FC5 CUPS and Netatalk (fixed?)

Tony Nelson tonynelson at georgeanelson.com
Thu Apr 20 02:47:39 UTC 2006


I've just fixed an SELinux policy issue on FC5, printing via CUPS to a
printer connected via Netatalk (AppleTalk).

I upgrade installed from FC3 to FC5.  I had Netatalk 1.6.x on FC3, with
SELinux enforcing, and could print via CUPS over Ethernet to a printer on a
Mac on LocalTalk.  After the upgrade (and getting Netatalk working again)
it would only print with SELinux in permissive mode. After a few tries, I
collected the following AVC messages and used audit2allow to make the
module below, installed it, and printing works again.

I don't know if this module is exactly right, or even if it is generally
needed by CUPS or only for PAP with Netatalk.

type=AVC msg=audit(1145484476.381:82): avc:  denied  { create } for  pid=8035 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145485638.551:86): avc:  denied  { bind } for  pid=8215 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145485978.490:91): avc:  denied  { getattr } for  pid=8291 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145486131.769:96): avc:  denied  { write } for  pid=8336 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket
type=AVC msg=audit(1145486380.729:103): avc:  denied  { read } for  pid=8408 comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket

------- pap.te -------
module pap 1.0;

require {
	class socket { bind create getattr read write }; 

	type cupsd_t; 
};

allow cupsd_t self:socket { bind create getattr read write };
-------
____________________________________________________________________
TonyN.:'                       <mailto:tonynelson at georgeanelson.com>
      '                              <http://www.georgeanelson.com/>
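
How the five denials above collapse into the single allow rule in pap.te, as an added example that is not part of the original post and is not audit2allow's own code: a Python parser that groups AVC denials by source type, target type and object class. The log lines are rebuilt from the values in the message; the names `allow_rules`, `type_of`, `TEMPLATE` and `SAMPLE` are illustrative.

```python
import re
from collections import defaultdict

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')
COMM_RE = re.compile(r'comm="([^"]*)"')

# Log lines rebuilt from the (timestamp:serial, permission, pid) values in the post.
TEMPLATE = ('type=AVC msg=audit({stamp}): avc:  denied  {{ {perm} }} for  pid={pid} '
            'comm="pap" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 '
            'tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tclass=socket')
SAMPLE = [TEMPLATE.format(stamp=s, perm=p, pid=i) for s, p, i in [
    ("1145484476.381:82", "create", 8035),
    ("1145485638.551:86", "bind", 8215),
    ("1145485978.490:91", "getattr", 8291),
    ("1145486131.769:96", "write", 8336),
    ("1145486380.729:103", "read", 8408),
]]

def type_of(context):
    """Return the type, the third colon-separated field of a security context."""
    return context.split(":")[2]

def allow_rules(lines):
    """Return [(allow rule, [comm, ...])], one rule per (source, target, class)."""
    perms, comms = defaultdict(set), defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # skip records that are not AVC denials
        src, tgt = type_of(m["s"]), type_of(m["t"])
        if src == tgt:
            tgt = "self"  # same source and target type is written as 'self'
        key = (src, tgt, m["cls"])
        perms[key].update(m["perms"].split())
        c = COMM_RE.search(line)
        if c:
            comms[key].add(c.group(1))
    return [(f"allow {s} {t}:{cls} {{ {' '.join(sorted(p))} }};", sorted(comms[(s, t, cls)]))
            for (s, t, cls), p in sorted(perms.items())]

if __name__ == "__main__":
    for rule, seen in allow_rules(SAMPLE):
        print(rule, "# denied for comm:", ", ".join(seen))
```

The comm list shows that only `pap` triggered these denials, while the resulting rule grants the socket permissions to every process running in `cupsd_t`.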