Bug 501362

Summary: selinux preventing gs and texttopaps from rendering correctly during cups printing
Product: [Fedora] Fedora
Reporter: Peter F. Patel-Schneider <pfpschneider>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: dwalsh, jkubin, mgrepl
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2009-11-03 09:23:36 UTC

Description Peter F. Patel-Schneider 2009-05-18 18:19:44 UTC
Description of problem:

SELinux is preventing gs access during printing.

Version-Release number of selected component (if applicable):

kernel 2.6.29.3-140.fc11.i586 

How reproducible:

Always


Steps to Reproduce:
1. Print something using CUPS that requires postscript rendering
  
Actual results:

SELinux reports problems, printing fails or prints poorly.

Expected results:

No SELinux violations, printing succeeds.

Additional info:

/var/log/messages with errors (several runs):

May 18 10:34:19 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:34:22 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:34:24 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:34:26 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:34:27 getafix setroubleshoot: SELinux is preventing texttopaps (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:34:28 getafix setroubleshoot: SELinux is preventing texttopaps (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:34:28 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:34:29 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:34:30 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:34:31 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:42:56 getafix pulseaudio[1923]: alsa-sink.c: Increasing wakeup watermark to 90.00 ms
May 18 10:57:03 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:57:05 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:57:07 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053
May 18 10:57:08 getafix setroubleshoot: SELinux is preventing gs (cupsd_t) "setattr" fonts_t. For complete SELinux messages. run sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053


sealert output:
getafix 46> sealert -l 7f6a92de-a7ff-47f4-9ba8-46b722bdd053

Summary:

SELinux is preventing gs (cupsd_t) "setattr" fonts_t.

Detailed Description:

SELinux denied access requested by gs. It is not expected that this access is
required by gs and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fonts_t:s0
Target Objects                fontconfig [ dir ]
Source                        gs
Source Path                   /usr/bin/gs
Port                          <Unknown>
Host                          getafix.research.bell-labs.com
Source RPM Packages           ghostscript-8.64-6.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-34.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     getafix.research.bell-labs.com
Platform                      Linux getafix.research.bell-labs.com
                              2.6.29.3-140.fc11.i586 #1 SMP Tue May 12 10:30:21
                              EDT 2009 i686 i686
Alert Count                   42
First Seen                    Mon May 11 08:48:57 2009
Last Seen                     Mon May 18 10:57:03 2009
Local ID                      7f6a92de-a7ff-47f4-9ba8-46b722bdd053
Line Numbers                  

Raw Audit Messages            

node=getafix.research.bell-labs.com type=AVC msg=audit(1242658623.209:25604): avc:  denied  { setattr } for  pid=3859 comm="gs" name="fontconfig" dev=dm-0 ino=13725 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir

node=getafix.research.bell-labs.com type=SYSCALL msg=audit(1242658623.209:25604): arch=40000003 syscall=15 success=no exit=-13 a0=87530a0 a1=1ed a2=d966e8 a3=87530a0 items=0 ppid=3857 pid=3859 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="gs" exe="/usr/bin/gs" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2009-05-18 18:41:16 UTC
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-38.fc11.noarch
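
Added example, not part of the bug report or the selinux-policy project: `grep avc ... | audit2allow` as shown in Comment 1 turns every denial in the audit log into an allow rule, so this sketch parses AVC records and emits audit2allow-style rules restricted to one source domain. The second log record and the function names `parse_avc` and `allow_rules` are constructed for illustration.

```python
import re
from collections import defaultdict

# Record 1 is the AVC line from this report. Record 2 is a constructed,
# unrelated denial standing in for whatever else the audit log contains.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1242658623.209:25604): avc:  denied  { setattr } for  pid=3859 comm="gs" name="fontconfig" dev=dm-0 ino=13725 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir
type=AVC msg=audit(1242658700.100:25610): avc:  denied  { read write } for  pid=4001 comm="exampled" name="example.db" dev=dm-0 ino=20001 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1242658623.209:25604): arch=40000003 syscall=15 success=no exit=-13 comm="gs" exe="/usr/bin/gs"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        # Contexts are user:role:type:level; only the type is used in TE rules.
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def allow_rules(log_text, source=None):
    """Merge denials into audit2allow-style rules, optionally for one domain."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc and (source is None or avc["source"] == source):
            merged[(avc["source"], avc["target"], avc["tclass"])].update(avc["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules


if __name__ == "__main__":
    print("unfiltered:", allow_rules(SAMPLE_AUDIT_LOG))
    print("cupsd_t only:", allow_rules(SAMPLE_AUDIT_LOG, source="cupsd_t"))
```

Comparing the two outputs shows which rules a local module would carry beyond the cupsd_t/fonts_t denial reported here.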

Comment 2 Peter F. Patel-Schneider 2009-05-18 23:45:54 UTC
Works.  Can be closed as you wish.

Comment 3 Bug Zapper 2009-06-09 16:03:51 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 4 Peter F. Patel-Schneider 2009-11-03 09:23:36 UTC
Closing - has been fixed for a while.