Adding printers and printing documents is slow with SELinux enabled in RHEL 6

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 5.9
  • Quest Authentication System

Issue

Everything is good but after some time executing lpr takes a long time. For example:

Bad

$ date
Wed Feb 27 13:17:46 SGT 2013
$ lpr -P COSILD03 /tmp/PrintTest/TR/CODULD02.ps
$ date
Wed Feb 27 13:43:25 SGT 2013

Good

$ date
Wed, Feb 27 13:36:35 SGT 2013
$ lpr -P CODULD02 /tmp/PdfPrinrTest/TR/CODULD02.ps
$ date
Wed, Feb 27 13:36:36 SGT 2013

What I always do is to reset SELinux by putting it into permissive then back into enforcing again. Things are OK but the issue will arise again after few hours.

Resolution

Changing the SELinux permissions on the file /var/opt/quest/vas/vasd/vas_misc.vdb seems to work around this issue. Run:

chcon -v -t var_auth_t /var/opt/quest/vas/vasd/vas_misc.vdb

to accomplish this.

Root Cause

CUPS, the printing system used by Red Hat Enterprise Linux, sends messages through D-Bus when printing state changes occur. To function properly with the Quest Authentication System, D-Bus requires access to /var/opt/quest/vas/vasd/vas_misc.vdb. If access is blocked by SELinux, then CUPS continues to try to access this file, causing delays in CUPS operations.

Diagnostic Steps

  1. Enable CUPS error_log debugging, as described in How to enable and capture CUPS debugging logs, then look for message sequence like the following in /var/log/cups/error_log:

    d [26/Mar/2013:09:47:29 +0800] cupsdAddEvent(
W [26/Mar/2013:09:48:02 +0800] Discarding unused ...

    Note the delay of approximately 30 seconds between the two entries in the error_log.

  2. Run an ausearch command to look for SELinux AVC denials in /var/log/audit/audit.log. Look for entries where "dbus-daemon" was denied "lock" for the path "/var/opt/quest/vas/vasd/vas_misc.vdb". An example of this type of entry is:

    time->Tue Mar 26 09:47:29 2013
type=AVC msg=audit(1364262449.057:19498): avc:  denied  { lock } for  pid=4769 comm="dbus-daemon" 
path="/var/opt/quest/vas/vasd/vas_misc.vdb" dev=dm-0 ino=5799976 scontext=system_u:system_r:system_dbusd_t:s0 
tcontext=system_u:object_r:var_t:s0 tclass=file

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments