Bug 160292 (cups-lpd) - back in 1.23.18-16?

Ian Pilcher i.pilcher at comcast.net
Thu Jun 30 01:06:15 UTC 2005


Daniel J Walsh wrote:
> Probably not.  What avc messages are you seeing?

Clean install of selinux-policy-targeted-1.23.18-17:

   * rpm -e selinux-policy-targeted
   * rm -rf /etc/selinux
   * yum install selinux-policy-targeted
   * reboot

Printer is set as shared in printconf-gui and LPD is enabled.  xinetd is
running and cups-lpd is enabled.  ('nmap localhost' shows port 515 is
open.)  Try "Print Test Page" on my Windows XP laptop which has this
printer configured.


/var/log/secure:

Jun 29 19:48:33 home xinetd[2014]: START: printer pid=5767 
from=192.168.1.128


/var/log/messages:

Jun 29 19:48:33 home cups-lpd[5767]: Unable to get client address - 
Socket operation on non-socket

Jun 29 19:48:33 home cups-lpd[5767]: Unable to get command line from client!


/var/log/audit/audit.log:

type=AVC msg=audit(1120092513.256:10611097): avc:  denied  { read write 
} for  pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 
scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t 
tclass=tcp_socket

type=AVC msg=audit(1120092513.256:10611097): avc:  denied  { read write 
} for  pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 
scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t 
tclass=tcp_socket

type=AVC msg=audit(1120092513.256:10611097): avc:  denied  { read write 
} for  pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 
scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t 
tclass=tcp_socket

type=PATH msg=audit(1120092513.256:10611097): item=1 inode=362148 
dev=09:03 mode=0100755 ouid=0 ogid=0 rdev=00:00

type=PATH msg=audit(1120092513.256:10611097): item=0 
name="/usr/lib/cups/daemon/cups-lpd" inode=295106 dev=09:03 mode=0100755 
ouid=0 ogid=0 rdev=00:00

type=AVC_PATH msg=audit(1120092513.256:10611097):  path="socket:[11317]"
type=AVC_PATH msg=audit(1120092513.256:10611097):  path="socket:[11317]"
type=AVC_PATH msg=audit(1120092513.256:10611097):  path="socket:[11317]"

type=SYSCALL msg=audit(1120092513.256:10611097): arch=40000003 
syscall=11 success=yes exit=0 a0=9d7e678 a1=9d7e668 a2=9d7ee10 
a3=bfed5ba4 items=2 pid=5767 auid=4294967295 uid=4 gid=7 euid=4 suid=4 
fsuid=4 egid=7 sgid=7 fsgid=7 comm="cups-lpd" 
exe="/usr/lib/cups/daemon/cups-lpd"


(The same messages, with different PIDs, are repeated, presumably as
Windows retries the job.)

getsebool -a:

NetworkManager_disable_trans --> inactive
allow_execmem --> active
allow_execmod --> active
allow_execstack --> active
allow_kerberos --> active
allow_write_xshm --> inactive
allow_ypbind --> active
apmd_disable_trans --> inactive
arpwatch_disable_trans --> inactive
auditd_disable_trans --> inactive
bluetooth_disable_trans --> inactive
canna_disable_trans --> inactive
cardmgr_disable_trans --> inactive
comsat_disable_trans --> inactive
cupsd_config_disable_trans --> inactive
cupsd_disable_trans --> inactive
cupsd_lpd_disable_trans --> inactive
cvs_disable_trans --> inactive
cyrus_disable_trans --> inactive
dbskkd_disable_trans --> inactive
dhcpc_disable_trans --> inactive
dhcpd_disable_trans --> inactive
dovecot_disable_trans --> inactive
fingerd_disable_trans --> inactive
ftp_home_dir --> active
ftpd_disable_trans --> inactive
ftpd_is_daemon --> active
hald_disable_trans --> inactive
hotplug_disable_trans --> inactive
howl_disable_trans --> inactive
hplip_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active
i18n_input_disable_trans --> inactive
inetd_child_disable_trans --> inactive
inetd_disable_trans --> inactive
innd_disable_trans --> inactive
kadmind_disable_trans --> inactive
klogd_disable_trans --> inactive
krb5kdc_disable_trans --> inactive
ktalkd_disable_trans --> inactive
lpd_disable_trans --> inactive
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nfs_export_all_ro --> active
nfs_export_all_rw --> active
nmbd_disable_trans --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
pppd_disable_trans --> inactive
pppd_for_user --> inactive
privoxy_disable_trans --> inactive
ptal_disable_trans --> inactive
radiusd_disable_trans --> inactive
radvd_disable_trans --> inactive
read_default_t --> active
rlogind_disable_trans --> inactive
rsync_disable_trans --> inactive
samba_enable_home_dirs --> inactive
saslauthd_disable_trans --> inactive
slapd_disable_trans --> inactive
smbd_disable_trans --> inactive
snmpd_disable_trans --> inactive
squid_connect_any --> inactive
squid_disable_trans --> inactive
stunnel_disable_trans --> inactive
stunnel_is_daemon --> inactive
syslogd_disable_trans --> inactive
system_dbusd_disable_trans --> inactive
telnetd_disable_trans --> inactive
tftpd_disable_trans --> inactive
udev_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
user_ping --> inactive
uucpd_disable_trans --> inactive
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive
ypserv_disable_trans --> inactive
zebra_disable_trans --> inactive

Thanks!

-- 
========================================================================
Ian Pilcher                                        i.pilcher at comcast.net
========================================================================
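
Added example (not part of the original message, and not code from the SELinux or CUPS projects): a small Python parser that collapses the repeated AVC denials in the audit.log excerpt above into one entry per distinct source type, target type, object class and permission set. The sample input is constructed from the records in the message with the mail client's line wrapping undone; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the AVC records from the message above, one record per
# line as auditd writes them, plus one AVC_PATH record that must be ignored.
SAMPLE = "\n".join([
    'type=AVC msg=audit(1120092513.256:10611097): avc:  denied  { read write } '
    'for  pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 '
    'scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t '
    'tclass=tcp_socket',
] * 3 + [
    'type=AVC_PATH msg=audit(1120092513.256:10611097):  path="socket:[11317]"',
])

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')

def parse_avc(line):
    """Return a dict for one 'denied' AVC record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {
        "serial": int(m.group("serial")),
        "comm": fields.get("comm", "").strip('"'),
        "perms": tuple(sorted(m.group("perms").split())),
        # Contexts are user:role:type; the type is what policy rules refer to.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def summarize(log_text):
    """Collapse repeated denials: (comm, source, target, class, perms) -> count."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["comm"], rec["source_type"], rec["target_type"],
                    rec["tclass"], rec["perms"])] += 1
    return counts

if __name__ == "__main__":
    for (comm, src, tgt, cls, perms), n in summarize(SAMPLE).items():
        print(f"{n}x {comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```
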



