Created attachment 591114 [details]
raw avc denials

Description of problem:
SELinux is blocking printer configuration for staff_u in KDE.

Version-Release number of selected component (if applicable):

How reproducible:
Try to launch printer configuration from: System Settings -> Printer Configuration as a staff_u confined user.

Steps to Reproduce:
1. Open KDE System Settings
2. Open Printer Configuration
3.

Actual results:
Printer configuration dialog does not open, no option to enter root password (kdesu does not start).

Expected results:
kdesu starts, enter password, configure printer.

Additional info:
I have attached the raw avc denials

I also allowed the user_setrlimit boolean
setsebool -P user_setrlimit

my .te file:
cat myprint_config.te
module myprint_config 1.0;

require {
	type staff_t;
	type locale_t;
	type usr_t;
	type xauth_t;
	type cupsd_var_run_t;
	type sysfs_t;
	type system_dbusd_t;
	type chkpwd_t;
	type user_devpts_t;
	type xauth_tmp_t;
	type systemd_logind_sessions_t;
	type su_exec_t;
	type fprintd_t;
	class file { execute read execute_no_trans write getattr unlink open };
	class process { siginh noatsecure rlimitinh };
	class unix_stream_socket { read write };
	class chr_file { read write };
	class capability dac_override;
	class fifo_file write;
	class lnk_file read;
}

#============= chkpwd_t ==============
allow chkpwd_t user_devpts_t:chr_file { read write };

#============= staff_t ==============
allow staff_t chkpwd_t:process { siginh rlimitinh noatsecure };
allow staff_t cupsd_var_run_t:file { read getattr open };
allow staff_t locale_t:file write;
allow staff_t self:capability dac_override;
allow staff_t su_exec_t:file { read getattr open execute execute_no_trans };
allow staff_t systemd_logind_sessions_t:fifo_file write;
allow staff_t usr_t:file write;
allow staff_t xauth_t:process { siginh rlimitinh noatsecure };
allow staff_t xauth_tmp_t:file { read getattr unlink open };

#============= system_dbusd_t ==============
allow system_dbusd_t fprintd_t:process { siginh rlimitinh noatsecure };

#============= xauth_t ==============
allow xauth_t staff_t:unix_stream_socket { read write };
allow xauth_t sysfs_t:lnk_file read;
This is not something that we want to allow for the SELinux staff_r role. You could use sudo to switch to unconfined_t or sysadm_t. You can read more:
# man sysadm_selinux
# man unconfined_selinux
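An added illustration, not code from the bug report or from the selinux-policy project: the module posted above is the verbatim output of audit2allow for the collected denials, and loading it as-is is exactly what the previous comment objects to, because several rules extend staff_t far beyond printer configuration. The script below parses the posted .te text (embedded here as sample input) and flags the grants that widen the confined domain: direct execution of su_exec_t, the dac_override capability (which lets the whole staff_t domain bypass file permission checks), and write access to usr_t. The list of risky grants is constructed for this report, not a list maintained by the policy.

```python
"""Audit an audit2allow-generated SELinux module for rules that widen a
confined user domain.  Added example; the module text is the one posted in
the bug report, embedded as sample input."""
import re

# The reporter's myprint_config.te, copied from the report as sample input.
SAMPLE_TE = """
module myprint_config 1.0;

require {
	type staff_t;
	type locale_t;
	type usr_t;
	type xauth_t;
	type cupsd_var_run_t;
	type sysfs_t;
	type system_dbusd_t;
	type chkpwd_t;
	type user_devpts_t;
	type xauth_tmp_t;
	type systemd_logind_sessions_t;
	type su_exec_t;
	type fprintd_t;
	class file { execute read execute_no_trans write getattr unlink open };
	class process { siginh noatsecure rlimitinh };
	class unix_stream_socket { read write };
	class chr_file { read write };
	class capability dac_override;
	class fifo_file write;
	class lnk_file read;
}

allow chkpwd_t user_devpts_t:chr_file { read write };
allow staff_t chkpwd_t:process { siginh rlimitinh noatsecure };
allow staff_t cupsd_var_run_t:file { read getattr open };
allow staff_t locale_t:file write;
allow staff_t self:capability dac_override;
allow staff_t su_exec_t:file { read getattr open execute execute_no_trans };
allow staff_t systemd_logind_sessions_t:fifo_file write;
allow staff_t usr_t:file write;
allow staff_t xauth_t:process { siginh rlimitinh noatsecure };
allow staff_t xauth_tmp_t:file { read getattr unlink open };
allow system_dbusd_t fprintd_t:process { siginh rlimitinh noatsecure };
allow xauth_t staff_t:unix_stream_socket { read write };
allow xauth_t sysfs_t:lnk_file read;
"""

# Grants that undo the point of keeping staff_t confined.  This list is
# constructed for the rules seen in the report, not a policy-maintained one.
# Entries: (source, target or None for any, class, permissions, reason).
RISKY = [
    ("staff_t", "su_exec_t", "file", {"execute", "execute_no_trans"},
     "lets staff_t run su directly; role changes should go through sudo"),
    ("staff_t", "self", "capability", {"dac_override"},
     "lets every staff_t process bypass file permission checks"),
    ("staff_t", "usr_t", "file", {"write"},
     "grants write access to files labelled usr_t from a user domain"),
]

# One allow rule: "allow <src> <tgt>:<class> <perm | { perms }>;"
ALLOW_RE = re.compile(r"\ballow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


def parse_allow_rules(te_text):
    """Return a list of (source, target, class, set_of_permissions)."""
    rules = []
    for m in ALLOW_RE.finditer(te_text):
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return rules


def find_risky_rules(te_text, risky=RISKY):
    """Return (source, target, class, matched_perms, reason) for each rule
    that grants one of the RISKY permissions."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        for r_src, r_tgt, r_cls, r_perms, why in risky:
            if src != r_src or cls != r_cls:
                continue
            if r_tgt is not None and tgt != r_tgt:
                continue
            hit = perms & r_perms
            if hit:
                findings.append((src, tgt, cls, sorted(hit), why))
    return findings


if __name__ == "__main__":
    for src, tgt, cls, perms, why in find_risky_rules(SAMPLE_TE):
        print(f"RISKY: allow {src} {tgt}:{cls} {{ {' '.join(perms)} }}  # {why}")
```

Run against the posted module it reports three rules; the remaining ten (reading cupsd state, xauth handling, the chkpwd_t/xauth_t process permissions the user_setrlimit boolean covers) are the kind of narrow grants a local module could reasonably carry, which is the distinction the maintainer is drawing.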
OK, I can understand wanting staff_u to use sudo. FYI, su is being called by the (default) graphical tool / control panel, not something I am entering into a terminal. I am going to file a bug upstream with KDE.
Does kdesu work like sudo or like su?
Daniel Walsh - Thank you once again for your time. FWIW: I had a chat on #fedora-kde. They are aware of the general issue and this bug report, and the long-term solution is to switch to print-manager. "In any case, this particular issue is a side-effect of the bug that system-config-printer-kde does not support PolicyKit auth as is supposed to and so we have to run the entire KCM as root. It'll be gone soon because we're going to switch to print-manager." The workaround I was given is to use system-config-printer. This is an acceptable workaround to me; it sort of allows me to maintain confined users and you to maintain the policy of staff_u (restrict access to su).