Selinux Problems

Daniel J Walsh dwalsh at redhat.com
Tue Oct 6 14:56:21 UTC 2009


On 10/05/2009 05:27 PM, Paolo Galtieri wrote:
> On Mon, Oct 5, 2009 at 2:13 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
>> On 10/05/2009 03:22 PM, Paolo Galtieri wrote:
>>> On Mon, Oct 5, 2009 at 11:11 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>
>>>> On 10/05/2009 02:08 PM, Jim wrote:
>>>>> FC11/Kde
>>>>>
>>>>> Trying to print on a Samsung CLX-3175FN.
>>>>> SELinux is playing havoc with printer drivers, these drivers are from
>>>>> Samsung and I'm getting many SELinux Alerts, too many to keep running
>>>>> Restorecon.
>>>>> The printing is coming out with double columns with 1/8" white lines
>>>>> down through text or pictures.
>>>>> There are no GPL drivers for this printer, it's too new!
>>>>>
>>>>> If I disable SELinux, the printer will print normally.
>>>>>
>>>>> How do I relabel all the files on the computer?
>>>>> Do I relabel from telinit 3 or what?
>>>>>
>>>> Please show me the AVCs you are seeing.  Or send me a compressed
>>>> /var/log/audit/audit.log
>>>>
>>>> --
>>>> fedora-list mailing list
>>>> fedora-list at redhat.com
>>>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>>>> Guidelines:
>>>> http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
>>>>
>>>
>>> I have seen the following SELinux alert:
>>>
>>> SELinux is preventing hp (hplip_t) "name_bind" howl_port_t.
>>>
>>> lpstat -t shows
>>>
>>> printer HP_Color_LaserJet_2605dn disabled since Thu 01 Oct 2009 09:36:23 AM MST -
>>>     /usr/lib/cups/backend/hp failed
>>>
>>> If I change the URI associated with the printer config from
>>>
>>> hp:/net/HP_Color_laserjet_2605dn?zc=hpcolorjet
>>>
>>> to
>>>
>>> hp:/net/HP_Color_laserjet_2605dn?ip=192.168.10.71
>>>
>>> then the alerts go away.
>>>
>>> The printer is an HP printer and was configured using hp-setup.
>>>
>>> Paolo
>>>
>>>
>> Could you grep for howl_port_t and attach the output
>>
>> grep howl_port_t /var/log/audit/audit.log
>>
>>
> 
> type=AVC msg=audit(1254414474.185:50294): avc:  denied  { name_bind } for
> pid=18462 comm="hp" src=5353
> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254414573.360:50295): avc:  denied  { name_bind } for
> pid=18499 comm="hp" src=5353
> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254414980.894:50346): avc:  denied  { name_bind } for
> pid=18699 comm="hp" src=5353
> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254415674.640:50382): avc:  denied  { name_bind } for
> pid=18942 comm="hp" src=5353
> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254415783.474:50425): avc:  denied  { name_bind } for
> pid=19012 comm="hp" src=5353
> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> type=AVC msg=audit(1254415964.178:50441): avc:  denied  { name_bind } for
> pid=19154 comm="hp" src=5353
> scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
> 
> Paolo
> 
> 
I guess the question is why does the hplip want to listen on the Multicast DNS port.  If this is supposed to happen, we need to add it to policy.

You can add it for now using audit2allow

# grep hplip_t /var/log/audit/audit.log | audit2allow -M myhplip
# semodule -i myhplip.pp
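
Added example, not part of the original message: the grep above hands every hplip_t denial in the log to audit2allow, so it is worth seeing what those denials collapse to before loading the module. This Python script groups AVC records by source type, target type and class and prints them in allow-rule syntax; the third sample record and the type example_t are constructed, and the rendering only approximates audit2allow output.

```python
import re
from collections import defaultdict

# Records 1-2 are denials quoted in the thread, re-joined onto one line each;
# record 3 (and the type example_t) is constructed to show grouping.
SAMPLE = """\
type=AVC msg=audit(1254414474.185:50294): avc:  denied  { name_bind } for pid=18462 comm="hp" src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254414573.360:50295): avc:  denied  { name_bind } for pid=18499 comm="hp" src=5353 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1254414600.000:50300): avc:  denied  { read write } for pid=18500 comm="hp" name="example" scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_t:s0 tclass=file
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    # A context is user:role:type:level; the type is the third field.
    return {"perms": m.group("perms").split(), "port": f.get("src"), "tclass": f["tclass"],
            "source": f["scontext"].split(":")[2], "target": f["tcontext"].split(":")[2]}

def summarize(text):
    """Collapse repeated denials into one entry per (source, target, class)."""
    rules = defaultdict(lambda: {"perms": set(), "ports": set(), "count": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            entry = rules[(rec["source"], rec["target"], rec["tclass"])]
            entry["perms"].update(rec["perms"])
            entry["count"] += 1
            if rec["port"]:
                entry["ports"].add(rec["port"])
    return dict(rules)

def allow_rules(summary):
    """Render each entry in allow-rule syntax so it can be read before loading."""
    out = []
    for (src, tgt, cls), e in sorted(summary.items()):
        perms = sorted(e["perms"])
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE))))
```

Any line beyond the expected hplip_t/howl_port_t name_bind entry is something the generated module would also permit.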



