FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 05-03-2010, 02:22 PM
Steve Blackwell
 
Default SELinux preventing printing.

My wife got a Lexmark X2670 printer with her new laptop and I connected
it to my Fedora 11 system, and downloaded the driver from Lexmark.

SELinux is preventing me from printing to it. At first I got 4 AVCs
about attempting to load shared libraries that require text relocation.
This I fixed with:

# semanage fcontext -a -t textrel_shlib_t
'/usr/local/lexmark/lxk08/lib(/.*)?'
# restorecon -R -v /usr/local/lexmark/lxk08/lib

but now I'm getting this one:

Raw Audit Messages :

node=steve.blackwell type=AVC
msg=audit(1272894966.836:66): avc: denied { search } for pid=29536
comm="printdriver" name="lib" dev=dm-0 ino=7635564
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_ubject_r:textrel_shlib_t:s0 tclass=dir

node=steve.blackwell type=SYSCALL msg=audit(1272894966.836:66):
arch=40000003 syscall=5 success=no exit=-13 a0=93cf620 a1=0 a2=0
a3=389660 items=0 ppid=1655 pid=29536 auid=4294967295 uid=4 gid=7
euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295
comm="printdriver" exe="/usr/local/lexmark/lxk08/bin/printdriver"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

What is the "correct" way to solve this? Create am audit2allow rule?

Thanks,
Steve
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 05-03-2010, 03:03 PM
Daniel J Walsh
 
Default SELinux preventing printing.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/03/2010 10:22 AM, Steve Blackwell wrote:
> My wife got a Lexmark X2670 printer with her new laptop and I connected
> it to my Fedora 11 system, and downloaded the driver from Lexmark.
>
> SELinux is preventing me from printing to it. At first I got 4 AVCs
> about attempting to load shared libraries that require text relocation.
> This I fixed with:
>
> # semanage fcontext -a -t textrel_shlib_t
> '/usr/local/lexmark/lxk08/lib(/.*)?'
> # restorecon -R -v /usr/local/lexmark/lxk08/lib
>
> but now I'm getting this one:
>
> Raw Audit Messages :
>
> node=steve.blackwell type=AVC
> msg=audit(1272894966.836:66): avc: denied { search } for pid=29536
> comm="printdriver" name="lib" dev=dm-0 ino=7635564
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_ubject_r:textrel_shlib_t:s0 tclass=dir
>
> node=steve.blackwell type=SYSCALL msg=audit(1272894966.836:66):
> arch=40000003 syscall=5 success=no exit=-13 a0=93cf620 a1=0 a2=0
> a3=389660 items=0 ppid=1655 pid=29536 auid=4294967295 uid=4 gid=7
> euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295
> comm="printdriver" exe="/usr/local/lexmark/lxk08/bin/printdriver"
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>
> What is the "correct" way to solve this? Create am audit2allow rule?
>
> Thanks,
> Steve
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux


# semanage fcontext -d -t textrel_shlib_t
'/usr/local/lexmark/lxk08/lib(/.*)?
# semanage fcontext -a -t textrel_shlib_t
'/usr/local/lexmark/lxk08/lib/.*.so.*'
# restorecon -R -v /usr/local/lexmark


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkve5dsACgkQrlYvE4MpobNllACff1YnvWPLe5 xtq1xNe8QoaOQd
Z7IAnjfeC3L54N87hxVLw3Ypwc7vlQrl
=3MWW
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 05-03-2010, 03:18 PM
Steve Blackwell
 
Default SELinux preventing printing.

