Problems with selinux after upgrade to F40

After I upgarded to Fedora 40, selinux is creating problems. Every time I log in, I get a lot of error messages about selinux preventing ftscanhvd from access to /run/cups/cups.sock. So far I have not observed any actual problems, and I do not know what ftscanhvd is. However, the flashing error messages are very annoying, and I’d be very grateful if anyone knows how to solve this. Here is the full message:

SELinux is preventing ftscanhvd from connectto access on the unix_stream_socket /run/cups/cups.sock.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that ftscanhvd should be allowed connectto access on the cups.sock unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

ausearch -c ‘ftscanhvd’ --raw | audit2allow -M my-ftscanhvd

semodule -X 300 -i my-ftscanhvd.pp

Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Objects /run/cups/cups.sock [ unix_stream_socket ]
Source ftscanhvd
Source Path ftscanhvd
Port
Host hf-pam1-ap1131-2.uio.no
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-40.18-2.fc40.noarch
Local Policy RPM selinux-policy-targeted-40.18-2.fc40.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name hf-pam1-ap1131-2.uio.no
Platform Linux hf-pam1-ap1131-2.uio.no
6.8.9-300.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Thu
May 2 18:59:06 UTC 2024 x86_64
Alert Count 34
First Seen 2024-05-15 04:06:16 CEST
Last Seen 2024-05-28 14:28:38 CEST
Local ID a1921701-47a5-4ecc-b369-ad6e0dd83068

Raw Audit Messages
type=AVC msg=audit(1716899318.600:4320): avc: denied { connectto } for pid=99967 comm=“ftscanhvd” path=“/run/cups/cups.sock” scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0

Hash: ftscanhvd,init_t,cupsd_t,unix_stream_socket,connectto

ftscanhvd seems to be part of a vmware horizon client product. Is it expected to be there? Remove it and see if the problem goes away.

Oh, I see. I need the vmware horizon client as it is what are using to access shared servers at my university. It did not cause any problems under F39, but I do not see why it needs to access cups so maybe I should ask there instead.

vmware is not responsive in keeping their products up to date. There are a number of bugzillas on this, maybe one of them has a reasonable solution. Applying the my-ftscanhvd policy may be too permissive but I’m not sure. Custom selinux policy can be a bit tricky.

1 Like

Please reach out to the software vendor for further support. As a workaround, you can use semanage-fcontext and restorecon commands to label the executables e. g. with the bin_t type.

1 Like

you can disable the ftscanhv if you don’t need to print on the remote server.
Just do systemctl disable ftscanhv and systemctl stop ftscanhv.

1 Like