log.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that rastertosamsungspl should be allowed write access on the rastertosamsungspl.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep rastertosamsung /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                rastertosamsungspl.log [ file ]
Source                        rastertosamsung
Source Path                   /usr/lib/cups/filter/rastertosamsungspl
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Sun 03 Apr 2011 12:01:54 AM EDT
Last Seen                     Sun 03 Apr 2011 12:01:54 AM EDT
Local ID                      1c350a87-cb25-4a2b-96c6-a8103b2cb0a5

Raw Audit Messages
type=AVC msg=audit(1301803314.428:50): avc: denied { write } for pid=3814 comm="rastertosamsung" name="rastertosamsungspl.log" dev=sdb7 ino=883287 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file

type=AVC msg=audit(1301803314.428:50): avc: denied { open } for pid=3814 comm="rastertosamsung" name="rastertosamsungspl.log" dev=sdb7 ino=883287 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file

type=SYSCALL msg=audit(1301803314.428:50): arch=i386 syscall=fstat per=400000 success=yes exit=EIO a0=8052c6c a1=241 a2=1b6 a3=8052b38 items=0 ppid=1659 pid=3814 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=rastertosamsung exe=/usr/lib/cups/filter/rastertosamsungspl subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: rastertosamsung,cupsd_t,tmp_t,file,write

audit2allow

#============= cupsd_t ==============
#!!!! The source type 'cupsd_t' can write to a 'file' of the following types:
# faillog_t, cupsd_lock_t, samba_var_t, cupsd_var_run_t, pcscd_var_run_t, print_spool_t, cupsd_interface_t, cupsd_rw_etc_t, cupsd_tmp_t, usbfs_t, cupsd_log_t, security_t, root_t

allow cupsd_t tmp_t:file { write open };

audit2allow -R

#============= cupsd_t ==============
#!!!! The source type 'cupsd_t' can write to a 'file' of the following types:
# faillog_t, cupsd_lock_t, samba_var_t, cupsd_var_run_t, pcscd_var_run_t, print_spool_t, cupsd_interface_t, cupsd_rw_etc_t, cupsd_tmp_t, usbfs_t, cupsd_log_t, security_t, root_t

allow cupsd_t tmp_t:file { write open };

It has taken several hours, but I finally got the printer to print by disabling SELinux and setting it up. However, now that I have reenabled SELinux, this error remains.
Where is the 'rastertosamsungspl.log' file actually located?
Created attachment 489734
File location
Created attachment 489735
File properties

Searching shows it in /usr/tmp which is linked to /var/tmp.
Stephen, if you remove the file, does everything work?

rm /var/tmp/rastertosamsungspl.log
I'm not sure since I already did the audit2allow change. Is there a way to revert that and then I can check?
I opened system-config-selinux, and took a look at /usr/tmp and /usr/tmp/.* for the settings. They are:

/usr/tmp       tmp_t:s0    directory
/usr/tmp/.*    <<None>>    all files

/var/tmp is different. It has:

/var/tmp       tmp_t:s0    all files
/var/tmp/.*    <<None>>    all files

I don't know if this is significant or not.
I had previously changed manually the cups and cupsd entries under Process Domain to Permissive in an attempt to install and configure this printer. I am going to change those now back to Enforcing.
I am actually interested in the name and label of the log file. If the name of the log file is guessable, this might be a security risk on a multi-user system. I would prefer if cupsd never wrote to /tmp. If cups creates the log file as cupsd_tmp_t and be allowed to use it.
cupsd isn't doing any of this; it's rastertosamsungspl. That 3rd party driver needs to be fixed.
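
Added example, not part of the original report or of audit2allow: a small Python parser for the AVC records quoted in this report. It rebuilds the rule audit2allow proposed and flags it when the target is a shared type such as tmp_t, which is the concern raised in the thread about the log file in /var/tmp. The function names and the SHARED_TYPES list are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The two AVC records from the report above.
SAMPLE = """type=AVC msg=audit(1301803314.428:50): avc: denied { write } for pid=3814 comm="rastertosamsung" name="rastertosamsungspl.log" dev=sdb7 ino=883287 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1301803314.428:50): avc: denied { open } for pid=3814 comm="rastertosamsung" name="rastertosamsungspl.log" dev=sdb7 ino=883287 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
NAME_RE = re.compile(r'\bname="([^"]*)"')

# Assumption: an illustrative, non-exhaustive set of types shared by many
# unrelated files. An allow rule on one of these covers far more than one file.
SHARED_TYPES = {"tmp_t", "var_t", "usr_t", "etc_t", "default_t"}

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group AVC denials by (source type, target type, class)."""
    grouped = defaultdict(lambda: {"perms": set(), "names": set()})
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # SYSCALL and other record types carry no denial
        perms, scon, tcon, tclass = match.groups()
        key = (selinux_type(scon), selinux_type(tcon), tclass)
        grouped[key]["perms"].update(perms.split())
        name = NAME_RE.search(line)
        if name:
            grouped[key]["names"].add(name.group(1))
    results = []
    for (src, tgt, cls), found in sorted(grouped.items()):
        perms = " ".join(sorted(found["perms"]))
        results.append({
            "rule": "allow %s %s:%s { %s };" % (src, tgt, cls, perms),
            "names": sorted(found["names"]),
            "broad": tgt in SHARED_TYPES,  # rule would not be limited to these names
        })
    return results

if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        note = "BROAD: applies to every object of the target type" if entry["broad"] else ""
        print(entry["rule"], entry["names"], note)
```

For the records in this report the rule is flagged as broad: it would let cupsd_t write any tmp_t file, not only rastertosamsungspl.log.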