Bug 242240

Summary: SELinux reports denied access error on USB-printer
Product: [Fedora] Fedora
Reporter: Fabian M. Schindler <fschindler>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 7
CC: dwalsh
Hardware: i386
OS: Linux
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-06-11 15:13:41 UTC
Attachments:
/var/log/audit/audit.log file (flags: none)

Description Fabian M. Schindler 2007-06-02 16:03:06 UTC
Description of problem:
SELinux is preventing /sbin/pam_console_apply (pam_console_t) "setattr" to fb0
(device_t).
SELinux denied access requested by /sbin/pam_console_apply. It is not expected
that this access is required by /sbin/pam_console_apply and this access may
signal an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

SELinux is preventing /usr/lib/cups/backend/ccp (cupsd_t) "write" to fifo0 (var_t).
SELinux denied access requested by /usr/lib/cups/backend/ccp. It is not expected
that this access is required by /usr/lib/cups/backend/ccp and this access may
signal an intrusion attempt. It is also possible that the specific version or
configuration of the application is causing it to require additional access.

SELinux is preventing /usr/lib/cups/filter/pstocapt (cupsd_t) "setpgid" to
(cupsd_t).
SELinux denied access requested by /usr/lib/cups/filter/pstocapt. It is not
expected that this access is required by /usr/lib/cups/filter/pstocapt and this
access may signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to require additional
access.

Under permissive mode, the printer works and prints the print-jobs. If SELinux
is set to "active/enforced" mode, the print job gets canceled.

Version of affected package: selinux-policy-2.6.4-8.fc7

How reproducible: Always

Steps to Reproduce:
1. Plug in and set up USB printer with permissive SELinux on system (or with
enforced SELinux policy)
2. Print a document
  
Actual results:
Permissive SELinux: Print-job is finished, SELinux error messages are reported
Active/Enforced SELinux: Print job is cancelled. SELinux error messages are reported

Expected results:
Print job should be executed without SELinux warnings

Additional info:
This bug has medium priority for systems with active SELinux. For systems with
permissive SELinux, consider the priority as low.

Permissive mode:
Source Context:  system_u:system_r:pam_console_t:SystemLow-SystemHigh
Target Context:  system_u:object_r:device_t
Target Objects:  fb0 [ file ]
Affected RPM Packages:  pam-0.99.7.1-5.fc7 [application]
Policy RPM:  selinux-policy-2.6.4-8.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall_file
Host Name:  noname
Platform:  Linux noname 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count:  1
First Seen:  Sa 02 Jun 2007 17:21:46 CEST
Last Seen:  Sa 02 Jun 2007 17:21:46 CEST
Local ID:  09af6509-8567-4d03-aa21-2b4464bda41a

Source Context:  system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context:  system_u:object_r:var_t
Target Objects:  fifo0 [ fifo_file ]
Affected RPM Packages:  cndrvcups-capt-1.30-1 [application]
Policy RPM:  selinux-policy-2.6.4-8.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  noname
Platform:  Linux noname 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count:  1
First Seen:  Sa 02 Jun 2007 17:22:35 CEST
Last Seen:  Sa 02 Jun 2007 17:22:35 CEST
Local ID:  d3ef817f-6b1f-4502-92df-10de32b49968

Source Context:  system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context:  system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Objects:  None [ process ]
Affected RPM Packages:  cndrvcups-capt-1.30-1 [application]
Policy RPM:  selinux-policy-2.6.4-8.fc7
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  plugins.catchall
Host Name:  noname
Platform:  Linux noname 2.6.21-1.3194.fc7 #1 SMP Wed May 23 22:35:01 EDT 2007 i686 athlon
Alert Count:  1
First Seen:  Sa 02 Jun 2007 17:22:47 CEST
Last Seen:  Sa 02 Jun 2007 17:22:47 CEST
Local ID:  f20ae4ec-2aab-471d-9b7a-1b2976dfb649

Comment 1 Daniel Walsh 2007-06-04 16:24:51 UTC
Please attach the audit.log (/var/log/audit/audit.log)

Comment 2 Fabian M. Schindler 2007-06-04 20:13:52 UTC
Created attachment 156121 [details]
/var/log/audit/audit.log file

Here is the requested file.

Comment 3 Daniel Walsh 2007-06-04 20:44:11 UTC
Please execute 
# restorecon -R -v /root 

This will clean up the complaints about default_t.  Will be fixed in the next release.


libcaiowrap.so and libcaepcm.so have been built wrong.
We can change the context on these files to allow execmod, but a bug report
should be sent to the developers to fix their bug.  These memory checks are
explained at the following link:

http://people.redhat.com/~drepper/selinux-mem.html

chcon -t textrel_shlib_t libcaepcm.so* libcaiowrap.so*
will fix the context to allow selinux to work with these shared libraries. 
Please send me the full path.

I will add setpgid to cups policy

Cups is trying to write to a fifo_file owned by some other process.  Do you know
what this is and why it is being written in /var?

/dev/fb0 is labeled incorrectly.  Do you know how these were created?  According
to policy these should be labeled

matchpathcon /dev/fb0
/dev/fb0        system_u:object_r:framebuf_device_t
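
One way to sort the denials in an audit.log into the cases Comment 3 distinguishes (generic target label, a domain acting on itself, execmod on a library), shown as an added example that is not part of the original report or of any SELinux tool. The AVC records are constructed to resemble the three denials described above, and `triage`, `hint_for` and the generic-type list are hypothetical names chosen for illustration.

```python
import re

# Constructed AVC records modelled on the three denials in this report;
# pids, inodes, timestamps and MLS levels are made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1180797706.101:31): avc:  denied  { setattr } for  pid=2901 comm="pam_console_app" name="fb0" dev=tmpfs ino=5012 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=file
type=AVC msg=audit(1180797755.220:40): avc:  denied  { write } for  pid=3011 comm="ccp" name="fifo0" dev=sda1 ino=77120 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=fifo_file
type=AVC msg=audit(1180797767.330:41): avc:  denied  { setpgid } for  pid=3015 comm="pstocapt" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1180797767.330:41): arch=40000003 syscall=57 success=no
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")
NAME_RE = re.compile(r'\bname="([^"]*)"')

# Generic fallback types (assumed list): a denial here suggests a mislabeled object.
GENERIC_TYPES = {"device_t", "var_t", "default_t"}

def se_type(context):
    # A context is user:role:type[:level]; the level may itself contain colons.
    return context.split(":")[2]

def hint_for(src, tgt, tclass, perms):
    if "execmod" in perms:
        return "text relocation in a library: report to its developers"
    if tgt in GENERIC_TYPES:
        return "generic target label: compare with matchpathcon, then restorecon"
    if src == tgt and tclass == "process":
        return "domain acting on itself: candidate for a policy change"
    return "no heuristic matched: inspect manually"

def triage(log_text):
    """Group AVC denials by (source type, target type, class, object name)."""
    groups = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other non-AVC records
        name = NAME_RE.search(line)
        key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"],
               name.group(1) if name else None)
        groups.setdefault(key, set()).update(m["perms"].split())
    return [key + (sorted(p), hint_for(key[0], key[1], key[2], p))
            for key, p in groups.items()]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```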




Comment 4 Fabian M. Schindler 2007-06-09 16:31:10 UTC
It seems to work after the latest update.