
11th February 2010, 04:16 PM
Did you turn SELinux off and do a print to get messages in the audit log? Tail the audit log and post it here on the forum.
You are close to finishing, but you just aren't creating the policy correctly.
---------- Post added at 04:16 PM CST ---------- Previous post was at 03:41 PM CST ----------
I replied but my post hasn't appeared, so here it is again:
You have to make SELinux permissive, then do a print (e.g. lpr filename), then tail your audit.log and post it here - but if it has the correct messages then audit2allow should work.
Did you do a print?
__________________
Mattywix
"For once you have tasted flight you will walk the earth with your eyes turned skywards, for there you have been and there you will long to return." - Leonardo da Vinci speaks of his joy at experiencing Linux

11th February 2010, 04:43 PM
Here is audit log..
Quote:
# tail /var/log/audit/audit.log
type=AVC msg=audit(1265906380.616:61): avc: denied { read write } for pid=3874 comm="gs" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=3080213 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1265906380.616:61): arch=c000003e syscall=30 success=yes exit=139853944078336 a0=2f0015 a1=0 a2=0 a3=8 items=0 ppid=3872 pid=3874 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="gs" exe="/usr/bin/gs" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1265906380.370:60): arch=c000003e syscall=2 success=no exit=-4 a0=7fff93d33d10 a1=81 a2=0 a3=7fff93d33aa0 items=0 ppid=937 pid=3873 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="ccp" exe="/usr/lib64/cups/backend/ccp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1265906439.251:62): avc: denied { write } for pid=3916 comm="ccp" name="fifo0" dev=sda7 ino=228290 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=fifo_file
type=AVC msg=audit(1265906439.611:63): avc: denied { read write } for pid=3917 comm="gs" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=4194325 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=SYSCALL msg=audit(1265906439.611:63): arch=c000003e syscall=30 success=yes exit=140099274010624 a0=400015 a1=0 a2=0 a3=8 items=0 ppid=3915 pid=3917 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="gs" exe="/usr/bin/gs" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=USER_AUTH msg=audit(1265906456.032:64): user pid=3955 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_ACCT msg=audit(1265906456.039:65): user pid=3955 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=USER_START msg=audit(1265906456.501:66): user pid=3955 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'
type=CRED_ACQ msg=audit(1265906456.503:67): user pid=3955 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=success'

11th February 2010, 06:39 PM
Do you have setroubleshoot installed?
yum install setroubleshoot*
reboot
Then try to print again.
The sealert utility should pop up automatically and show you an AVC (audit log) denial, and from within that sealert GUI you will be allowed to create the rule to allow the access.
If sealert does NOT come up automatically when you try to print, then you can run it manually from the command line in a terminal (just run the command "sealert").

12th February 2010, 08:38 AM
To create a rule, should I select the "Ignore alert" check box?

12th February 2010, 11:34 AM
Your AVC message is there, I can see it.
2 ways to solve this.
1) Copy my file.
As root, create a file called cncapt.te and paste into it:
#-----start of file
module cncapt 1.0;

require {
    type var_t;
    type var_lib_t;
    type tmpfs_t;
    type cupsd_t;
    class memprotect mmap_zero;
    class fifo_file { write open };
    class file { read write create };
}

#============= cupsd_t ==============
allow cupsd_t tmpfs_t:file { read write };

#!!!! The source type 'cupsd_t' can write to a 'fifo_file' of the following types:
# cupsd_var_run_t, pcscd_var_run_t, cupsd_tmp_t
allow cupsd_t var_t:fifo_file { write open };
#-----end of file
Now compile it:
checkmodule -M -m -o local.mod cncapt.te
semodule_package -o local.pp -m local.mod
Now load it:
semodule -i local.pp
Set SELinux back to enforcing and reboot.
2) Otherwise (and I think method 1 is better!) extract the message from your audit.log:
grep ccp /var/log/audit/audit.log | audit2allow -M cncapt
semodule -i cncapt.pp
__________________
Mattywix
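Added example, not part of the original post and not a replacement for audit2allow: a short Python parser that turns the AVC records quoted earlier in this thread into candidate allow rules, and shows that a text filter on "ccp" keeps only the fifo_file denial while the gs denial on tmpfs_t drops out. The sample log is constructed by trimming the thread's excerpt, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: records trimmed from the audit.log excerpt quoted in this thread.
SAMPLE_LOG = """\
type=AVC msg=audit(1265906380.616:61): avc: denied { read write } for pid=3874 comm="gs" path=2F535953563030303030303030202864656C6574656429 dev=tmpfs ino=3080213 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file
type=AVC msg=audit(1265906439.251:62): avc: denied { write } for pid=3916 comm="ccp" name="fifo0" dev=sda7 ino=228290 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=fifo_file
type=USER_AUTH msg=audit(1265906456.032:64): user pid=3955 uid=500 auid=500 ses=1 msg='op=PAM:authentication acct="root" exe="/bin/su" res=success'
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=[^:]+:[^:]+:(?P<src>[^:\s]+)'
    r'.*?tcontext=[^:]+:[^:]+:(?P<tgt>[^:\s]+)'
    r'.*?tclass=(?P<cls>\S+)')
HEX_PATH_RE = re.compile(r'\bpath=([0-9A-Fa-f]+)(?=\s|$)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # auditd hex-encodes paths that contain spaces or special characters.
    h = HEX_PATH_RE.search(line)
    try:
        rec["path"] = bytes.fromhex(h.group(1)).decode("utf-8", "replace") if h else None
    except ValueError:  # odd-length or damaged hex: keep the record, drop the path
        rec["path"] = None
    return rec


def allow_rules(lines):
    """Merge denials into one rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        merged[(rec["src"], rec["tgt"], rec["cls"])].update(rec["perms"])
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


def rules_for(log, word=None):
    """Rules from every line of log, or only from lines containing word (like grep)."""
    return allow_rules([l for l in log.splitlines() if word is None or word in l])


if __name__ == "__main__":
    print("whole log:", rules_for(SAMPLE_LOG))
    print("grep ccp: ", rules_for(SAMPLE_LOG, "ccp"))
```

Reading the generated rules before loading them also makes it visible when a rule targets a broad type such as var_t.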

12th February 2010, 01:15 PM
I have executed your code. Now in the print job queue, the job shows processing. Also in the printer status it shows processing. But it's not printing. Waited for 10 min...
And one more piece of information here.
Now in system-config-printer 2 printers are showing for the same Canon printer.
Difference I found in both properties is Device URL one shows
and other
Second one is default printer

12th February 2010, 01:46 PM
Cancel your print jobs, print a test page from the properties of each printer; if it starts printing immediately, that's the one you want to keep.

12th February 2010, 02:05 PM
ccp:/var/ccpd/fifo0 is the correct one. Delete the other one.
It is associated to usb when you ran following:
/usr/sbin/ccpdadmin -p LBP2900 -o /dev/usb/lp0
Make sure ccp is running:
/etc/init.d/ccpd status
/etc/init.d/ccpd start
If it wasn't, then fix it to start in your runlevel.
__________________
Mattywix

12th February 2010, 03:01 PM
The USB printer is automatically added again even after deleting it (when the printer is switched on).
Quote:
/usr/sbin/ccpdadmin -p LBP2900 -o /dev/usb/lp0
CUPS_ConfigPath = /etc/cups/
LOG Path = None
UI Port = 59787
Entry Num : Spooler : Backend : FIFO path : Device Path : Status
----------------------------------------------------------------------------
[0] : LBP2900 : usb : //Canon/LBP2900 : /dev/usb/lp0 : Modified
[1] : LBP2900b : ccp : /var/ccpd/fifo0 : /dev/usb/lp0 :

12th February 2010, 03:13 PM
delete the one that is wrong with
ccpdadmin -x <printername>
__________________
Mattywix

12th February 2010, 03:42 PM
Printer status doesn't show "Idle - Printer is Online". It shows "Idle- Can't open FIFO Interupted Syste....."

12th February 2010, 03:46 PM
That FIFO error is the selinux policy and/or the permissions on the fifo just as I said in my other post.
You really should have read that post and followed the procedure.
Did you get the policy imported correctly?
Did you set the file permissions on the FIFO ?
chmod a+rw /var/ccpd/fifo*
It's all in my post that I pointed you to.
__________________
Mattywix

12th February 2010, 03:50 PM
I did everything. I checked permission again. It's all = read + write.

12th February 2010, 04:25 PM
Then it's back to SELinux for you. Set it permissive, then check your audit.log for the AVC message, then use it to create a policy and so on...
__________________
Mattywix

19th February 2010, 09:34 AM
Did you ever get your printer working?
I found something weird with mine - it has automatically created a second printer definition. I kept deleting it but it kept recreating it. It seems both have to be there for the printer to work.
The normal one has device URI: ccp:/var/ccpd/fifo0
The weird one I didn't create myself has URI: usb://Canon/LBP5050
I had to set paper size on both of them for it to work.
Weird!!
__________________
Mattywix