Bug 247225
| Summary: | Brother DCP-130C SELinux blocking | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Daryl Thompson <daryl.francis.thompson> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CANTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | urgent | Docs Contact: | |
| Priority: | low | ||
| Version: | 9 | CC: | gwhitesr, twaugh |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-10-20 14:55:56 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in selinux-policy-2.6.4-25.fc7 chcon -R -t cupsd_rw_etc_t /usr/local/Brother/inf Should allow this to work Closing as fixes are in the current release *** Bug 466143 has been marked as a duplicate of this bug. *** Seems like this needs fixing again in Fedora 9. Why the SELinux context on the system is correct, the problem is the rpm does not specify the directory so it must be created in the post install and not labeled correctly. So there is nothing I can do to fix this. Brother either needs to include /usr/local/Brother/*/inf In the rpm payload or run restorecon in the post install script. |
Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: Summary SELinux is preventing /usr/bin/brprintconf_dcp130c (cupsd_t) "write" to inf (usr_t). Detailed Description SELinux denied access requested by /usr/bin/brprintconf_dcp130c. It is not expected that this access is required by /usr/bin/brprintconf_dcp130c and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for inf, restorecon -v inf If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context user_u:system_r:cupsd_t:SystemLow-SystemHigh Target Context user_u:object_r:usr_t Target Objects inf [ dir ] Affected RPM Packages dcp130clpr-1.0.0-9 [application] Policy RPM selinux-policy-2.6.4-23.fc7 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name editor.netcastaustralia.com Platform Linux editor.netcastaustralia.com 2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT 2007 i686 athlon Alert Count 36 First Seen Fri 06 Jul 2007 01:42:03 PM EST Last Seen Fri 06 Jul 2007 02:22:31 PM EST Local ID 27f6f6d0-f626-4b57-b1a7-9b8f0e0ae67a Line Numbers Raw Audit Messages avc: denied { write } for comm="brprintconf_dcp" dev=dm-0 egid=7 euid=4 exe="/usr/bin/brprintconf_dcp130c" exit=-13 fsgid=7 fsuid=4 gid=7 items=0 name="inf" pid=4128 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=dir tcontext=user_u:object_r:usr_t:s0 tty=(none) uid=4