Bug 592089
| Summary: | SELinux is preventing /usr/lib/cups/backend/mfp "getattr" access to device /dev/mfpports/probe. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Simon <simon> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 12 | CC: | dwalsh, mgrepl, simon, twaugh |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:173a8df32f4b34a4cbc346add9deedbcf0459c369cc937d0e348882b7358a8b4 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-11-03 13:52:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
What kind of device is dev/mfpports/probe? I could try /dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0) Sorry to take so long to answer. I have a Samsung SCX-4216F multifunction fax-scanner-printer attached from the parallel port on the printer to a usb port on the fedora box via a parallel to usb converter cable. I downloaded and installed Samsung's official driver for linux to this machine and I'm trying to get the gui system-config-printer program to recognise it. Just when I thought I was getting somewhere selinux blocked the probe. Thanks for your help on this, what does the /dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0) do? Hello again, I installed the driver package which reported a couple of errors, and tried the command, this was the output:-
Installing mfpcommon...
Copyright Samsung Software Center, Moscow 2001-2003 (c)
Software license silently accepted via command-line option.
Backing up old versions of non-shared files to be installed...
Backing up old versions of shared files to be installed...
Creating installation directories...
Installing software...
Running post-install commands...
MFPLDProgress=100
MFPLDStep=Running scripts...
ERROR: Module mfpportprobe does not exist in /proc/modules
ERROR: Module mfpport does not exist in /proc/modules
Updating module dependencies. Please wait...
Initializing CUPS drivers (Please wait. This can take several minutes)...
done.
Installation is complete.
MFPLDProgress=100
MFPLDStep=Installing MFP drivers...
#########################################################################################
Installing MFP drivers package...
Copyright Samsung Software Center, Moscow 2001-2003 (c)
Software license silently accepted via command-line option.
Backing up old versions of shared files to be installed...
Installing software...
Running post-install commands...
Adding printer...
DEBUG: scx4x16.post.sh: DEVICE_LINE=
DEBUG: scx4x16.post.sh: DEVICE_PORT=
DEBUG: Printer install string=lpadmin -p scx4x16 -m samsung/scx4x16.ppd.gz -v mfp:/dev/mfp0
DEBUG: Setting SCALING option to printer=scx4x16
Initializing CUPS drivers...
DEBUG: CUPS_SCRIPT=/etc/rc.d/init.d/cups
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/usr/share/applnk-mdk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/etc/X11/applnk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/etc/X11/applnk - MENU IS INSTALLED
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/usr/share/applnk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/usr/share/applnk - MENU IS INSTALLED
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/usr/share/applnk-mdk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde/share/applnk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde/share/applnk-mdk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde2/share/applnk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde2/share/applnk-mdk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde3/share/applnk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde3/share/applnk-mdk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/etc/opt/kde/share/applnk/SuSE - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/etc/opt/kde2/share/applnk/SuSE - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/etc/opt/kde3/share/applnk/SuSE - menu to be installed
Installation is complete.
MFP driver package installation succedded.
MFPLDProgress=100
MFP driver package has been installed successfully.
[root@www Linux]# /dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0)
bash: syntax error near unexpected token `('
[root@www Linux]# /dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0
bash: syntax error near unexpected token `('
[root@www Linux]# /dev/mfpports/.* -c gen_context system_u:object_r:printer_device_t,s0
bash: /dev/mfpports/.: is a directory
[root@www Linux]# /dev/mfpports/.* -c gen_context (system_u:object_r:printer_device_t,s0)
bash: syntax error near unexpected token `('
[root@www Linux]#
Selinux is preventing access and stating that the file name is wrong, but the file name is the same as selinux expected(?)
Summary:
SELinux is preventing /usr/lib/cups/backend/mfp "unix_read unix_write" access to
<Unknown>.
Detailed Description:
SELinux denied access requested by /usr/lib/cups/backend/mfp.
/usr/lib/cups/backend/mfp is mislabeled. /usr/lib/cups/backend/mfp default
SELinux type is bin_t, but its current type is bin_t. Changing this file back to
the default type, may fix your problem.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/usr/lib/cups/backend/mfp'.
Fix Command:
/sbin/restorecon '/usr/lib/cups/backend/mfp'
Additional Information:
Source Context unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects None [ shm ]
Source mfp
Source Path /usr/lib/cups/backend/mfp
Port <Unknown>
Host www.
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.6.32-113.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name restore_source_context
Host Name www.
Platform Linux www.
2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5
16:15:03 EDT 2010 i686 i686
Alert Count 216
First Seen Thu 13 May 2010 08:47:18 PM BST
Last Seen Sat 15 May 2010 03:53:08 PM BST
Local ID 05b6aeda-f04a-48b5-8519-13b82c6f6874
Line Numbers
Raw Audit Messages
node=www. type=AVC msg=audit(1273935188.51:39791): avc: denied { unix_read unix_write } for pid=20258 comm="mfp" key=-324508629 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
node=www. type=SYSCALL msg=audit(1273935188.51:39791): arch=40000003 syscall=117 per=400000 success=no exit=-13 a0=17 a1=eca8642b a2=1000 a3=3b6 items=0 ppid=20248 pid=20258 auid=500 uid=4 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=22 comm="mfp" exe="/usr/lib/cups/backend/mfp" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
When I Successfully ran /sbin/restorecon '/usr/lib/cups/backend/mfp' I still cannot print from either system-config-printer, or the Samsung program, and GtlLP reports an internal program error then exits when I click OK.
