Bug 1095851

Summary: SELinux is preventing /usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3 from 'write' accesses on the file .
Product: [Fedora] Fedora
Reporter: Msquared <142.bugzilla.redhat>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Keywords: Reopened
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:413ae70e02fc52c8289801cb3c53ee4d405e4bab3a8b393534bf921178db078c
Fixed In Version: selinux-policy-3.12.1-177.fc20
Doc Type: Bug Fix
Last Closed: 2014-07-19 05:59:42 UTC
Attachments:
  * SELinux troubleshooter report 1 - rename
  * SELinux troubleshooter report 2 - create
  * SELinux troubleshooter report 3 - unlink
  * SELinux troubleshooter report 4 - execute

Description Msquared 2014-05-08 16:32:07 UTC
Description of problem:
This problem occurred while printing to a Brother HL-2270DW via the Brother-supplied drivers; the user-visible symptom of this issue is that the duplex and paper-tray settings are ignored.  Note that this problem does not occur with the version of selinux-policy that ships with F20's install media.

Steps to reproduce:
  * Go to http://support.brother.com/g/b/downloadlist.aspx?c=au&lang=en&prod=hl2270dw_all&os=127
  * Download "LPR printer driver (rpm package)" [hl2270dwlpr-2.1.0-1.i386.rpm]
  * Download "CUPSwrapper printer driver (rpm package)" [cupswrapperHL2270DW-2.0.4-2.i386.rpm]
  * Install 64-bit Fedora 20 from downloaded install media
  * yum -y install glibc.i686
  * yum -y localinstall *2270*.rpm
  * If printing via network, use CUPS' web interface to change the printer's address to dnssd://Brother%20HL-2270DW%20series._pdl-datastream._tcp.local/
  * Print a 2-page PDF twice: once using single-sided, once using duplex (to show that the duplex setting works)
  * yum -y update selinux-policy ; reboot
  * Again print a 2-page PDF twice: once using single-sided, once using duplex

This time, both prints will be either single-sided or double-sided, ignoring your setting.  Also, you will see an AVC denial message.
SELinux is preventing /usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3 from 'write' accesses on the file .

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow brprintconflsr3 to have write access on the  file
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: afs_cache_t, anon_inodefs_t, cupsd_interface_t, cupsd_lock_t, cupsd_log_t, cupsd_rw_etc_t, cupsd_tmp_t, cupsd_var_lib_t, cupsd_var_run_t, faillog_t, initrc_tmp_t, krb5_host_rcache_t, print_spool_t, puppet_tmp_t, samba_var_t, security_t, tmpfs_t, usbfs_t, user_cron_spool_t. 
Then execute: 
restorecon -v '$FIX_TARGET_PATH'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that brprintconflsr3 should be allowed write access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep brprintconflsr3 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                 [ file ]
Source                        brprintconflsr3
Source Path                   /usr/local/Brother/Printer/HL2270DW/inf/brprintcon
                              flsr3
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           hl2270dwlpr-2.1.0-1.i386
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-158.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.14.2-200.fc20.x86_64 #1 SMP Mon
                              Apr 28 14:40:57 UTC 2014 x86_64 x86_64
Alert Count                   513
First Seen                    2014-04-25 22:15:13 WST
Last Seen                     2014-05-08 23:46:27 WST
Local ID                      48ff401a-761d-4c30-be99-80a05f2bebbf

Raw Audit Messages
type=AVC msg=audit(1399563987.141:391): avc:  denied  { write } for  pid=2736 comm="brprintconflsr3" name="brHL2270DWrc" dev="dm-2" ino=529797 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file


type=SYSCALL msg=audit(1399563987.141:391): arch=i386 syscall=fstat per=400000 success=no exit=EACCES a0=ffb3b1af a1=241 a2=1b6 a3=8735008 items=0 ppid=2725 pid=2736 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=brprintconflsr3 exe=/usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: brprintconflsr3,cupsd_t,usr_t,file,write

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.14.2-200.fc20.x86_64
type:           libreport

Comment 1 Daniel Walsh 2014-05-08 20:51:59 UTC
Not sure where this file is, but I believe it is mislabeled.

restorecon -R -v /usr /opt /etc

Should change the label, probably in a Brother directory.

Comment 2 Msquared 2014-05-11 00:05:01 UTC
Running "restorecon -R -v /usr /opt /etc" produced the following output:

restorecon reset /usr/lib64/cups context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
restorecon reset /usr/lib64/cups/filter context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
restorecon reset /usr/lib64/cups/filter/brlpdwrapperHL2270DW context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
restorecon reset /etc/pam.d/system-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/postlogin-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/password-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/smartcard-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/fingerprint-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0

I'll report the results in a moment.

Comment 3 Msquared 2014-05-11 00:09:38 UTC
OK, it seems the SELinux log I reported in my initial bug report was the first of four such messages.  That one has gone away, but the other three remain.  Also, I don't know if the first one disappeared because I changed SELinux from enforcing to permissive, or because I ran the restorecon command.

Either way, here's what ends up in /var/log/audit/audit.log when I print:

type=AVC msg=audit(1399766839.070:1033): avc:  denied  { rename } for  pid=18630 comm="brprintconflsr3" name="brHL2270DWrc" dev="dm-2" ino=529797 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1399766839.070:1033): arch=40000003 syscall=38 per=400000 success=yes exit=0 a0=ffd5c6af a1=ffd5c2ae a2=415bd000 a3=0 items=0 ppid=18629 pid=18630 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="brprintconflsr3" exe="/usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1399766839.070:1034): avc:  denied  { create } for  pid=18630 comm="brprintconflsr3" name="brHL2270DWrc" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1399766839.070:1034): avc:  denied  { write } for  pid=18630 comm="brprintconflsr3" path="/usr/local/Brother/Printer/HL2270DW/inf/brHL2270DWrc" dev="dm-2" ino=529810 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1399766839.070:1034): arch=40000003 syscall=5 per=400000 success=yes exit=7 a0=ffd5c6af a1=241 a2=1b6 a3=96d7008 items=0 ppid=18629 pid=18630 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="brprintconflsr3" exe="/usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1399766839.070:1035): avc:  denied  { unlink } for  pid=18630 comm="brprintconflsr3" name="brHL2270DWrc.old" dev="dm-2" ino=529797 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1399766839.070:1035): arch=40000003 syscall=10 per=400000 success=yes exit=0 a0=ffd5c2ae a1=96d7000 a2=415bd000 a3=ffd5c2ae items=0 ppid=18629 pid=18630 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="brprintconflsr3" exe="/usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

I'll attach the three SELinux reports in a moment.
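
The audit records in comment 3 can be collapsed into (source type, target type, class) tuples, the same grouping audit2allow performs, before deciding whether a denial calls for a relabel or a policy change. The Python script below is an added example, not part of the bug thread or of any SELinux tool; the `GENERIC_TYPES` and `MUTATING` sets and the `relabel-target` / `review-policy` verdicts are assumptions made for illustration.

```python
import re
from collections import defaultdict
# Audit records copied verbatim from comment 3 (four AVC lines, one SYSCALL line).
SAMPLE = '''\
type=AVC msg=audit(1399766839.070:1033): avc:  denied  { rename } for  pid=18630 comm="brprintconflsr3" name="brHL2270DWrc" dev="dm-2" ino=529797 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1399766839.070:1033): arch=40000003 syscall=38 per=400000 success=yes exit=0 a0=ffd5c6af a1=ffd5c2ae a2=415bd000 a3=0 items=0 ppid=18629 pid=18630 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="brprintconflsr3" exe="/usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1399766839.070:1034): avc:  denied  { create } for  pid=18630 comm="brprintconflsr3" name="brHL2270DWrc" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1399766839.070:1034): avc:  denied  { write } for  pid=18630 comm="brprintconflsr3" path="/usr/local/Brother/Printer/HL2270DW/inf/brHL2270DWrc" dev="dm-2" ino=529810 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1399766839.070:1035): avc:  denied  { unlink } for  pid=18630 comm="brprintconflsr3" name="brHL2270DWrc.old" dev="dm-2" ino=529797 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
'''

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumption for this example: generic types that usually point to a missing file-context rule.
GENERIC_TYPES = {'usr_t', 'etc_t', 'var_t', 'lib_t', 'default_t', 'unlabeled_t'}
MUTATING = {'write', 'create', 'rename', 'unlink', 'append', 'setattr'}

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def type_of(context):
    return context.split(':')[2]  # user:role:type:level -> type

def summarize(log_text):
    """Merge denials into {(source type, target type, class): {permissions}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
            rules[key].update(rec['perms'])
    return dict(rules)

def triage(rules):
    """Flag tuples where a confined domain modifies generically labelled objects."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        relabel = tgt in GENERIC_TYPES and perms & MUTATING
        out.append((src, tgt, cls, sorted(perms), 'relabel-target' if relabel else 'review-policy'))
    return out

if __name__ == '__main__':
    for row in triage(summarize(SAMPLE)):
        print(row)
```

All four denials collapse into one tuple, cupsd_t modifying usr_t files, which the example flags for relabeling; that lines up with the labeling approach taken in comment 7 rather than granting cupsd_t write access to usr_t.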

Comment 4 Msquared 2014-05-11 00:12:45 UTC
Created attachment 894354
SELinux troubleshooter report 1 - rename

Comment 5 Msquared 2014-05-11 00:13:26 UTC
Created attachment 894355
SELinux troubleshooter report 2 - create

Comment 6 Msquared 2014-05-11 00:14:07 UTC
Created attachment 894356
SELinux troubleshooter report 3 - unlink

Comment 7 Miroslav Grepl 2014-05-12 11:08:05 UTC
Please execute for now

# chcon -R -t cupsd_rw_etc_t /usr/local/Brother/Printer/HL2270DW/inf/



commit 1398083df4ffadaa28ceafa9b8df02d16d4a5025
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 12 13:06:11 2014 +0200

    Add support for /usr/local/Brother labeling. We removed /usr/local equiv.

Comment 8 Fedora Update System 2014-05-13 13:22:19 UTC
selinux-policy-3.12.1-163.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-163.fc20

Comment 9 Fedora Update System 2014-05-14 23:53:06 UTC
Package selinux-policy-3.12.1-163.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-163.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-163.fc20
then log in and leave karma (feedback).

Comment 10 Fedora Update System 2014-05-21 23:30:23 UTC
selinux-policy-3.12.1-163.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Msquared 2014-06-02 10:26:22 UTC
Created attachment 901397
SELinux troubleshooter report 4 - execute

Comment 12 Msquared 2014-06-02 10:28:40 UTC
Sorry, I think I missed this: selinux is reporting an execute error (though the latest selinux-policy fixes the other issues I reported; thanks!).

See attachment https://bugzilla.redhat.com/attachment.cgi?id=901397&action=edit

Comment 13 Daniel Walsh 2014-06-03 20:21:35 UTC
edd4b8cf9475d7d10e551cb886640d47f75a9c7b allows this in git.

Comment 14 Fedora Update System 2014-07-15 09:42:21 UTC
selinux-policy-3.12.1-177.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-177.fc20

Comment 15 Fedora Update System 2014-07-17 04:28:46 UTC
Package selinux-policy-3.12.1-177.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-177.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8390/selinux-policy-3.12.1-177.fc20
then log in and leave karma (feedback).

Comment 16 Fedora Update System 2014-07-19 05:59:42 UTC
selinux-policy-3.12.1-177.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.