Bug 244765
Summary: | AVC Denials for CPUs using MFC420CN Printer
---|---
Product: | [Fedora] Fedora
Component: | selinux-policy-targeted
Version: | 7
Hardware: | x86_64
OS: | Linux
Reporter: | Mark Phipps <phi_factor>
Assignee: | Daniel Walsh <dwalsh>
QA Contact: | Ben Levenson <benl>
Status: | CLOSED CURRENTRELEASE
Severity: | medium
Priority: | low
Fixed In Version: | Current
Doc Type: | Bug Fix
Last Closed: | 2007-08-22 14:11:03 UTC
Description
Mark Phipps
2007-06-19 02:20:23 UTC
Created attachment 157341
six AVC alert messages from the SELinux debugger
Do you know what directory it is trying to create files in? /usr/local/Brother/cupswrapper? Did you run it in permissive mode? When you run it a second time, does it try to unlink the file again?

Yes, I ran it in permissive mode in order to see the denials--in enforcing mode it would not print at all. It appears to be attempting to modify the file "brMFC420CNrc" which is in the /usr/local/Brother/inf directory. The brMFC420CNrc file has information like the print resolution, paper type, etc. When trying different file-contexts, I did full system re-boots just to be sure everything was reset. It may require that I create a local policy to avoid the situation, but I haven't gotten that far yet.

See if

# chcon -R -t cups_rw_etc_t /usr/local/Brother/inf

makes it work. This should be brought up as a bug to Brother that they should not have r/w files under /usr. They should be under /var or /etc/. (Preferably /var). If this works for you I will change the default policy to label this directory.

That takes care of most of the issues. I think you really meant chcon -R -t cupsd_rw_etc_t (cupsd instead of cups). The only denials now concern the cupswrapper file trying to do various things (lock, get_addr, etc.) with /var/run/utmp.

It will now print in enforcing mode, but you still get a few denials regarding /var/run/utmp. The file that is trying to access /var/run/utmp is brlpdwrapperMFC and is located in the usr/lib/cups/filter folder. By default it has the following context: system_u:object_r:bin_t. Whatever it is trying to do doesn't stop the print job from execution, even in enforcing mode, but does pop up with AVC denials.

Ok, I will add a dontaudit rule for the next selinux-policy update along with fixing the labeling of that directory.

Fixed in selinux-policy-2.6.4-23.

Closing as fixes are in the current release.
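
The triage done in this thread (collect denials in permissive mode, then see which object each one hits) can be scripted. The following is an added example, not part of the bug report or of selinux-policy; the log lines are constructed, and the types cupsd_t, usr_t and initrc_var_run_t in them are assumptions, since the real denials were only in the attachment.

```python
import re
from collections import defaultdict

# Constructed records in audit.log AVC format. The bug's real denials were in
# an attachment; the types cupsd_t, usr_t and initrc_var_run_t are assumptions.
SAMPLE_LOG = """\
type=AVC msg=audit(1182219600.101:41): avc:  denied  { write } for  pid=2345 comm="brlpdwrapperMFC" name="brMFC420CNrc" dev=dm-0 ino=1001 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1182219600.101:41): arch=c000003e syscall=2 success=yes exit=3 comm="brlpdwrapperMFC"
type=AVC msg=audit(1182219600.140:42): avc:  denied  { unlink } for  pid=2345 comm="brlpdwrapperMFC" name="brMFC420CNrc" dev=dm-0 ino=1001 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1182219601.007:43): avc:  denied  { read } for  pid=2345 comm="brlpdwrapperMFC" name="utmp" dev=dm-0 ino=2002 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
type=AVC msg=audit(1182219601.009:44): avc:  denied  { lock } for  pid=2345 comm="brlpdwrapperMFC" name="utmp" dev=dm-0 ino=2002 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = set(m.group("perms").split())
    return rec

def selinux_type(context):
    """Extract the type from user:role:type[:level]."""
    return context.split(":")[2]

def summarize(log_text):
    """Map (source type, target type, class, object name) -> denied permissions."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # SYSCALL and other non-AVC records
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]),
               rec["tclass"], rec.get("name", "?"))
        groups[key] |= rec["perms"]
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls, name), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt}:{cls} name={name} {{ {' '.join(sorted(perms))} }}")
```

Each output group points at one object: the brMFC420CNrc group corresponds to what the relabel of /usr/local/Brother/inf addresses in the thread, and the utmp group to what the dontaudit rule silences.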