I have installed the samsung driver without errors now and system-config-printer is seeing Samsung SCX-4x16 at location parallel:/dev/lp0 and saying it is idle but online. I cannot print a test page though and selinux says:-
Summary:
SELinux is preventing /lib/ld-2.11.1.so "execmod" access to
/usr/lib/libqt-mt.samsung-mfp.so.3.0.4.
Detailed Description:
SELinux denied access requested by ld-linux.so.2.
/usr/lib/libqt-mt.samsung-mfp.so.3.0.4 may be a mislabeled.
/usr/lib/libqt-mt.samsung-mfp.so.3.0.4 default SELinux type is lib_t, but its
current type is bin_t. Changing this file back to the default type, may fix your
problem.
File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A which creates
a file in a directory labeled B will instead create the file with label C.
An example of this would be the dhcp client running with the dhclient_t type
and creating a file in the directory /etc. This file would normally receive
the etc_t type due to parental inheritance but instead the file is labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
restorecon.
This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.
However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/usr/lib/libqt-mt.samsung-mfp.so.3.0.4', if this
file is a directory, you can recursively restore using restorecon -R
'/usr/lib/libqt-mt.samsung-mfp.so.3.0.4'.
Fix Command:
/sbin/restorecon '/usr/lib/libqt-mt.samsung-mfp.so.3.0.4'
Additional Information:
Source Context system_u:system_r:prelink_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:bin_t:s0
Target Objects /usr/lib/libqt-mt.samsung-mfp.so.3.0.4 [ file ]
Source ld-linux.so.2
Source Path /lib/ld-2.11.1.so
Port <Unknown>
Host www.conditional-fee.co.uk
Source RPM Packages glibc-2.11.1-6
Target RPM Packages
Policy RPM selinux-policy-3.6.32-113.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name restorecon
Host Name www.conditional-fee.co.uk
Platform Linux www.conditional-fee.co.uk
2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5
16:15:03 EDT 2010 i686 i686
Alert Count 1
First Seen Fri 14 May 2010 03:34:12 AM BST
Last Seen Fri 14 May 2010 03:34:12 AM BST
Local ID a9db3258-e8eb-4f4c-b201-074fe8888e5e
Line Numbers
Raw Audit Messages
node=www.conditional-fee.co.uk type=AVC msg=audit(1273804452.677:39363): avc: denied { execmod } for pid=1233 comm="ld-linux.so.2" path="/usr/lib/libqt-mt.samsung-mfp.so.3.0.4" dev=dm-2 ino=300044 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file
node=www.conditional-fee.co.uk type=SYSCALL msg=audit(1273804452.677:39363): arch=40000003 syscall=125 success=no exit=-13 a0=731000 a1=807000 a2=5 a3=bfaeb320 items=0 ppid=32479 pid=1233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=205 comm="ld-linux.so.2" exe="/lib/ld-2.11.1.so" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)
AND
Summary:
SELinux is preventing /usr/lib/cups/backend/mfp "unix_read unix_write" access to
<Unknown>.
Detailed Description:
SELinux denied access requested by /usr/lib/cups/backend/mfp.
/usr/lib/cups/backend/mfp is mislabeled. /usr/lib/cups/backend/mfp default
SELinux type is bin_t, but its current type is bin_t. Changing this file back to
the default type, may fix your problem.
If you believe this is a bug, please file a bug report against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/usr/lib/cups/backend/mfp'.
Fix Command:
/sbin/restorecon '/usr/lib/cups/backend/mfp'
Additional Information:
Source Context unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects None [ shm ]
Source mfp
Source Path /usr/lib/cups/backend/mfp
Port <Unknown>
Host www.conditional-fee.co.uk
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.6.32-113.fc12
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name restore_source_context
Host Name www.conditional-fee.co.uk
Platform Linux www.conditional-fee.co.uk
2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5
16:15:03 EDT 2010 i686 i686
Alert Count 336
First Seen Thu 13 May 2010 08:47:18 PM BST
Last Seen Sun 16 May 2010 04:23:36 PM BST
Local ID 05b6aeda-f04a-48b5-8519-13b82c6f6874
Line Numbers
Raw Audit Messages
node=www.conditional-fee.co.uk type=AVC msg=audit(1274023416.143:36822): avc: denied { unix_read unix_write } for pid=8837 comm="mfp" key=-324508629 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
node=www.conditional-fee.co.uk type=SYSCALL msg=audit(1274023416.143:36822): arch=40000003 syscall=117 per=400000 success=no exit=-13 a0=17 a1=eca8642b a2=1000 a3=3b6 items=0 ppid=8827 pid=8837 auid=500 uid=4 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=1 comm="mfp" exe="/usr/lib/cups/backend/mfp" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
What can I do to get access to the printer, restorecon commands don't seem to help?
