Bug 715481

Summary: SELinux is preventing /usr/libexec/colord from 'read' accesses on the directory /media/OS.
Product: [Fedora] Fedora Reporter: Vincint Zangari <vincint_zangari>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:446b8b1ac9a74a77f3917803371ca772410884c385d01225de0bde3252d71a29
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-06-23 13:22:33 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Vincint Zangari 2011-06-23 02:44:41 UTC 
SELinux is preventing /usr/libexec/colord from 'read' accesses on the directory /media/OS.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/media/OS default label should be mnt_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /media/OS

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that colord should be allowed read access on the OS directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fusefs_t:s0
Target Objects                /media/OS [ dir ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           colord-0.1.7-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-26.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.6-26.rc1.fc15.i686 #1 SMP
                              Mon May 9 20:43:14 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Wed 22 Jun 2011 05:32:16 PM MST
Last Seen                     Wed 22 Jun 2011 05:32:16 PM MST
Local ID                      98b156ce-7d68-4123-b787-40c0b373927d

Raw Audit Messages
type=AVC msg=audit(1308789136.638:529): avc:  denied  { read } for  pid=18588 comm="colord" name="/" dev=sda1 ino=5 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fusefs_t:s0 tclass=dir


type=SYSCALL msg=audit(1308789136.638:529): arch=i386 syscall=access success=yes exit=0 a0=996d4e0 a1=5 a2=4b07a328 a3=996d4c8 items=0 ppid=1 pid=18588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,fusefs_t,dir,read

audit2allow

#============= colord_t ==============
allow colord_t fusefs_t:dir read;

audit2allow -R

#============= colord_t ==============
allow colord_t fusefs_t:dir read;
Comment 1 Vincint Zangari 2011-06-23 02:52:17 UTC 
I have an EPSON STYLUS CX7000F all in one printer-scanner-fax. I had previously been able to use it with Windows, but have transitioned to Fedora from Mandriva last night. I wanted to see if I could plug it in and turn it on to see if it would work, but when I turned on the scanner's power, I received the above message. 

I have tried to find a place inside the SEAlert where I could allow the device to have access to the OS and thereby try to find the correct drivers for it, but have not had any success. SEAlert informed me to report this as a bug, and hopefully there is something that I can do to resolve this. This is one of the last things that I need the Windows partition for, and hope that there is a working resolution to this problem so that I can completely remove Windows.
Comment 2 Daniel Walsh 2011-06-23 13:22:33 UTC 
Looks like this is fixed in the latest policy

yum -y update selinux-policy-targeted --enablerepo=updates-testing
Comment 3 Vincint Zangari 2011-06-23 23:05:16 UTC 
Daniel, I will try the update, but seeing as it was a brand new install and all the updated had all ready been done, I am rather perplexed. I will run that command when I am back behind Fedora this evening. Hopefully it does resolve the issue. Thanks for the info.