FC5 CUPS and Netatalk (fixed?)
Tony Nelson
tonynelson at georgeanelson.com
Thu Apr 20 02:47:39 UTC 2006
I've just fixed an SELinux policy issue on FC5, printing via CUPS to a
printer connected via Netatalk (AppleTalk).

I upgrade installed from FC3 to FC5. I had Netatalk 1.6.x on FC3, with
SELinux enforcing, and could print via CUPS over Ethernet to a printer on a
Mac on Localtalk. After the upgrade (and getting Netatalk working again)
it would only print with SELinux in permissive mode. After a few tries, I
collected the following AVC messages and used audit2allow to make the
module below, installed it, and printing works again.

I don't know if this module is exactly right, or even if it is generally
needed by CUPS or only for PAP with Netatalk.

type=AVC msg=audit(1145484476.381:82): avc: denied { create } for pid=8035 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145485638.551:86): avc: denied { bind } for pid=8215 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145485978.490:91): avc: denied { getattr } for pid=8291 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145486131.769:96): avc: denied { write } for pid=8336 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145486380.729:103): avc: denied { read } for pid=8408 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket

------- pap.te -------
module pap 1.0;

require {
	class socket { bind create getattr read write };
	type cupsd_t;
};

allow cupsd_t self:socket { bind create getattr read write };
-------
____________________________________________________________________
TonyN.:' <mailto:tonynelson at georgeanelson.com>
' <http://www.georgeanelson.com/>
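
An added example, not part of the original post: Python that shows how the five AVC denials quoted above collapse into the single allow rule in pap.te. It is not audit2allow's own code; the function names are hypothetical, and the log lines are rebuilt from the fields quoted in the post.

```python
import re
from collections import defaultdict

# The five denials quoted in the post, rebuilt from their shared fields.
CTX = "system_u:system_r:cupsd_t:s0-s0:c0.c255"
POST_DENIALS = [
    ("1145484476.381:82", "create", 8035),
    ("1145485638.551:86", "bind", 8215),
    ("1145485978.490:91", "getattr", 8291),
    ("1145486131.769:96", "write", 8336),
    ("1145486380.729:103", "read", 8408),
]
AVC_LINES = [
    f'type=AVC msg=audit({stamp}): avc: denied {{ {perm} }} for pid={pid} '
    f'comm="pap" scontext={CTX} tcontext={CTX} tclass=socket'
    for stamp, perm, pid in POST_DENIALS
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]

def rules_from_avc(lines):
    """Merge denials into allow rules keyed by (source, target, class)."""
    perms = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src, tgt = context_type(m["s"]), context_type(m["t"])
        if src == tgt:
            tgt = "self"  # same source and target type is written as "self"
        perms[(src, tgt, m["cls"])].update(m["perms"].split())
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(p))} }};"
        for (src, tgt, cls), p in sorted(perms.items())
    ]

if __name__ == "__main__":
    for rule in rules_from_avc(AVC_LINES):
        print(rule)
```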