Bug 789577

Summary: SELinux is preventing /bin/bash from 'execute_no_trans' accesses on the file /opt/brother/Printers/dcp195c/lpd/filterdcp195c.
Product: Fedora
Component: selinux-policy
Version: 16
Hardware: i686
OS: Unspecified
Status: CLOSED NOTABUG
Last Closed: 2012-02-13 10:13:16 UTC
Reporter: fabio congiu <congiu.f>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ajschult784, dominick.grift, dwalsh, mgrepl
Severity: unspecified
Priority: unspecified
Doc Type: Bug Fix
Whiteboard: abrt_hash:8ac657acbb50b1a71a32806fe7f20c2097e90fb5fdfdacbdf479d50b7212c6b4
Attachments: troubleshoot.txt (flags: none)

Description fabio congiu 2012-02-11 13:43:36 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.2.1-3.fc16.i686
reason:         SELinux is preventing /bin/bash from 'execute_no_trans' accesses on the file /opt/brother/Printers/dcp195c/lpd/filterdcp195c.
time:           Sat 11 Feb 2012 14:41:03 CET

troubleshoot.txt: Text file, 59885 bytes

description:
SELinux is preventing /bin/bash from 'execute_no_trans' accesses on the file /opt/brother/Printers/dcp195c/lpd/filterdcp195c.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow bash to have execute_no_trans access on the filterdcp195c file
Then you need to change the label on /opt/brother/Printers/dcp195c/lpd/filterdcp195c
Do
# semanage fcontext -a -t FILE_TYPE '/opt/brother/Printers/dcp195c/lpd/filterdcp195c'
where FILE_TYPE is one of the following: lpr_exec_t, cupsd_interface_t, bin_t, lib_t, ifconfig_exec_t, initrc_exec_t, shell_exec_t, cupsd_exec_t, hostname_exec_t.
Then execute:
restorecon -v '/opt/brother/Printers/dcp195c/lpd/filterdcp195c'

*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that bash should be allowed execute_no_trans access on the filterdcp195c file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep brlpdwrapperdcp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                /opt/brother/Printers/dcp195c/lpd/filterdcp195c [ file ]
Source                        brlpdwrapperdcp
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.2.20-1.fc16
Target RPM Packages           dcp195clpr-1.1.3-1
Policy RPM                    selinux-policy-3.10.0-69.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.2.1-3.fc16.i686 #1 SMP Mon Jan 23 15:44:05 UTC 2012 i686 i686
Alert Count                   8
First Seen                    Sat 14 Jan 2012 13:11:29 CET
Last Seen                     Fri 10 Feb 2012 12:24:16 CET
Local ID                      20eac769-a695-49a0-b7d3-73b6c129914d

Raw Audit Messages
type=AVC msg=audit(1328873056.482:82): avc:  denied  { execute_no_trans } for  pid=2120 comm="brlpdwrapperdcp" path="/opt/brother/Printers/dcp195c/lpd/filterdcp195c" dev=dm-1 ino=393940 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

type=SYSCALL msg=audit(1328873056.482:82): arch=i386 syscall=execve success=no exit=EACCES a0=9148370 a1=91481e8 a2=9144438 a3=9144438 items=0 ppid=2103 pid=2120 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=brlpdwrapperdcp exe=/bin/bash subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: brlpdwrapperdcp,cupsd_t,usr_t,file,execute_no_trans

audit2allow

#============= cupsd_t ==============
allow cupsd_t usr_t:file execute_no_trans;

audit2allow -R

#============= cupsd_t ==============
allow cupsd_t usr_t:file execute_no_trans;

Comment 1 fabio congiu 2012-02-11 13:43:41 UTC
Created attachment 561090
File: troubleshoot.txt

Comment 2 Miroslav Grepl 2012-02-13 10:13:16 UTC
You need to change the labeling for this file.

Either

$ chcon -t bin_t /opt/brother/Printers/dcp195c/lpd/filterdcp195c

or use semanage to make this permanent:

$ semanage fcontext -a -t bin_t '/opt/brother/Printers/dcp195c/lpd/filterdcp195c'
$ restorecon -R -v '/opt/brother/Printers/dcp195c/lpd/filterdcp195c'

Comment 3 Andrew Schultz 2012-03-21 18:31:55 UTC
How is this NOTABUG if bug 660016 was a bug?  It seems this is broken now in part simply because Brother moved things around in their new packages.

I was able to add similar rules to get their new drivers working:

$ semanage fcontext -a -t bin_t "/opt/brother(/.*)?"
$ semanage fcontext -a -t cupsd_rw_etc_t "/opt/brother/(.*/)?inf(/.*)?"
$ semanage fcontext -a -t bin_t -f -- "/opt/brother/(.*/)?inf/setup.*"
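
The script below is an added example, not code from the bug report or from the selinux-policy project. It makes two points from comments 2 and 3 concrete. First, the triage choice: the `allow cupsd_t usr_t:file execute_no_trans;` rule that audit2allow prints at the end of the description would let anything running as cupsd_t execute every usr_t file, and usr_t is the default label for /usr and /opt in the targeted policy, whereas relabeling the one filter to bin_t (comment 2) grants only what the driver needs. The script parses the raw AVC line from the report with sed and emits the relabel command for execute denials on generically labeled files, and the allow rule (flagged for review) for everything else. Second, how the regex rules from comment 3 resolve a path: libselinux anchors each file-context regex as ^...$ and, when several rules match, the last one wins, which is why the order of those three semanage commands matters. The rule list and the sample paths under inf/ are constructed for the example; the `-f --` (regular files only) restriction on the third rule is not modeled.

```shell
#!/bin/sh
# Added example, not from the bug report or the selinux-policy project.
# 1) parse the AVC line quoted in the report and print the narrowest fix;
# 2) resolve paths against file_contexts-style rules like those in comment 3.

# The AVC line exactly as quoted in the report (embedded so this runs offline).
AVC_LINE='type=AVC msg=audit(1328873056.482:82): avc:  denied  { execute_no_trans } for  pid=2120 comm="brlpdwrapperdcp" path="/opt/brother/Printers/dcp195c/lpd/filterdcp195c" dev=dm-1 ino=393940 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file'

# avc_field LINE KEY: value of "KEY=value" (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: the permission named inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p'
}

# se_type CONTEXT: the type field (user:role:TYPE:range) of a context.
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage LINE: for an execute denial on a file carrying a generic label
# (usr_t is the default for /usr and /opt, var_t for /var, default_t for
# unknown paths) the file is mislabeled, so print the relabel command.
# Otherwise print the allow rule audit2allow would emit, marked for review.
avc_triage() {
    perm=$(avc_perm "$1")
    src=$(se_type "$(avc_field "$1" scontext)")
    tgt=$(se_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    path=$(avc_field "$1" path)
    case "$perm:$cls:$tgt" in
        execute*:file:usr_t|execute*:file:var_t|execute*:file:default_t)
            printf 'relabel: semanage fcontext -a -t bin_t %s; restorecon -v %s\n' "$path" "$path" ;;
        *)
            printf 'review: allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perm" ;;
    esac
}

# Constructed rule list ("regex type" per line) in the order comment 3 added
# them. libselinux anchors each regex as ^...$ and the LAST matching rule
# wins, so the later, more specific rules override the broad first one.
# (The "-f --" regular-file restriction on the third rule is not modeled.)
FC_RULES='/opt/brother(/.*)? bin_t
/opt/brother/(.*/)?inf(/.*)? cupsd_rw_etc_t
/opt/brother/(.*/)?inf/setup.* bin_t'

# fc_lookup PATH: type the rule list assigns to PATH, or usr_t (the default
# for /opt in the targeted policy) when no rule matches.
fc_lookup() {
    result=usr_t
    while IFS=' ' read -r regex type; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$1" | grep -Eq '^('"$regex"')$'; then
            result=$type
        fi
    done <<EOF
$FC_RULES
EOF
    printf '%s\n' "$result"
}

# Stand-alone run: triage the real denial, then resolve three paths
# (the two under inf/ are constructed sample paths).
avc_triage "$AVC_LINE"
fc_lookup /opt/brother/Printers/dcp195c/lpd/filterdcp195c
fc_lookup /opt/brother/Printers/dcp195c/inf/sample.rc
fc_lookup /opt/brother/Printers/dcp195c/inf/setupSample
```

Run it as `sh triage.sh`; the first line printed is the relabel command for the reporter's filter, and the three lookups come back bin_t, cupsd_rw_etc_t and bin_t, showing the override order. To check the same thing on a live system use `matchpathcon` (or `selabel_lookup`) against the path after the semanage commands, and `semanage fcontext -l -C` to see the local rules in the order they will be evaluated.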