printer creation in RPM scriptlet
Daniel J Walsh
dwalsh at redhat.com
Tue Nov 29 16:47:16 UTC 2005
Matthew Saltzman wrote:
> I tried installing
> http://remi.collet.free.fr/rpms/fc4.i386/cups-pdf-2.0.0-0.1.fc4.remi.i386.rpm.
> The RPM has the following post-install scriptlet:
>
> if [ "$1" -eq "1" ]; then
>     /etc/init.d/cups restart
>     ( /usr/sbin/lpadmin -p Cups-PDF -v cups-pdf:/ -m PostscriptColor.ppd -E &&
>       echo Cups-PDF printer created
>     ) || true
> fi
>
> With selinux-policy-targeted-1.27.1-2.11 in enforcing mode, the
> lpadmin command fails with error:
>
> lpadmin: add-printer (set device) failed: client-error-not-possible
>
> In permissive mode, the install proceeds without problem.
>
> The relevant audit.log entries are:
>
> type=AVC msg=audit(1133045911.757:788): avc: denied { ioctl } for
> pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs
> ino=7217936 scontext=root:system_r:cupsd_config_t
> tcontext=root:system_r:unconfined_t tclass=fifo_file
>
> type=SYSCALL msg=audit(1133045911.757:788): arch=40000003 syscall=54
> success=no exit=-13 a0=0 a1=5401 a2=bfd10098 a3=bfd100d8 items=0
> pid=20774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 comm="printconf-backe" exe="/usr/bin/python"
>
> type=AVC_PATH msg=audit(1133045911.757:788): path="pipe:[7217936]"
>
> type=AVC msg=audit(1133045911.757:789): avc: denied { getattr } for
> pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs
> ino=7217936 scontext=root:system_r:cupsd_config_t
> tcontext=root:system_r:unconfined_t tclass=fifo_file
>
> type=SYSCALL msg=audit(1133045911.757:789): arch=40000003 syscall=197
> success=no exit=-13 a0=0 a1=bfd0fffc a2=960ff4 a3=b7ec4020 items=0
> pid=20774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 comm="printconf-backe" exe="/usr/bin/python"
>
> type=AVC_PATH msg=audit(1133045911.757:789): path="pipe:[7217936]"
>
> type=AVC msg=audit(1133045911.781:790): avc: denied { ioctl } for
> pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs
> ino=7217936 scontext=root:system_r:cupsd_config_t
> tcontext=root:system_r:unconfined_t tclass=fifo_file
>
> type=SYSCALL msg=audit(1133045911.781:790): arch=40000003 syscall=54
> success=no exit=-13 a0=0 a1=5401 a2=bfd0ffb8 a3=bfd0fff8 items=0
> pid=20774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 comm="printconf-backe" exe="/usr/bin/python"
>
> type=AVC_PATH msg=audit(1133045911.781:790): path="pipe:[7217936]"
>
> type=AVC msg=audit(1133045912.273:791): avc: denied { getattr } for
> pid=20787 comm="cups-pdf" name="SPOOL" dev=dm-0 ino=737988
> scontext=root:system_r:cupsd_t tcontext=system_u:object_r:var_spool_t
> tclass=dir
>
> type=SYSCALL msg=audit(1133045912.273:791): arch=40000003 syscall=195
> success=no exit=-13 a0=8057f20 a1=bf9c9a6c a2=960ff4 a3=bf9c9a6c
> items=1 pid=20787 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
> egid=7 sgid=7 fsgid=7 comm="cups-pdf"
> exe="/usr/lib/cups/backend/cups-pdf"
>
> type=AVC_PATH msg=audit(1133045912.273:791):
> path="/var/spool/cups-pdf/SPOOL"
>
> type=CWD msg=audit(1133045912.273:791): cwd="/"
>
> type=PATH msg=audit(1133045912.273:791): item=0
> name="/var/spool/cups-pdf/SPOOL" flags=1 inode=737988 dev=fd:00
> mode=040755 ouid=0 ogid=0 rdev=00:00
>
Fixed in selinux-policy-targeted-1.27.1-2.15
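
An added example, not part of the original thread or of the policy fix: a small triage script that groups AVC denials like those quoted above by source type, target type and class, and joins each one to the executable from its SYSCALL record. The sample is constructed from the quoted entries and assumes one record per line, as in an unwrapped audit.log; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the quoted entries, one record per line.
SAMPLE = """\
type=AVC msg=audit(1133045911.757:788): avc: denied { ioctl } for pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936 scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t tclass=fifo_file
type=SYSCALL msg=audit(1133045911.757:788): arch=40000003 syscall=54 success=no exit=-13 pid=20774 comm="printconf-backe" exe="/usr/bin/python"
type=AVC msg=audit(1133045911.757:789): avc: denied { getattr } for pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936 scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t tclass=fifo_file
type=SYSCALL msg=audit(1133045911.757:789): arch=40000003 syscall=197 success=no exit=-13 pid=20774 comm="printconf-backe" exe="/usr/bin/python"
type=AVC msg=audit(1133045912.273:791): avc: denied { getattr } for pid=20787 comm="cups-pdf" name="SPOOL" dev=dm-0 ino=737988 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:var_spool_t tclass=dir
type=SYSCALL msg=audit(1133045912.273:791): arch=40000003 syscall=195 success=no exit=-13 pid=20787 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def summarize(log_text):
    """Group AVC denials by (source type, target type, class)."""
    exe_by_serial, denials = {}, []
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "SYSCALL":
            exe_by_serial[serial] = fields.get("exe", "?")
        elif rtype == "AVC" and (d := DENIED.search(body)):
            denials.append((serial, d.group(1).split(), fields))
    summary = defaultdict(lambda: {"perms": set(), "exes": set()})
    for serial, perms, f in denials:
        # The SELinux type is the third field of user:role:type[:level].
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        summary[key]["perms"].update(perms)
        # Records sharing a serial number belong to the same audit event.
        summary[key]["exes"].add(exe_by_serial.get(serial, "?"))
    return dict(summary)

def as_rules(summary):
    """Render each group in allow-rule syntax, as input to a policy review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};"
            for (s, t, c), v in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```
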