Selinux Problems

Jim mickeyboa at sbcglobal.net
Tue Oct 6 15:45:21 UTC 2009


On 10/06/2009 10:56 AM, Daniel J Walsh wrote:
> On 10/05/2009 05:27 PM, Paolo Galtieri wrote:
>    
>> On Mon, Oct 5, 2009 at 2:13 PM, Daniel J Walsh<dwalsh at redhat.com>  wrote:
>>
>>      
>>> On 10/05/2009 03:22 PM, Paolo Galtieri wrote:
>>>        
>>>> On Mon, Oct 5, 2009 at 11:11 AM, Daniel J Walsh<dwalsh at redhat.com> wrote:
>>>>> On 10/05/2009 02:08 PM, Jim wrote:
>>>>>            
>>>>>> FC11/Kde
>>>>>>
>>>>>> Trying to print on a Samsung CLX-3175FN.
>>>>>> SELinux is playing havoc with printer drivers, these drivers are from
>>>>>> Samsung and I'm getting many SELinux alerts, too many to keep running
>>>>>> restorecon.
>>>>>> The printing is coming out with double columns with 1/8" white lines
>>>>>> down through text or pictures.
>>>>>> There are no GPL drivers for this printer, it's too new!
>>>>>>
>>>>>> If I disable SELinux, the printer will print normally.
>>>>>>
>>>>>> How do I relabel all the files on the computer?
>>>>>> Do I relabel from telinit 3 or what?
>>>>>>
>>>>>>              
>>>>> Please show me the AVCs you are seeing.  Or send me a compressed
>>>>> /var/log/audit/audit.log
>>>>>
>>>>> --
>>>>> fedora-list mailing list
>>>>> fedora-list at redhat.com
>>>>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>>>>> Guidelines:
>>>>> http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>>>>>
>>>>>            
>>>> I have seen the following SELinux alert:
>>>>
>>>> SELinux is preventing hp (hplip_t) "name_bind" howl_port_t.
>>>>
>>>> lpstat -t shows
>>>>
>>>> printer HP_Color_LaserJet_2605dn disabled since Thu 01 Oct 2009 09:36:23 AM MST -
>>>>      /usr/lib/cups/backend/hp failed
>>>>
>>>> If I change the URI associated with the printer config from
>>>>
>>>> hp:/net/HP_Color_laserjet_2605dn?zc=hpcolorjet
>>>>
>>>> to
>>>>
>>>> hp:/net/HP_Color_laserjet_2605dn?ip=192.168.10.71
>>>>
>>>> then the alerts go away.
>>>>
>>>> The printer is an HP printer and was configured using hp-setup.
>>>>
>>>> Paolo
>>>>
>>>>
>>>>          
>>> Could you grep for howl_port_t and attach the output
>>>
>>> grep howl_port_t /var/log/audit/audit.log
>>>
>>>        
>> type=AVC msg=audit(1254414474.185:50294): avc:  denied  { name_bind } for
>> pid=18462 comm="hp" src=5353
>> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>> type=AVC msg=audit(1254414573.360:50295): avc:  denied  { name_bind } for
>> pid=18499 comm="hp" src=5353
>> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>> type=AVC msg=audit(1254414980.894:50346): avc:  denied  { name_bind } for
>> pid=18699 comm="hp" src=5353
>> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>> type=AVC msg=audit(1254415674.640:50382): avc:  denied  { name_bind } for
>> pid=18942 comm="hp" src=5353
>> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>> type=AVC msg=audit(1254415783.474:50425): avc:  denied  { name_bind } for
>> pid=19012 comm="hp" src=5353
>> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>> type=AVC msg=audit(1254415964.178:50441): avc:  denied  { name_bind } for
>> pid=19154 comm="hp" src=5353
>> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>>
>> Paolo
>>
>>
>>      
> I guess the question is why does the hplip want to listen on the Multicast DNS port.  If this is supposed to happen, we need to add it to policy.
>
> You can add it for now using audit2allow
>
> # grep hplip_t /var/log/audit/audit.log | audit2allow -M myhplip
> # semodule -i myhplip.pp
>
>    
I have a problem with DNS in FC11, FC12 and in a file
/etc/dhclient-eth0.conf I have the line:

prepend domain-name-servers 127.0.0.1;

And DNSmasq is enabled.


And in Firefox config I have:

network.dns.disableIPv6
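
Added example, not part of the original thread or of any Fedora tooling: a short Python script that summarises which denials a `grep hplip_t /var/log/audit/audit.log | audit2allow -M myhplip` run would sweep into the module, so the resulting rules can be reviewed before `semodule -i`. The third sample record and the type `example_file_t` are constructed placeholders, and the rule text is only an approximation of audit2allow's output.

```python
import re
from collections import Counter

# Sample input: two denials quoted in the thread (still mail-wrapped and
# ">>"-quoted) plus one constructed denial using a placeholder target type.
SAMPLE = """\
>> type=AVC msg=audit(1254414474.185:50294): avc:  denied  { name_bind } for
>> pid=18462 comm="hp" src=5353
>> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
>> type=AVC msg=audit(1254414573.360:50295): avc:  denied  { name_bind } for
>> pid=18499 comm="hp" src=5353
>> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
>> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254415000.000:50400): avc:  denied  { read write } for pid=1 comm="hp" name="x" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:(?P<tgt>[^:\s]+)\S*\s+tclass=(?P<cls>\S+)")

def unwrap(text):
    """Strip mail quote markers and rejoin records wrapped across lines."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^[>\s]+", "", line).strip()
        if line.startswith("type=") or (line and not records):
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records

def summarize(text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for rec in unwrap(text):
        m = AVC_RE.search(rec)
        for perm in (m["perms"].split() if m else []):
            counts[m["src"], m["tgt"], m["cls"], perm] += 1
    return counts

def allow_rules(counts):
    """One policy-style rule per (source, target, class) for human review."""
    merged = {}
    for src, tgt, cls, perm in counts:
        merged.setdefault((src, tgt, cls), set()).add(perm)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
    print("\n".join(allow_rules(summarize(SAMPLE))))
```

Any rule in the output beyond the `howl_port_t` bind is one the broad `grep hplip_t` filter would also have allowed; narrowing the grep to `howl_port_t` keeps the local module to the single denial under discussion.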




