This occurred whilst installing the driver for a Samsung CLX-3175N network printer.

SELinux is preventing /usr/lib/cups/daemon/cups-driverd from 'read' accesses on the file CLP-310-600x600cms2.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that cups-driverd should be allowed read access on the CLP-310-600x600cms2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep cups-driverd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                CLP-310-600x600cms2 [ file ]
Source                        cups-driverd
Source Path                   /usr/lib/cups/daemon/cups-driverd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           cups-1.4.6-15.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.6-27.fc15.x86_64 #1 SMP Sun May 15 17:23:28 UTC 2011 x86_64 x86_64
Alert Count                   8
First Seen                    Wed 01 Jun 2011 13:20:45 BST
Last Seen                     Wed 01 Jun 2011 13:20:45 BST
Local ID                      6be18b76-aeea-4e4d-ab88-5829f11639d3

Raw Audit Messages
type=AVC msg=audit(1306930845.180:259): avc: denied { read } for pid=15799 comm="cups-driverd" name="CLP-310-600x600cms2" dev=dm-1 ino=662744 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1306930845.180:259): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffff9d529e0 a1=0 a2=0 a3=7ffff9d510a0 items=0 ppid=15642 pid=15799 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=cups-driverd exe=/usr/lib/cups/daemon/cups-driverd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: cups-driverd,cupsd_t,user_home_t,file,read

audit2allow

#============= cupsd_t ==============
allow cupsd_t user_home_t:file read;

audit2allow -R

#============= cupsd_t ==============
allow cupsd_t user_home_t:file read;

Where is CLP-310-600x600cms2 located? You will need to fix a label on this file

# restorecon -R -v PATHTO/CLP-310-600x600cms2

I guess you moved this file from your homedir to a location. If I am wrong, please reopen the bug.

Hi Miroslav,

I'm just running an installation script straight from Samsung themselves, so it's likely the script not taking SELinux into account.

[root@office ricky]# updatedb
[root@office ricky]# locate CLP-310-600x600cms2
/home/ricky/Downloads/cdroot/Linux/noarch/at_opt/share/ppd/cms/CLP-310-600x600cms2
/opt/Samsung/mfp/share/ppd/cms/CLP-310-600x600cms2
/usr/share/cups/model/samsung/cms/CLP-310-600x600cms2

What do you think?

Yes, the script is probably mv'ing content into those system directories, which maintains the context of the user's homedir.

Could you open a bug with Samsung, to just run restorecon on the newly created directory. Something like

[ -x /sbin/restorecon ] && /sbin/restorecon -R /usr/share/cups/model/samsung /opt/Samsung

And you need to run

# restorecon -R -v /opt/Samsung/mfp/share/ppd/cms/CLP-310-600x600cms2 /usr/share/cups/model/samsung/cms/CLP-310-600x600cms2

They don't seem to have a point of contact; presumably because the context isn't changed, this isn't a problem with selinux policy then?
Well, SELinux requires proper labels; since their install tool is putting bad labels on the system, there really is no way for SELinux to handle this.
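
The triage applied in this thread (a confined system domain denied on a file still labelled as user home content points to a labelling problem, to be fixed with restorecon, rather than a policy gap to be papered over with audit2allow) can be automated over audit records. The following is an added example, not part of the original bug report or of any SELinux tool; the function names, the list of user-content types and the second sample record are assumptions made for illustration.

```python
import re

# SAMPLE[0] is the AVC record from the report above; SAMPLE[1] is constructed
# for contrast (a denial on a file that carries a normal system label).
SAMPLE = [
    'type=AVC msg=audit(1306930845.180:259): avc: denied { read } for pid=15799 '
    'comm="cups-driverd" name="CLP-310-600x600cms2" dev=dm-1 ino=662744 '
    'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1306930850.000:260): avc: denied { write } for pid=15800 '
    'comm="cups-driverd" name="printers.conf" dev=dm-1 ino=1234 '
    'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: a short, non-exhaustive list of types that files keep when they
# are moved (not copied) out of a user's home or temporary directory.
USER_CONTENT_TYPES = {"user_home_t", "user_home_dir_t", "user_tmp_t", "admin_home_t"}

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the MLS level may itself contain ':'.
    rec["stype"] = rec["scontext"].split(":", 3)[2]
    rec["ttype"] = rec["tcontext"].split(":", 3)[2]
    return rec

def triage(line):
    """Classify a denial: 'relabel' (likely mislabelled file) or 'review'."""
    rec = parse_avc(line)
    if rec is None:
        return None
    system_domain = rec["scontext"].startswith("system_u:system_r:")
    if system_domain and rec["ttype"] in USER_CONTENT_TYPES:
        return ("relabel", f"{rec['stype']} denied {rec['perms']} on "
                f"{rec.get('name', '?')!r} labelled {rec['ttype']}: run restorecon")
    return ("review", f"{rec['stype']} -> {rec['ttype']}: check policy before audit2allow")

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```
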
*** Bug 1653431 has been marked as a duplicate of this bug. ***