Bug 701720 - SELinux is preventing /usr/lib/cups/daemon/cups-deviced from execute access on the archivo /usr/lib/cups/backend/mfp
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-05-03 16:31 UTC by Alberto Segura
Modified: 2011-05-03 19:38 UTC

Doc Type: Bug Fix
Last Closed: 2011-05-03 19:38:43 UTC

Description Alberto Segura 2011-05-03 16:31:50 UTC
Description of problem:

I cannot print using this device.
Version-Release number of selected component (if applicable):


How reproducible:

Partially installed as clp-350, but it is not able to print or be correctly detected, probably due to driver issues.
Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:

printing normally.
Additional info:
...system says:
"SELinux is preventing /usr/lib/cups/daemon/cups-deviced from execute access on the archivo /usr/lib/cups/backend/mfp.

*****  Sugerencia de complemento restorecon (99.5 confidence)  ***************

Siyou want to fix the label. 
/usr/lib/cups/backend/mfp default label should be bin_t.
Entoncesyou can run restorecon.
Hacer
# /sbin/restorecon -v /usr/lib/cups/backend/mfp

*****  Sugerencia de complemento catchall (1.49 confidence)  *****************

Siyou believe that cups-deviced should be allowed execute access on the mfp file by default.
Entoncesyou should report this as a bug.
You can generate a local policy module to allow this access.
Hacer
allow this access for now by executing:
# grep cups-deviced /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Contexto Fuente               system_u:system_r:cupsd_t:s0-s0:c0.c1023
Contexto Destino              unconfined_u:object_r:user_home_t:s0
Objetos Destino               /usr/lib/cups/backend/mfp [ file ]
Fuente                        cups-deviced
Dirección de Fuente           /usr/lib/cups/daemon/cups-deviced
Puerto                        <Desconocido>
Nombre de Equipo              mud
Paquetes RPM Fuentes          cups-1.4.6-15.fc15
Paquetes RPM Destinos         
RPM de Políticas              selinux-policy-3.9.16-18.fc15
SELinux Activado              True
Tipo de Política              targeted
Modo Obediente                Enforcing
Nombre de Equipo              mud
Plataforma                    Linux mud 2.6.38.4-20.fc15.x86_64 #1 SMP Thu Apr
                              28 23:32:48 UTC 2011 x86_64 x86_64
Cantidad de Alertas           2
Visto por Primera Vez         mar 03 may 2011 17:58:08 CEST
Visto por Última Vez          mar 03 may 2011 18:13:33 CEST
ID Local                      797733f2-2dc9-42f2-b336-81d686ccf7d7

Mensajes de Auditoría Crudos
type=AVC msg=audit(1304439213.759:178): avc:  denied  { execute } for  pid=6170 comm="cups-deviced" name="mfp" dev=sda6 ino=519457 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1304439213.759:178): arch=x86_64 syscall=execve success=no exit=EACCES a0=7fff53345d40 a1=7fff53345530 a2=7fff53346aa0 a3=7fff53345150 items=0 ppid=6164 pid=6170 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=cups-deviced exe=/usr/lib/cups/daemon/cups-deviced subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: cups-deviced,cupsd_t,user_home_t,file,execute

audit2allow

#============= cupsd_t ==============
#!!!! This avc is allowed in the current policy

allow cupsd_t user_home_t:file execute;

audit2allow -R

#============= cupsd_t ==============
#!!!! This avc is allowed in the current policy

allow cupsd_t user_home_t:file execute;"

Comment 1 Alberto Segura 2011-05-03 16:34:32 UTC
... as suggested, I wrote:

allow this access for now by executing:
# grep cups-deviced /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

... but I'm unable to see the difference.

Thanks a lot and congratulations!

Alberto S.

Comment 3 Daniel Walsh 2011-05-03 19:38:43 UTC
Why would you build a policy module when the alert told you that you have a labelling issue?

"SELinux is preventing /usr/lib/cups/daemon/cups-deviced from execute access on
the archivo /usr/lib/cups/backend/mfp.

*****  Sugerencia de complemento restorecon (99.5 confidence)  ***************

Siyou want to fix the label. 
/usr/lib/cups/backend/mfp default label should be bin_t.
Entoncesyou can run restorecon.
Hacer
# /sbin/restorecon -v /usr/lib/cups/backend/mfp
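
The triage Daniel Walsh points to in Comment 3, as an added example that is not part of the bug thread or of setroubleshoot: it parses the AVC record from the report and treats a home-directory type on a path outside a home directory as a labelling problem to fix with restorecon, not with an audit2allow module. The HOME_TYPES and HOME_PREFIXES values and the function names are assumptions of this example.

```python
import re

# The AVC record quoted in the report above, embedded so the example runs offline.
AVC = ('type=AVC msg=audit(1304439213.759:178): avc:  denied  { execute } for  '
       'pid=6170 comm="cups-deviced" name="mfp" dev=sda6 ino=519457 '
       'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file')

# Assumption of this example: types expected only on files inside a home directory.
HOME_TYPES = {"user_home_t", "user_home_dir_t", "admin_home_t"}
HOME_PREFIXES = ("/home/", "/root/")


def parse_avc(line):
    """Extract permissions, contexts and object class from one AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC denial record")
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; the type is always the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def triage(line, path):
    """Return (verdict, action) for a denial on the object at `path`.

    The AVC record carries only the file name, so the full path is passed in
    (the alert reports it separately as the target object).
    """
    rec = parse_avc(line)
    if rec["ttype"] in HOME_TYPES and not path.startswith(HOME_PREFIXES):
        # Wrong label on a system file: fix the label, do not widen policy.
        return "relabel", f"/sbin/restorecon -v {path}"
    return "review", "inspect the denial before writing any local policy"


if __name__ == "__main__":
    print(triage(AVC, "/usr/lib/cups/backend/mfp"))
```

A local module built from this denial would let cupsd_t execute every file labelled user_home_t, which is far broader than the one mislabelled backend.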