Lost this bug in the flood, Are you still seeing this problem? Please reopen the bug if this still happens. This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Hello again,
I bought a samsung CLX-6220FX which prints OK but each time I try to use the smatpanel or unified driver configurater selinux block it:-
SELinux is preventing /opt/Samsung/mfp/bin/Configurator from using the execstack access on a process.
***** Plugin allow_execstack (53.1 confidence) suggests ********************
If you believe that
None
should not require execstack
Then you should clear the execstack flag and see if /opt/Samsung/mfp/bin/Configurator works correctly.
Report this as a bug on None.
You can clear the exestack flag by executing:
Do
execstack -c None
***** Plugin catchall_boolean (42.6 confidence) suggests *******************
If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Then you must tell SELinux about this by enabling the 'allow_execstack' boolean.
Do
setsebool -P allow_execstack 1
***** Plugin catchall (5.76 confidence) suggests ***************************
If you believe that Configurator should be allowed execstack access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep Configurator /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects Unknown [ process ]
Source Configurator
Source Path /opt/Samsung/mfp/bin/Configurator
Port <Unknown>
Host www.conditional-fee.co.uk
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.7-44.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name www.conditional-fee.co.uk
Platform Linux www.conditional-fee.co.uk
2.6.35.14-97.fc14.i686.PAE #1 SMP Sat Sep 17
00:22:29 UTC 2011 i686 i686
Alert Count 1
First Seen Sat 15 Oct 2011 17:11:32 BST
Last Seen Sat 15 Oct 2011 17:11:32 BST
Local ID b1f3562c-ec3e-48c8-9798-73102216119f
Raw Audit Messages
type=AVC msg=audit(1318695092.132:2519): avc: denied { execstack } for pid=14265 comm="Configurator" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1318695092.132:2519): arch=i386 syscall=mprotect success=no exit=EACCES a0=bfb02000 a1=1000 a2=1000007 a3=bfb020ec items=0 ppid=1 pid=14265 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=268 comm=Configurator exe=/opt/Samsung/mfp/bin/Configurator subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Hash: Configurator,unconfined_t,unconfined_t,process,execstack
audit2allow
#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'
allow unconfined_t self:process execstack;
audit2allow -R
#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'
I want to use the scanning capability but not if the method involves any security risk (I've got another scanner -not as good)
What are the implications of using execstack -c None
please?
You could look for libraries that are marked as requiring execstack
# find /lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X
# find /usr/lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X
or
# find /lib64 -exec execstack -q {} \; -print 2> /dev/null | grep ^X
# find /usr/lib64 -exec execstack -q {} \; -print 2> /dev/null | grep ^X
Then try to turn off the flag of any libraries that require execstack
execstack -c
And see if the apps work.
If you can not find the problem library or the libraray does not work without
the execstack flag turned on, your only option is to tell SELinux to stop
checking for execstack using the boolean
setsebool -P allow_execstack 1
|
Summary: SELinux is preventing /usr/lib/cups/backend/mfp "getattr" access to device /dev/mfpports/probe. Detailed Description: SELinux has denied mfp "getattr" access to device /dev/mfpports/probe. /dev/mfpports/probe is mislabeled, this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label. You can attempt to change the label of the file using restorecon -v '/dev/mfpports/probe'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bg report. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for /dev/mfpports/probe, you can use chcon -t SIMILAR_TYPE '/dev/mfpports/probe', If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE '/dev/mfpports/probe' If the restorecon changes the context, this indicates that the application that created the device, created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application. Allowing Access: Attempt restorecon -v '/dev/mfpports/probe' or chcon -t SIMILAR_TYPE '/dev/mfpports/probe' Additional Information: Source Context unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context unconfined_u:object_r:device_t:s0 Target Objects /dev/mfpports/probe [ chr_file ] Source mfp Source Path /usr/lib/cups/backend/mfp Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.6.32-113.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name device Host Name (removed) Platform Linux (removed) 2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5 16:15:03 EDT 2010 i686 i686 Alert Count 60 First Seen Thu 13 May 2010 08:47:18 PM BST Last Seen Thu 13 May 2010 08:57:01 PM BST Local ID 18fa773d-996e-459d-9218-10ae0e7cee83 Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1273780621.475:39263): avc: denied { getattr } for pid=27830 comm="mfp" path="/dev/mfpports/probe" dev=devtmpfs ino=412872 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file node=(removed) type=SYSCALL msg=audit(1273780621.475:39263): arch=40000003 syscall=195 per=400000 success=no exit=-13 a0=bffd1240 a1=bffd112c a2=699ff4 a3=3 items=0 ppid=27818 pid=27830 auid=500 uid=4 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=22 comm="mfp" exe="/usr/lib/cups/backend/mfp" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) Hash String generated from device,mfp,cupsd_t,device_t,chr_file,getattr audit2allow suggests: #============= cupsd_t ============== allow cupsd_t device_t:chr_file getattr;