printer creation in RPM scriptlet

Daniel J Walsh dwalsh at redhat.com
Tue Nov 29 16:47:16 UTC 2005


Matthew Saltzman wrote:
> I tried installing 
> http://remi.collet.free.fr/rpms/fc4.i386/cups-pdf-2.0.0-0.1.fc4.remi.i386.rpm. 
> The RPM has the following post-install scriptlet:
>
> if [ "$1" -eq "1" ]; then
>         /etc/init.d/cups restart
>         (       /usr/sbin/lpadmin -p Cups-PDF -v cups-pdf:/ -m PostscriptColor.ppd -E &&
>                 echo Cups-PDF printer created
>         ) || true
> fi
>
> With selinux-policy-targeted-1.27.1-2.11 in enforcing mode, the 
> lpadmin command fails with error:
>
>     lpadmin: add-printer (set device) failed: client-error-not-possible
>
> In permissive mode, the install proceeds without problem.
>
> The relevant audit.log entries are:
>
> type=AVC msg=audit(1133045911.757:788): avc:  denied  { ioctl } for 
> pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs 
> ino=7217936 scontext=root:system_r:cupsd_config_t 
> tcontext=root:system_r:unconfined_t tclass=fifo_file
>
> type=SYSCALL msg=audit(1133045911.757:788): arch=40000003 syscall=54 
> success=no exit=-13 a0=0 a1=5401 a2=bfd10098 a3=bfd100d8 items=0 
> pid=20774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 comm="printconf-backe" exe="/usr/bin/python"
>
> type=AVC_PATH msg=audit(1133045911.757:788):  path="pipe:[7217936]"
>
> type=AVC msg=audit(1133045911.757:789): avc:  denied  { getattr } for 
> pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs 
> ino=7217936 scontext=root:system_r:cupsd_config_t 
> tcontext=root:system_r:unconfined_t tclass=fifo_file
>
> type=SYSCALL msg=audit(1133045911.757:789): arch=40000003 syscall=197 
> success=no exit=-13 a0=0 a1=bfd0fffc a2=960ff4 a3=b7ec4020 items=0 
> pid=20774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 comm="printconf-backe" exe="/usr/bin/python"
>
> type=AVC_PATH msg=audit(1133045911.757:789):  path="pipe:[7217936]"
>
> type=AVC msg=audit(1133045911.781:790): avc:  denied  { ioctl } for 
> pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs 
> ino=7217936 scontext=root:system_r:cupsd_config_t 
> tcontext=root:system_r:unconfined_t tclass=fifo_file
>
> type=SYSCALL msg=audit(1133045911.781:790): arch=40000003 syscall=54 
> success=no exit=-13 a0=0 a1=5401 a2=bfd0ffb8 a3=bfd0fff8 items=0 
> pid=20774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 
> sgid=0 fsgid=0 comm="printconf-backe" exe="/usr/bin/python"
>
> type=AVC_PATH msg=audit(1133045911.781:790):  path="pipe:[7217936]"
>
> type=AVC msg=audit(1133045912.273:791): avc:  denied  { getattr } for 
> pid=20787 comm="cups-pdf" name="SPOOL" dev=dm-0 ino=737988 
> scontext=root:system_r:cupsd_t tcontext=system_u:object_r:var_spool_t 
> tclass=dir
>
> type=SYSCALL msg=audit(1133045912.273:791): arch=40000003 syscall=195 
> success=no exit=-13 a0=8057f20 a1=bf9c9a6c a2=960ff4 a3=bf9c9a6c 
> items=1 pid=20787 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 
> egid=7 sgid=7 fsgid=7 comm="cups-pdf" 
> exe="/usr/lib/cups/backend/cups-pdf"
>
> type=AVC_PATH msg=audit(1133045912.273:791): 
> path="/var/spool/cups-pdf/SPOOL"
>
> type=CWD msg=audit(1133045912.273:791):  cwd="/"
>
> type=PATH msg=audit(1133045912.273:791): item=0 
> name="/var/spool/cups-pdf/SPOOL" flags=1  inode=737988 dev=fd:00 
> mode=040755 ouid=0 ogid=0 rdev=00:00
>
Fixed in selinux-policy-targeted-1.27.1-2.15

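An added example, not part of the original thread: a small triage script that groups the AVC denials quoted above by source type, target type and object class. The function names are hypothetical, and the rendered `allow` lines are a review aid only; they are not the change shipped in selinux-policy-targeted-1.27.1-2.15, which the thread does not describe.

```python
import re
from collections import defaultdict

# AVC records from the audit.log excerpt in the message above, re-joined onto
# single lines (the mail client wrapped them); one SYSCALL record kept as noise.
SAMPLE_LOG = '''\
type=AVC msg=audit(1133045911.757:788): avc:  denied  { ioctl } for pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936 scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t tclass=fifo_file
type=SYSCALL msg=audit(1133045911.757:788): arch=40000003 syscall=54 success=no exit=-13 a0=0 a1=5401 a2=bfd10098 a3=bfd100d8 items=0 pid=20774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="printconf-backe" exe="/usr/bin/python"
type=AVC msg=audit(1133045911.757:789): avc:  denied  { getattr } for pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936 scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t tclass=fifo_file
type=AVC msg=audit(1133045911.781:790): avc:  denied  { ioctl } for pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936 scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t tclass=fifo_file
type=AVC msg=audit(1133045912.273:791): avc:  denied  { getattr } for pid=20787 comm="cups-pdf" name="SPOOL" dev=dm-0 ino=737988 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:var_spool_t tclass=dir
'''

AVC_RE = re.compile(r'^type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A context is user:role:type, optionally followed by an MLS level.
    return context.split(':')[2]

def summarize(log_text):
    """Group denials by (source type, target type, object class)."""
    summary = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for line in log_text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue  # SYSCALL, AVC_PATH, CWD, PATH records carry no denial tuple
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        key = (selinux_type(fields['scontext']),
               selinux_type(fields['tcontext']), fields['tclass'])
        entry = summary[key]
        entry['perms'].update(m.group(1).split())
        entry['comms'].add(fields['comm'])
        entry['count'] += 1
    return dict(summary)

def as_rules(summary):
    """Render each group in policy-rule syntax, for review only."""
    return sorted('allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(e['perms'])))
                  for (s, t, c), e in summary.items())

if __name__ == '__main__':
    for rule in as_rules(summarize(SAMPLE_LOG)):
        print(rule)
```

The two groups separate the failures: the `cupsd_config_t` denials are on a pipe inherited from the unconfined process that ran the scriptlet, while the `cupsd_t` denial is the backend touching a spool directory labelled `var_spool_t`.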