https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160292 says that this bug is fixed in selinux-policy-targeted-1.23.18-12. I'm running 1.23.18-16 (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161383) and this bug is definitely present.
I've tried futzing with cupsd_lpd_disable_trans and cupsd_config_disable_trans to no avail. (Are these documented anywhere?)
Am I nuts?
Ian Pilcher wrote:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160292 says that this bug is fixed in selinux-policy-targeted-1.23.18-12. I'm running 1.23.18-16 (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161383) and this bug is definitely present.
I've tried futzing with cupsd_lpd_disable_trans and cupsd_config_disable_trans to no avail. (Are these documented anywhere?)
Am I nuts?
Probably not. What avc messages are you seeing?
Dan
Daniel J Walsh wrote:
Probably not. What avc messages are you seeing?
Clean install of selinux-policy-targeted-1.23.18-17:
* rpm -e selinux-policy-targeted
* rm -rf /etc/selinux
* yum install selinux-policy-targeted
* reboot
Printer is set as shared in printconf-gui and LPD is enabled. xinetd is running and cups-lpd is enabled. ('nmap localhost' shows port 515 is open.) Try "Print Test Page" on my Windows XP laptop which has this printer configured.
/var/log/secure:
Jun 29 19:48:33 home xinetd[2014]: START: printer pid=5767 from=192.168.1.128
/var/log/messages:
Jun 29 19:48:33 home cups-lpd[5767]: Unable to get client address - Socket operation on non-socket
Jun 29 19:48:33 home cups-lpd[5767]: Unable to get command line from client!
/var/log/audit/audit.log:
type=AVC msg=audit(1120092513.256:10611097): avc: denied { read write } for pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
type=AVC msg=audit(1120092513.256:10611097): avc: denied { read write } for pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
type=AVC msg=audit(1120092513.256:10611097): avc: denied { read write } for pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
type=PATH msg=audit(1120092513.256:10611097): item=1 inode=362148 dev=09:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1120092513.256:10611097): item=0 name="/usr/lib/cups/daemon/cups-lpd" inode=295106 dev=09:03 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC_PATH msg=audit(1120092513.256:10611097): path="socket:[11317]"
type=AVC_PATH msg=audit(1120092513.256:10611097): path="socket:[11317]"
type=AVC_PATH msg=audit(1120092513.256:10611097): path="socket:[11317]"
type=SYSCALL msg=audit(1120092513.256:10611097): arch=40000003 syscall=11 success=yes exit=0 a0=9d7e678 a1=9d7e668 a2=9d7ee10 a3=bfed5ba4 items=2 pid=5767 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 comm="cups-lpd" exe="/usr/lib/cups/daemon/cups-lpd"
(The same messages, with different PIDs, are repeated, presumably as Windows retries the job.)
getsebool -a:
NetworkManager_disable_trans --> inactive
allow_execmem --> active
allow_execmod --> active
allow_execstack --> active
allow_kerberos --> active
allow_write_xshm --> inactive
allow_ypbind --> active
apmd_disable_trans --> inactive
arpwatch_disable_trans --> inactive
auditd_disable_trans --> inactive
bluetooth_disable_trans --> inactive
canna_disable_trans --> inactive
cardmgr_disable_trans --> inactive
comsat_disable_trans --> inactive
cupsd_config_disable_trans --> inactive
cupsd_disable_trans --> inactive
cupsd_lpd_disable_trans --> inactive
cvs_disable_trans --> inactive
cyrus_disable_trans --> inactive
dbskkd_disable_trans --> inactive
dhcpc_disable_trans --> inactive
dhcpd_disable_trans --> inactive
dovecot_disable_trans --> inactive
fingerd_disable_trans --> inactive
ftp_home_dir --> active
ftpd_disable_trans --> inactive
ftpd_is_daemon --> active
hald_disable_trans --> inactive
hotplug_disable_trans --> inactive
howl_disable_trans --> inactive
hplip_disable_trans --> inactive
httpd_builtin_scripting --> active
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_suexec_disable_trans --> inactive
httpd_tty_comm --> inactive
httpd_unified --> active
i18n_input_disable_trans --> inactive
inetd_child_disable_trans --> inactive
inetd_disable_trans --> inactive
innd_disable_trans --> inactive
kadmind_disable_trans --> inactive
klogd_disable_trans --> inactive
krb5kdc_disable_trans --> inactive
ktalkd_disable_trans --> inactive
lpd_disable_trans --> inactive
mysqld_disable_trans --> inactive
named_disable_trans --> inactive
named_write_master_zones --> inactive
nfs_export_all_ro --> active
nfs_export_all_rw --> active
nmbd_disable_trans --> inactive
nscd_disable_trans --> inactive
ntpd_disable_trans --> inactive
portmap_disable_trans --> inactive
postgresql_disable_trans --> inactive
pppd_disable_trans --> inactive
pppd_for_user --> inactive
privoxy_disable_trans --> inactive
ptal_disable_trans --> inactive
radiusd_disable_trans --> inactive
radvd_disable_trans --> inactive
read_default_t --> active
rlogind_disable_trans --> inactive
rsync_disable_trans --> inactive
samba_enable_home_dirs --> inactive
saslauthd_disable_trans --> inactive
slapd_disable_trans --> inactive
smbd_disable_trans --> inactive
snmpd_disable_trans --> inactive
squid_connect_any --> inactive
squid_disable_trans --> inactive
stunnel_disable_trans --> inactive
stunnel_is_daemon --> inactive
syslogd_disable_trans --> inactive
system_dbusd_disable_trans --> inactive
telnetd_disable_trans --> inactive
tftpd_disable_trans --> inactive
udev_disable_trans --> inactive
use_nfs_home_dirs --> inactive
use_samba_home_dirs --> inactive
user_ping --> inactive
uucpd_disable_trans --> inactive
winbind_disable_trans --> inactive
ypbind_disable_trans --> inactive
ypserv_disable_trans --> inactive
zebra_disable_trans --> inactive
Thanks!
I'm not sure what did the trick (possibly relabeling the whole root filesystem), but this problem has gone away.
I do still get the following in /var/log/audit/audit.log when I print, but it doesn't seem to make a difference.
type=PATH msg=audit(1120753044.639:1494072): item=0 name="/etc/cups/lpoptions" flags=101 inode=3081109 dev=09:03 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=Unknown msg=audit(1120753044.639:1494072): cwd="/"
type=SYSCALL msg=audit(1120753044.639:1494072): arch=40000003 syscall=5 success=no exit=-13 a0=261e8a a1=0 a2=1b6 a3=98a8798 items=1 pid=3208 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 comm="cups-lpd" exe="/usr/lib/cups/daemon/cups-lpd"
type=AVC msg=audit(1120753044.639:1494072): avc: denied { read } for pid=3208 comm="cups-lpd" name="lpoptions" dev=md3 ino=3081109 scontext=system_u:system_r:cupsd_lpd_t tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
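An added example, not part of this thread or of the SELinux tooling: a small Python parser that reads audit records like the ones quoted in both posts above (the sample below is constructed from them), groups denials by event serial, collapses the triplicated socket AVC, emits the audit2allow-style rule each denial implies, and attaches the syscall outcome so it is visible that the first event's execve succeeded (exit=0, the process ran but its inherited socket was unusable) while the later open of lpoptions actually failed (exit=-13), and that the source domain differs between them (cupsd_t versus cupsd_lpd_t).

```python
import re

# Constructed sample: the AVC and SYSCALL records quoted in this thread,
# trimmed to the fields the summary needs.
SAMPLE_LOG = """\
type=AVC msg=audit(1120092513.256:10611097): avc: denied { read write } for pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
type=AVC msg=audit(1120092513.256:10611097): avc: denied { read write } for pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
type=AVC msg=audit(1120092513.256:10611097): avc: denied { read write } for pid=5767 comm="cups-lpd" name=[11317] dev=sockfs ino=11317 scontext=system_u:system_r:cupsd_t tcontext=system_u:system_r:inetd_t tclass=tcp_socket
type=SYSCALL msg=audit(1120092513.256:10611097): arch=40000003 syscall=11 success=yes exit=0 pid=5767 comm="cups-lpd" exe="/usr/lib/cups/daemon/cups-lpd"
type=SYSCALL msg=audit(1120753044.639:1494072): arch=40000003 syscall=5 success=no exit=-13 pid=3208 comm="cups-lpd" exe="/usr/lib/cups/daemon/cups-lpd"
type=AVC msg=audit(1120753044.639:1494072): avc: denied { read } for pid=3208 comm="cups-lpd" name="lpoptions" dev=md3 ino=3081109 scontext=system_u:system_r:cupsd_lpd_t tcontext=system_u:object_r:cupsd_rw_etc_t tclass=file
"""

AVC_RE = re.compile(
    r'msg=audit\((?P<event>[\d.]+:\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=\w+:\w+:(?P<sdom>\w+) tcontext=\w+:\w+:(?P<ttype>\w+) tclass=(?P<tclass>\w+)')
SYSCALL_RE = re.compile(
    r'msg=audit\((?P<event>[\d.]+:\d+)\): .*?syscall=(?P<nr>\d+) '
    r'success=(?P<ok>yes|no) exit=(?P<exit>-?\d+)')

def summarize_denials(log_text):
    """Return {event_serial: {'rules': set of allow rules, 'syscall': (nr, ok, exit)}}.
    Identical AVC records are collapsed: one execve revalidates the inherited
    fds 0, 1 and 2, which here are all the same xinetd socket, so the same
    denial is logged three times for a single event."""
    events = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            ev = events.setdefault(m['event'], {'rules': set(), 'syscall': None})
            perms = ' '.join(sorted(m['perms'].split()))
            ev['rules'].add(f"allow {m['sdom']} {m['ttype']}:{m['tclass']} {{ {perms} }};")
            continue
        m = SYSCALL_RE.search(line)  # SYSCALL may precede or follow its AVCs
        if m:
            ev = events.setdefault(m['event'], {'rules': set(), 'syscall': None})
            ev['syscall'] = (int(m['nr']), m['ok'] == 'yes', int(m['exit']))
    return events

if __name__ == '__main__':
    for serial, ev in summarize_denials(SAMPLE_LOG).items():
        nr, ok, code = ev['syscall']
        outcome = 'syscall succeeded despite denial' if ok else f'syscall failed, exit={code}'
        print(serial, f'syscall={nr}', outcome)
        for rule in sorted(ev['rules']):
            print('   ', rule)
```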