Bug 1246898
Summary: | selinux avcs using brother printer drivers | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Brian J. Murrell <brian> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | urgent | Docs Contact: | |
Priority: | unspecified | | |
Version: | 22 | CC: | a.fedora, bgz, dominick.grift, dwalsh, kengert, lvrabec, mgrepl, plautrba, rob+redhat |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2015-08-27 17:23:17 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Brian J. Murrell
2015-07-26 18:34:19 UTC
*** Bug 1248755 has been marked as a duplicate of this bug. ***

I'm affected by this, too. Running the suggested command to allow execmem made printing work for me. Below is the report from my system:

```
SELinux is preventing brcupsconfpt1 from using the execmem access on a process.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow cups to execmem
Then you must tell SELinux about this by enabling the 'cups_execmem' boolean.
You can read 'None' man page for more details.
Do
setsebool -P cups_execmem 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that brcupsconfpt1 should be allowed execmem access on processes labeled cupsd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep brcupsconfpt1 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        brcupsconfpt1
Source Path                   brcupsconfpt1
Port                          <Unknown>
Host                          localhost
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.8.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.1.4-200.fc22.x86_64+debug #1 SMP Tue Aug 4 02:57:14 UTC 2015 x86_64 x86_64
Alert Count                   8
First Seen                    2015-08-19 20:32:47 CEST
Last Seen                     2015-08-19 20:38:04 CEST

Raw Audit Messages
type=AVC msg=audit(1440009484.534:894): avc: denied { execmem } for pid=23163 comm="brmfcj6710dwfil" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0

Hash: brcupsconfpt1,cupsd_t,cupsd_t,process,execmem
```

Hi mgrepl - do you think the required fix could be applied to the default policy we ship, or is that a bad idea?

This problem appeared in Fedora 21 with the selinux-policy-3.13.1-105.20 update on 20 August (my time). Unless multiple people have had their drivers hacked, it seems like the new policy must either be disallowing something that was previously allowed OR there was no policy related to the Brother drivers until now. It would be useful to know which.

It's also not clear why the driver needs to create executable memory regions. I imagine code that really NEEDS execmem or execstack is pretty rare...

Please fix. Had to downgrade and exclude selinux-policy until fixed. Not good.

There is a boolean for this.

setsebool -P cups_execmem 1

which will allow it. We don't want to allow execmem by default.
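The AVC record and the setroubleshoot report quoted in this thread can be triaged straight from /var/log/audit/audit.log; the following is an added example written for this page, not code from the bug report, setroubleshoot or selinux-policy. It assumes a domain-to-boolean map that holds only the cups_execmem boolean named above, and its log lines are constructed (the first reproduces the denial quoted in the report).

```python
import re
from collections import Counter, namedtuple
from typing import Optional

# Constructed sample log: line 1 is the AVC record quoted in this bug (with the
# double spaces auditd actually writes), line 2 the SYSCALL record that accompanies
# such a denial, line 3 a permissive-mode repeat (permissive=1: logged, not blocked).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1440009484.534:894): avc:  denied  { execmem } for  pid=23163 comm="brmfcj6710dwfil" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1440009484.534:894): arch=c000003e syscall=10 success=no exit=-13 comm="brmfcj6710dwfil"
type=AVC msg=audit(1440009490.120:897): avc:  denied  { execmem } for  pid=23164 comm="brmfcj6710dwfil" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+pid=(?P<pid>\d+)'
    r' comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)'
    r' tclass=(?P<tclass>\S+)(?: permissive=(?P<permissive>[01]))?'
)

# Domain -> boolean that legitimately grants execmem. Only the boolean named in
# this bug is listed; extending it from `semanage boolean -l` is an assumption.
EXECMEM_BOOLEANS = {"cupsd_t": "cups_execmem"}

Denial = namedtuple("Denial", "pid comm perms source_type target_type tclass enforced")

def parse_avc(line: str) -> Optional[Denial]:
    """Structured view of one AVC record; None for SYSCALL/PATH/other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    stype, ttype = (m[k].split(":")[2] for k in ("scontext", "tcontext"))  # type field
    return Denial(int(m["pid"]), m["comm"], frozenset(m["perms"].split()),
                  stype, ttype, m["tclass"], m["permissive"] != "1")  # no field => enforcing

def signature(d: Denial) -> str:
    # Same shape as setroubleshoot's "Hash:" line (it resolves the executable name; we use comm).
    return ",".join([d.comm, d.source_type, d.target_type, d.tclass, *sorted(d.perms)])

def suggest_boolean(d: Denial) -> Optional[str]:
    if d.tclass == "process" and "execmem" in d.perms:
        return EXECMEM_BOOLEANS.get(d.source_type)
    return None

def triage(log: str) -> dict:
    denials = [d for d in map(parse_avc, log.splitlines()) if d]
    return {
        "count": Counter(signature(d) for d in denials),
        "blocked": sum(d.enforced for d in denials),  # permissive=0 records only
        "booleans": sorted({b for d in denials if (b := suggest_boolean(d))}),
    }
```

The blocked count separates enforcing denials (permissive=0) from permissive-mode ones, which is what decides whether the filter actually failed rather than merely being logged.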