Selinux, cups, hplip

Daniel J Walsh dwalsh at redhat.com
Mon Jun 22 20:48:35 UTC 2009


On 06/20/2009 01:50 PM, Steven Stern wrote:
> On 06/20/2009 06:12 AM, Daniel J Walsh wrote:
>> On 06/19/2009 07:10 PM, Steven Stern wrote:
>>> After installing hplip-gui, I got selinux errors when checking on the
>>> printer status.
>>>
>>> audit2allow generated the following policy
>>>
>>> module cups20090619 1.0;
>>>
>>> require {
>>> type hwdata_t;
>>> type xdm_t;
>>> class dir search;
>>> class file { read getattr open };
>>> }
>>>
>>> #============= xdm_t ==============
>>> allow xdm_t hwdata_t:dir search;
>>> allow xdm_t hwdata_t:file { read getattr open };
>>>
>>>
>> xdm is checking the printer status? This allow rule indicates the X
>> Login program is checking the printer status. Could you attach the AVCs
>> you used to generate this policy?
>>
>
> And here's another one related to hplip
>
> type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for
> pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
> scontext=system_u:system_r:hplip_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
>
> type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for
> pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
> scontext=system_u:system_r:hplip_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
>
>
>
Could you report this as a bug to cups? Cups has some MLS awareness in
it and maybe it is reading this file directly rather than through
libselinux. CC me on the bug report: dwalsh at redhat.com
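
Added example, not part of the original thread and not audit2allow's own code: a small Python parser that reads the two hplip denials quoted above (mail line wrapping included) and merges them into one allow-rule candidate, annotated with the comm and name fields so the accessing process can be checked before any rule is loaded. The function names and the SAMPLE constant are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed input: the two hplip denials quoted in this message, with the
# mail client's line wrapping left in place.
SAMPLE = """\
type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for
pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file

type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for
pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
"""

# One record runs from "avc: denied" up to the next "type=AVC" or end of input.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"(?=type=AVC|\Z)", re.S)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avcs(text):
    """Yield one dict per denial; tolerates records wrapped across lines."""
    for m in AVC_RE.finditer(text):
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["perms"] = m.group("perms").split()
        yield rec

def type_of(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(":")[2]

def candidate_rules(text):
    """Merge denials into rule candidates keyed by (source, target, class)."""
    merged = defaultdict(lambda: (set(), set()))
    for rec in parse_avcs(text):
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms, who = merged[key]
        perms.update(rec["perms"])
        who.add(f'comm={rec.get("comm", "?")} name={rec.get("name", "?")}')
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};  # {', '.join(sorted(w))}"
        for (s, t, c), (p, w) in sorted(merged.items())
    ]

if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE):
        print(rule)
```
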



