SELinux is preventing hp (hplip_t) read write to socket (cupsd_t).
Hi,
I have an attached printer on a SL5.3 system. SELinux prevents printing with
the
following sealert message:
Summary:
SELinux is preventing hp (hplip_t) read write to socket (cupsd_t).
Detailed Description:
SELinux denied access requested by hp. It is not expected that this access is
required by hp and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Contextsystem_u:system_r:hplip_t:SystemLow-SystemHigh
Target Contextsystem_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Objectssocket [ unix_stream_socket ]
Sourcehp
Source Path /usr/lib/cups/backend/hp
Port Unknown
Host beauty
Source RPM Packages hplip-1.6.7-4.1.el5_2.4
Target RPM Packages
Policy RPMselinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing ModeEnforcing
Plugin Name catchall
Host Name beauty
Platform Linux beauty 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1
07:03:59 EDT 2009 i686 i686
Alert Count 8
First SeenThu Apr 23 11:19:05 2009
Last Seen Wed May 6 14:30:08 2009
Local ID ba70412d-c28b-4706-a7b4-307382d8e97e
Line Numbers
Raw Audit Messages
host=beauty type=AVC msg=audit(1241645408.355:12867): avc: denied { read
write } for pid=7124 comm=hp path=socket:[587466] dev=sockfs ino=587466
scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
host=beauty type=AVC msg=audit(1241645408.355:12867): avc: denied { read
write } for pid=7124 comm=hp path=socket:[587465] dev=sockfs ino=587465
scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
host=beauty type=AVC msg=audit(1241645408.355:12867): avc: denied { read
write } for pid=7124 comm=hp path=socket:[587466] dev=sockfs ino=587466
scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
host=beauty type=SYSCALL msg=audit(1241645408.355:12867): arch=4003
syscall=11 success=yes exit=0 a0=bfe57794 a1=834afd8 a2=bfe560e0 a3=bfe55ea0
items=0 ppid=2608 pid=7124 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4
egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=hp
exe=/usr/lib/cups/backend/hp subj=system_u:system_r:hplip_t:s0-s0:c0.c1023
key=(null)
Other than turning off SELinux, how may this be fixed? Is there an update
coming which will
fix this problem?
NOTE: This problem is not experienced when printing to networked printers.
Philip
Re: SELinux is preventing hp (hplip_t) read write to socket (cupsd_t).
Philip Goisman wrote: Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. snip Other than turning off SELinux, how may this be fixed? Is there an update coming which will fix this problem? As it says, by generating a local policy module to allow this access. There's a HowTo on the CentOS Wiki that covers generating custom SELinux policy modules (section 7) with examples: http://wiki.centos.org/HowTos/SELinux Hope that helps, Phil
