Bug 661372

Summary: SELinux is preventing /bin/bash "getattr" access on /usr/lib/httpd.
Product: [Fedora] Fedora
Reporter: Mark Myatt <mark>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: dwalsh, mgrepl, twaugh
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:21bac275a352ba3df8e59f574792b67ba0925b8f76a6f9c37253806cf58ec2a3
Doc Type: Bug Fix
Last Closed: 2010-12-09 10:58:31 UTC

Description Mark Myatt 2010-12-08 16:55:30 UTC
Summary:

SELinux is preventing /bin/bash "getattr" access on /usr/lib/httpd.

Detailed Description:

SELinux denied access requested by Samsung-ML-1660. It is not expected that this
access is required by Samsung-ML-1660 and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:httpd_modules_t:s0
Target Objects                /usr/lib/httpd [ dir ]
Source                        Samsung-ML-1660
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-3.fc14
Target RPM Packages           httpd-2.2.17-1.fc14
Policy RPM                    selinux-policy-3.9.7-14.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.9-64.fc14.i686.PAE #1 SMP Fri
                              Dec 3 12:28:00 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 08 Dec 2010 16:51:57 GMT
Last Seen                     Wed 08 Dec 2010 16:51:57 GMT
Local ID                      3e91515a-55c3-498e-8d7c-37f3d5f6ed89
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1291827117.374:40): avc:  denied  { getattr } for  pid=2810 comm="Samsung-ML-1660" path="/usr/lib/httpd" dev=dm-0 ino=1710680 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1291827117.374:40): arch=40000003 syscall=195 success=no exit=-13 a0=8cac5c8 a1=bfc46370 a2=4b7ff4 a3=8ca2dd0 items=0 ppid=2798 pid=2810 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="Samsung-ML-1660" exe="/bin/bash" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,Samsung-ML-1660,cupsd_t,httpd_modules_t,dir,getattr
audit2allow suggests:

#============= cupsd_t ==============
allow cupsd_t httpd_modules_t:dir getattr;
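
An added example, not part of the original report and not code from setroubleshoot or audit2allow: it pairs the AVC and SYSCALL records above by their shared audit event ID and derives a type-enforcement rule in the same shape as the audit2allow suggestion, alongside the executable and exit code a reviewer would check before deciding whether such a rule is warranted. The function names are illustrative.

```python
import re

# Raw audit records copied from the report above (host already redacted there).
RAW = '''node=(removed) type=AVC msg=audit(1291827117.374:40): avc:  denied  { getattr } for  pid=2810 comm="Samsung-ML-1660" path="/usr/lib/httpd" dev=dm-0 ino=1710680 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir
node=(removed) type=SYSCALL msg=audit(1291827117.374:40): arch=40000003 syscall=195 success=no exit=-13 a0=8cac5c8 a1=bfc46370 a2=4b7ff4 a3=8ca2dd0 items=0 ppid=2798 pid=2810 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="Samsung-ML-1660" exe="/bin/bash" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by (timestamp, serial): {event_id: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if not m:
            continue  # not an audit record
        rtype, ts, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == 'AVC':
            p = PERMS.search(line)
            fields['perms'] = p.group(1).split() if p else []
        events.setdefault((ts, serial), {})[rtype] = fields
    return events

def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]

def triage(event):
    """Summarise one denied event: candidate rule plus syscall-side context."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    perms = avc['perms']
    perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return {
        'rule': f"allow {se_type(avc['scontext'])} {se_type(avc['tcontext'])}:{avc['tclass']} {perm_s};",
        'exe': sc.get('exe'),      # real binary behind comm= (here a shell script)
        'comm': avc.get('comm'),
        'exit': int(sc['exit']) if 'exit' in sc else None,  # -13 is -EACCES
        'uid': sc.get('uid'),
    }

if __name__ == '__main__':
    for event_id, event in parse_events(RAW).items():
        print(event_id, triage(event))
```
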

Comment 1 Miroslav Grepl 2010-12-08 17:31:59 UTC
Do you know what you were doing when this happened?

Comment 2 Tim Waugh 2010-12-09 10:28:34 UTC
This looks like something the 3rd party Samsung driver is trying to do, perhaps in a CUPS backend or filter.  It is not expected that CUPS backends or filters would do something like that.

Comment 3 Miroslav Grepl 2010-12-09 10:58:31 UTC
Mark was trying to install Samsung Laser printer ML-1665.

I think this won't happen again. 

Mark,
if yes, please reopen the bug.

Comment 4 Mark Myatt 2010-12-09 11:39:35 UTC
09/12/2010 11.35 GMT

Just a thought - it may not have worked as it appears to have initially choked on SELinux. I have since deleted SELinux but the problem still remains. Printer USB connected and recognised by Fedora 14 with correct and recommended driver (foomatic/PXL mono) but will still not print test page or anything else. Nothing seen in print queue. Any ideas?

M J Myatt

Comment 5 Tim Waugh 2010-12-09 12:13:06 UTC
Try the printing troubleshooter.
https://fedoraproject.org/wiki/Printing/Debugging

Comment 6 Mark Myatt 2010-12-09 19:40:36 UTC
(In reply to comment #5)
> Try the printing troubleshooter.
> https://fedoraproject.org/wiki/Printing/Debugging

Thank you Tim for your suggestion. Unhappily there is no text or advice of any kind on that site. It is yet to be activated and not clear whether there is any work in progress.

M J Myatt

Comment 7 Tim Waugh 2010-12-10 12:31:53 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Try the printing troubleshooter.
> > https://fedoraproject.org/wiki/Printing/Debugging
> 
> Thank you Tim for your suggestion. Unhappily there is no text or advice of any
> kind on that site. It is yet to be activated and not clear whether there is any
> work in progress.

You don't see a page entitled "How to debug printing problems"?  It certainly works when I view it.