libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.6-3.fc17.i686.PAE
time:           Вт. 22 мая 2012 23:35:35

description:
:SELinux is preventing /usr/bin/lpstat.cups from 'write' accesses on the sock_file pkcs11.
:
:***** Plugin catchall (100. confidence) suggests ***************************
:
:If you believe that lpstat.cups should be allowed write access on the pkcs11 sock_file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep lpstat /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:user_tmp_t:s0
:Target Objects                pkcs11 [ sock_file ]
:Source                        lpstat
:Source Path                   /usr/bin/lpstat.cups
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           cups-1.5.3-1.fc17.i686
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.6-3.fc17.i686.PAE #1 SMP Wed May 16
:                              22:01:11 UTC 2012 i686 i686
:Alert Count                   4
:First Seen                    Вт. 22 мая 2012 23:33:53
:Last Seen                     Вт. 22 мая 2012 23:34:08
:Local ID                      351872fd-4f0f-47dd-b790-e52709ffca35
:
:Raw Audit Messages
:type=AVC msg=audit(1337708048.954:90): avc: denied { write } for pid=8585 comm="lpstat" name="pkcs11" dev="tmpfs" ino=19871 scontext=unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file
:
:
:type=SYSCALL msg=audit(1337708048.954:90): arch=i386 syscall=socketcall success=no exit=EACCES a0=3 a1=bfb9ed80 a2=b7728ff4 a3=b7f57e88 items=0 ppid=8584 pid=8585 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=lpstat exe=/usr/bin/lpstat.cups subj=unconfined_u:unconfined_r:lpr_t:s0-s0:c0.c1023 key=(null)
:
:Hash: lpstat,lpr_t,user_tmp_t,sock_file,write
:
:audit2allowunable to open /sys/fs/selinux/policy: Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied
:
:
Any idea why this access is required?
I have been googling but no answer. Did you set up CUPS somehow together with PKCS?
I plugged a HP DeskJet 3054 printer (one of the printers that came for free with an Apple computer, if that helps), and followed the automated setup steps. I got this SELinux error when trying to print something from Firefox.
I just realized: I can print from programs that use the Gnome(?) printer dialog (e.g., evince). I get this error when trying to print from a Web site (jetblue.com's online checkin application) that uses Adobe Flash. One more reason to hate Flash, I guess.
Did it work?
@Miroslav: Nope. In the end, I got my boarding pass to print by installing cups-pdf, using the PDF printer from Flash, and then printing the PDF with evince. I guess Flash is doing something dumb. When I did the PDF printing, the policy in this bug was already added.
Looks like this could be a duplicate of bug #808933?
That link says he was executing within mozilla_plugin, this one says it is using lpr?
But I agree they both show it connecting to a pkcs socket. Does lpr use some kind of authorization to print to certain printers?
I think this happens from libp11-kit via gnutls.
Fixed in selinux-policy-3.10.0-130.fc17
selinux-policy-3.10.0-130.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-130.fc17
Package selinux-policy-3.10.0-130.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-130.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9520/selinux-policy-3.10.0-130.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-130.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.