Bug 505748

Summary: selinux is preventing fprintd (fprintd_t) "read" to / (usbfs_t)
Product: [Fedora] Fedora
Reporter: wirechief <silvermachineman>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low    
Version: 11   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2009-06-17 14:21:36 UTC
Attachments: copy of dmesg text (flags: none)

Description wirechief 2009-06-13 14:16:52 UTC
Created attachment 347741
copy of dmesg text

Description of problem: I am getting an alert from selinux that it is preventing fprint (fprintd_t) "read" to / (usbfs_t); it goes on to say that / may be mislabeled.
I am using VirtualBox 2.2.4 R47978 with a host of Kanotix 32bit and guest of Fedora 11 (I am not sure if this is part of the problem).
I tried to print a text file in my /home/wirechief/text/ folder. I used restorecon '/'; however, it does not stop the alert, and the file gets printed anyway. This may not be a Fedora 11 or selinux bug but rather, because I am using a VM to use Fedora 11, it is getting some confusion. However, I am filing this report for review.
I made a fpaste of the details http://fpaste.org/paste/15002


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. enter a file and select "print"

Actual results: selinux issues an alert with the icon appearing on the desktop


Expected results: my file to print without errors or warnings.


Additional info:
uname -a
Linux localhost.localdomain 2.6.29.4-167.fc11.i586 #1 SMP Wed May 27 17:14:37 EDT 2009 i686 i686 i386 GNU/Linux

my infobash:
infobash -v3 0
Host/Kernel/OS "localhost.localdomain" running Linux 2.6.29.4-167.fc11.i586 i386 [ fc11.i586 ]
CPU Info       Intel Core2 Duo T7300 @ 4096 KB cache flags( sse3 ) clocked at [ 745.107 MHz ]
Videocard      InnoTek Systemberatung GmbH VirtualBox Graphics Adapter  X.Org 1.6.1.901  [ 1256x670 ]
Network cards  Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE], at port: c020 
Processes 150 | Uptime 2days | Memory 269.0/498.9MB | HDD VBOX HARDDISK Size 21GB (24%used) | GLX Renderer Software Rasterizer | GLX Version Yes | Client Shell | Infobash v3.22

ausearch -m avc -ts today

time->Fri Jun 12 17:05:09 2009
type=SYSCALL msg=audit(1244840709.594:23485): arch=40000003 syscall=38 per=400000 success=no exit=-13 a0=bf91fae0 a1=bf91f6d0 a2=804a4c8 a3=bf91fae0 items=0 ppid=6079 pid=7088 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=1 comm="brprintconfij2" exe="/usr/bin/brprintconfij2" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1244840709.594:23485): avc:  denied  { write } for  pid=7088 comm="brprintconfij2" name="inf" dev=dm-0 ino=181 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir

Comment 1 Daniel Walsh 2009-06-17 14:21:36 UTC
The first error you report should be fixed in selinux-policy-3.6.12-45.fc11 

yum upgrade selinux-policy-targeted

The second error is a dir which is mislabeled, I believe.

Where is your Brother software installed?

restorecon -R -v /usr/local

Should fix it if it installed in /usr/local.

Comment 2 wirechief 2009-06-17 18:45:33 UTC
# yum upgrade selinux-policy-targeted
Loaded plugins: refresh-packagekit
updates/metalink                                                          |  12 kB     00:00     
Setting up Upgrade Process
No Packages marked for Update

# restorecon -R -v /usr/local
restorecon reset /usr/local/Brother/lpd context unconfined_u:object_r:usr_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/local/Brother/inf context unconfined_u:object_r:usr_t:s0->system_u:object_r:cupsd_rw_etc_t:s0
restorecon reset /usr/local/Brother/inf/brMFC420CNrc context unconfined_u:object_r:usr_t:s0->system_u:object_r:cupsd_rw_etc_t:s0

I am now able to print without a selinux error, thank you for your help.
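
The triage done in this thread, tying the AVC denial on `name="inf"` to the directory that `restorecon` relabeled, can be scripted. The following is an added example, not part of the original report or of any SELinux tooling; the function names are hypothetical, and the input lines are copied from the report above.

```python
import re
from posixpath import basename

# Records copied verbatim from the report above.
AVC_LINE = (
    'type=AVC msg=audit(1244840709.594:23485): avc:  denied  { write } for  '
    'pid=7088 comm="brprintconfij2" name="inf" dev=dm-0 ino=181 '
    'scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir')
RESTORECON_OUTPUT = """\
restorecon reset /usr/local/Brother/lpd context unconfined_u:object_r:usr_t:s0->system_u:object_r:bin_t:s0
restorecon reset /usr/local/Brother/inf context unconfined_u:object_r:usr_t:s0->system_u:object_r:cupsd_rw_etc_t:s0
restorecon reset /usr/local/Brother/inf/brMFC420CNrc context unconfined_u:object_r:usr_t:s0->system_u:object_r:cupsd_rw_etc_t:s0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
RESET_RE = re.compile(r'^restorecon reset (?P<path>.+?) context (?P<old>\S+)->(?P<new>\S+)$')

def selinux_type(context):
    """Type is the third field of user:role:type:level."""
    return context.split(':')[2]

def parse_avc(line):
    """Return the fields of an AVC denial needed for triage, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(f.split('=', 1) for f in m.group('fields').split() if '=' in f)
    return {'perms': m.group('perms').split(),
            'comm': kv.get('comm', '').strip('"'),
            'name': kv.get('name', '').strip('"'),
            'source_type': selinux_type(kv['scontext']),
            'target_type': selinux_type(kv['tcontext']),
            'tclass': kv['tclass']}

def parse_resets(text):
    """Return (path, old_type, new_type) for each 'restorecon reset' line."""
    found = (RESET_RE.match(l.strip()) for l in text.splitlines())
    return [(m['path'], selinux_type(m['old']), selinux_type(m['new'])) for m in found if m]

def resets_explaining(denial, resets):
    """Relabels that account for a denial: same object name and the old type
    equals the denied target type. name= is only the last path component,
    so this is a heuristic; comparing ino= with the file's inode is conclusive."""
    return [r for r in resets
            if basename(r[0]) == denial['name'] and r[1] == denial['target_type']]

if __name__ == '__main__':
    denial = parse_avc(AVC_LINE)
    for path, old, new in resets_explaining(denial, parse_resets(RESTORECON_OUTPUT)):
        print(f"{denial['source_type']} {denial['perms']} on {path}: {old} -> {new}")
```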