printer creation in RPM scriptlet

Matthew Saltzman <mjs@xxxxxxxxxxxxxxx> · Sat, 26 Nov 2005 18:03:57 -0500 (EST)

I tried installing 
http://remi.collet.free.fr/rpms/fc4.i386/cups-pdf-2.0.0-0.1.fc4.remi.i386.rpm. 
The RPM has the following post-install scriptlet:

if [ "$1" -eq "1" ]; then
        /etc/init.d/cups restart
        (       /usr/sbin/lpadmin -p Cups-PDF -v cups-pdf:/ -m PostscriptColor.ppd -E &&
                echo Cups-PDF printer created
        ) || true
fi

With selinux-policy-targeted-1.27.1-2.11 in enforcing mode, the lpadmin 
command fails with error:

	lpadmin: add-printer (set device) failed: client-error-not-possible

In permissive mode, the install proceeds without problem.

The relevant audit.log entries are:

type=AVC msg=audit(1133045911.757:788): avc:  denied  { ioctl } for 
pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936 
scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t 
tclass=fifo_file

type=SYSCALL msg=audit(1133045911.757:788): arch=40000003 syscall=54 
success=no exit=-13 a0=0 a1=5401 a2=bfd10098 a3=bfd100d8 items=0 pid=20774 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="printconf-backe" exe="/usr/bin/python"

type=AVC_PATH msg=audit(1133045911.757:788):  path="pipe:[7217936]"

type=AVC msg=audit(1133045911.757:789): avc:  denied  { getattr } for 
pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936 
scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t 
tclass=fifo_file

type=SYSCALL msg=audit(1133045911.757:789): arch=40000003 syscall=197 
success=no exit=-13 a0=0 a1=bfd0fffc a2=960ff4 a3=b7ec4020 items=0 
pid=20774 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
fsgid=0 comm="printconf-backe" exe="/usr/bin/python"

type=AVC_PATH msg=audit(1133045911.757:789):  path="pipe:[7217936]"

type=AVC msg=audit(1133045911.781:790): avc:  denied  { ioctl } for 
pid=20774 comm="printconf-backe" name="[7217936]" dev=pipefs ino=7217936 
scontext=root:system_r:cupsd_config_t tcontext=root:system_r:unconfined_t 
tclass=fifo_file

type=SYSCALL msg=audit(1133045911.781:790): arch=40000003 syscall=54 
success=no exit=-13 a0=0 a1=5401 a2=bfd0ffb8 a3=bfd0fff8 items=0 pid=20774 
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 
comm="printconf-backe" exe="/usr/bin/python"

type=AVC_PATH msg=audit(1133045911.781:790):  path="pipe:[7217936]"

type=AVC msg=audit(1133045912.273:791): avc:  denied  { getattr } for 
pid=20787 comm="cups-pdf" name="SPOOL" dev=dm-0 ino=737988 
scontext=root:system_r:cupsd_t tcontext=system_u:object_r:var_spool_t 
tclass=dir

type=SYSCALL msg=audit(1133045912.273:791): arch=40000003 syscall=195 
success=no exit=-13 a0=8057f20 a1=bf9c9a6c a2=960ff4 a3=bf9c9a6c items=1 
pid=20787 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 
fsgid=7 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf"

type=AVC_PATH msg=audit(1133045912.273:791): 
path="/var/spool/cups-pdf/SPOOL"

type=CWD msg=audit(1133045912.273:791):  cwd="/"

type=PATH msg=audit(1133045912.273:791): item=0 
name="/var/spool/cups-pdf/SPOOL" flags=1  inode=737988 dev=fd:00 
mode=040755 ouid=0 ogid=0 rdev=00:00

--
		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list