SELinux is preventing /usr/libexec/colord from getattr access on the file /usr/local/Brother/sane/models3/ext4.ini.

Clyde E. Kunkel clydekunkel7734 at cox.net
Tue Jun 7 15:04:36 UTC 2011


On 06/07/2011 09:47 AM, Lawrence E Graves wrote:
> SELinux is preventing /usr/libexec/colord from getattr access on the file /usr/local/Brother/sane/models3/ext4.ini.
>
> *****  Plugin catchall (100. confidence) suggests  ***************************
>
> If you believe that colord should be allowed getattr access on the ext4.ini file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep colord /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:bin_t:s0
> Target Objects                /usr/local/Brother/sane/models3/ext4.ini [ file ]
> Source                        colord
> Source Path                   /usr/libexec/colord
> Port                          <Unknown>
> Host                          Jehovah.localdomain
> Source RPM Packages           colord-0.1.7-1.fc15
> Target RPM Packages           brscan3-0.2.11-4
> Policy RPM                    selinux-policy-3.9.16-26.fc15
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     Jehovah.localdomain
> Platform                      Linux Jehovah.localdomain 2.6.38.7-30.fc15.x86_64
>                                #1 SMP Fri May 27 05:15:53 UTC 2011 x86_64 x86_64
> Alert Count                   5
> First Seen                    Mon 06 Jun 2011 06:40:50 AM MDT
> Last Seen                     Tue 07 Jun 2011 05:20:41 AM MDT
> Local ID                      5284eedd-a207-486b-a7d9-09af2e567072
>
> Raw Audit Messages
> type=AVC msg=audit(1307445641.672:26): avc:  denied  { getattr } for  pid=1136 comm="colord" path="/usr/local/Brother/sane/models3/ext4.ini" dev=dm-1 ino=1325526 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1307445641.672:26): arch=x86_64 syscall=fstat success=yes exit=0 a0=12 a1=7fffa928d6a0 a2=7fffa928d6a0 a3=7fffa928d5a0 items=0 ppid=1 pid=1136 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
>
> Hash: colord,colord_t,bin_t,file,getattr
>
> audit2allow
>
> #============= colord_t ==============
> allow colord_t bin_t:file getattr;
>
> audit2allow -R
>
> #============= colord_t ==============
> allow colord_t bin_t:file getattr;
>
>

colord is required by both cups (print server) and foomatic (printer 
databases).  It looks like you are using selinux in enforcing mode which 
is preventing your printing due to the denial above (best guess on my part).

Turn off selinux and try it.  I told you how to do that offlist.  If 
that doesn't work, please note in Dan's response that there is a bug 
open for this.  You might just need to wait for the fix to hit F15 
updates-testing.  (sudo yum --enablerepo=updates-testing update).

If that doesn't work, follow Dan's advice and open a bugzilla for the 
problem.  Open against cups for now and the triagers will get it to the 
right place.  Include this selinux denial.

There is nothing else I can do to help you.  Good luck.

-- 
Regards,
OldFart


