SELinux is preventing hp (hplip_t) read write to socket (cupsd_t).
Hi,

I have an attached printer on a SL5.3 system. SELinux prevents printing with the following sealert message:

Summary:

SELinux is preventing hp (hplip_t) read write to socket (cupsd_t).

Detailed Description:

SELinux denied access requested by hp. It is not expected that this access is required by hp and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:hplip_t:SystemLow-SystemHigh
Target Context                system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Objects                socket [ unix_stream_socket ]
Source                        hp
Source Path                   /usr/lib/cups/backend/hp
Port                          Unknown
Host                          beauty
Source RPM Packages           hplip-1.6.7-4.1.el5_2.4
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     beauty
Platform                      Linux beauty 2.6.18-128.1.6.el5 #1 SMP Wed Apr 1 07:03:59 EDT 2009 i686 i686
Alert Count                   8
First Seen                    Thu Apr 23 11:19:05 2009
Last Seen                     Wed May 6 14:30:08 2009
Local ID                      ba70412d-c28b-4706-a7b4-307382d8e97e
Line Numbers

Raw Audit Messages

host=beauty type=AVC msg=audit(1241645408.355:12867): avc: denied { read write } for pid=7124 comm=hp path=socket:[587466] dev=sockfs ino=587466 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket

host=beauty type=AVC msg=audit(1241645408.355:12867): avc: denied { read write } for pid=7124 comm=hp path=socket:[587465] dev=sockfs ino=587465 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket

host=beauty type=AVC msg=audit(1241645408.355:12867): avc: denied { read write } for pid=7124 comm=hp path=socket:[587466] dev=sockfs ino=587466 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket

host=beauty type=SYSCALL msg=audit(1241645408.355:12867): arch=4003 syscall=11 success=yes exit=0 a0=bfe57794 a1=834afd8 a2=bfe560e0 a3=bfe55ea0 items=0 ppid=2608 pid=7124 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=hp exe=/usr/lib/cups/backend/hp subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)

Other than turning off SELinux, how may this be fixed? Is there an update coming which will fix this problem?

NOTE: This problem is not experienced when printing to networked printers.

Philip

Re: SELinux is preventing hp (hplip_t) read write to socket (cupsd_t).
Philip Goisman wrote:

> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

snip

> Other than turning off SELinux, how may this be fixed? Is there an update coming which will fix this problem?

As it says, by generating a local policy module to allow this access.

There's a HowTo on the CentOS Wiki that covers generating custom SELinux policy modules (section 7) with examples:

http://wiki.centos.org/HowTos/SELinux

Hope that helps,

Phil