On Mon, 03 May 2010 11:03:55 -0400
Daniel J Walsh <dwalsh@redhat.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 05/03/2010 10:22 AM, Steve Blackwell wrote:
> > My wife got a Lexmark X2670 printer with her new laptop and I
> > connected it to my Fedora 11 system, and downloaded the driver from
> > Lexmark.
> >
> > SELinux is preventing me from printing to it. At first I got 4 AVCs
> > about attempting to load shared libraries that require text
> > relocation. This I fixed with:
> >
> > # semanage fcontext -a -t textrel_shlib_t
> > '/usr/local/lexmark/lxk08/lib(/.*)?'
> > # restorecon -R -v /usr/local/lexmark/lxk08/lib
> >
> > but now I'm getting this one:
> >
> > Raw Audit Messages :
> >
> > node=steve.blackwell type=AVC
> > msg=audit(1272894966.836:66): avc: denied { search } for pid=29536
> > comm="printdriver" name="lib" dev=dm-0 ino=7635564
> > scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> > tcontext=system_ubject_r:textrel_shlib_t:s0 tclass=dir
> >
> > node=steve.blackwell type=SYSCALL msg=audit(1272894966.836:66):
> > arch=40000003 syscall=5 success=no exit=-13 a0=93cf620 a1=0 a2=0
> > a3=389660 items=0 ppid=1655 pid=29536 auid=4294967295 uid=4 gid=7
> > euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none)
> > ses=4294967295 comm="printdriver"
> > exe="/usr/local/lexmark/lxk08/bin/printdriver"
> > subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
> >
> > What is the "correct" way to solve this? Create am audit2allow rule?
> >
> > Thanks,
> > Steve
> > --
> > selinux mailing list
> > selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
> # semanage fcontext -d -t textrel_shlib_t
> '/usr/local/lexmark/lxk08/lib(/.*)?
> # semanage fcontext -a -t textrel_shlib_t
> '/usr/local/lexmark/lxk08/lib/.*.so.*'
> # restorecon -R -v /usr/local/lexmark

That got it. Thanks, Dan.
So the files in the lib directory were labeled correctly but the
directory itself was not. It needed to be of type lib_t.

Steve
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 05-03-2010, 03:22 PM
Daniel J Walsh
 
Default SELinux preventing printing.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/03/2010 11:18 AM, Steve Blackwell wrote:
> On Mon, 03 May 2010 11:03:55 -0400
> Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 05/03/2010 10:22 AM, Steve Blackwell wrote:
>>> My wife got a Lexmark X2670 printer with her new laptop and I
>>> connected it to my Fedora 11 system, and downloaded the driver from
>>> Lexmark.
>>>
>>> SELinux is preventing me from printing to it. At first I got 4 AVCs
>>> about attempting to load shared libraries that require text
>>> relocation. This I fixed with:
>>>
>>> # semanage fcontext -a -t textrel_shlib_t
>>> '/usr/local/lexmark/lxk08/lib(/.*)?'
>>> # restorecon -R -v /usr/local/lexmark/lxk08/lib
>>>
>>> but now I'm getting this one:
>>>
>>> Raw Audit Messages :
>>>
>>> node=steve.blackwell type=AVC
>>> msg=audit(1272894966.836:66): avc: denied { search } for pid=29536
>>> comm="printdriver" name="lib" dev=dm-0 ino=7635564
>>> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>>> tcontext=system_ubject_r:textrel_shlib_t:s0 tclass=dir
>>>
>>> node=steve.blackwell type=SYSCALL msg=audit(1272894966.836:66):
>>> arch=40000003 syscall=5 success=no exit=-13 a0=93cf620 a1=0 a2=0
>>> a3=389660 items=0 ppid=1655 pid=29536 auid=4294967295 uid=4 gid=7
>>> euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none)
>>> ses=4294967295 comm="printdriver"
>>> exe="/usr/local/lexmark/lxk08/bin/printdriver"
>>> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>>>
>>> What is the "correct" way to solve this? Create am audit2allow rule?
>>>
>>> Thanks,
>>> Steve
>>> --
>>> selinux mailing list
>>> selinux@lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>
>>
>> # semanage fcontext -d -t textrel_shlib_t
>> '/usr/local/lexmark/lxk08/lib(/.*)?
>> # semanage fcontext -a -t textrel_shlib_t
>> '/usr/local/lexmark/lxk08/lib/.*.so.*'
>> # restorecon -R -v /usr/local/lexmark
>
> That got it. Thanks, Dan.
> So the files in the lib directory were labeled correctly but the
> directory itself was not. It needed to be of type lib_t.
>
> Steve
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
Yes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkve6lMACgkQrlYvE4MpobP3ZwCgjxUu/M3PGNZpJtFsbiabXszu
r40An0M1EbEk2xRtEfa9wQEpXZVQqbG0
=s01c
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 

Thread Tools




All times are GMT. The time now is 01:10 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org