Description of problem:
This problem occurred while printing to a Brother HL-2270DW via the Brother-supplied drivers; the user-visible symptom of this issue is that the duplex and paper-tray settings are ignored. Note that this problem does not occur with the version of selinux-policy that ships with F20's install media.

Steps to reproduce:
* Go to http://support.brother.com/g/b/downloadlist.aspx?c=au&lang=en&prod=hl2270dw_all&os=127
* Download "LPR printer driver (rpm package)" [hl2270dwlpr-2.1.0-1.i386.rpm]
* Download "CUPSwrapper printer driver (rpm package)" [cupswrapperHL2270DW-2.0.4-2.i386.rpm]
* Install 64-bit Fedora 20 from downloaded install media
* yum -y install glibc.i686
* yum -y localinstall *2270*.rpm
* If printing via network, use CUPS' web interface to change the printer's address to dnssd://Brother%20HL-2270DW%20series._pdl-datastream._tcp.local/
* Print a 2-page PDF twice: once using single-sided, once using duplex (to show that the duplex setting works)
* yum -y update selinux-policy ; reboot
* Again print a 2-page PDF twice: once using single-sided, once using duplex

This time, both prints will be either single-sided or double-sided, ignoring your setting. Also, you will see an AVC denial message.

SELinux is preventing /usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3 from 'write' accesses on the file .

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow brprintconflsr3 to have write access on the file
Then you need to change the label on $FIX_TARGET_PATH
Do
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
where FILE_TYPE is one of the following: afs_cache_t, anon_inodefs_t, cupsd_interface_t, cupsd_lock_t, cupsd_log_t, cupsd_rw_etc_t, cupsd_tmp_t, cupsd_var_lib_t, cupsd_var_run_t, faillog_t, initrc_tmp_t, krb5_host_rcache_t, print_spool_t, puppet_tmp_t, samba_var_t, security_t, tmpfs_t, usbfs_t, user_cron_spool_t.
Then execute:
restorecon -v '$FIX_TARGET_PATH'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that brprintconflsr3 should be allowed write access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep brprintconflsr3 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:usr_t:s0
Target Objects                [ file ]
Source                        brprintconflsr3
Source Path                   /usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           hl2270dwlpr-2.1.0-1.i386
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-158.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.14.2-200.fc20.x86_64 #1 SMP Mon Apr 28 14:40:57 UTC 2014 x86_64 x86_64
Alert Count                   513
First Seen                    2014-04-25 22:15:13 WST
Last Seen                     2014-05-08 23:46:27 WST
Local ID                      48ff401a-761d-4c30-be99-80a05f2bebbf

Raw Audit Messages
type=AVC msg=audit(1399563987.141:391): avc: denied { write } for pid=2736 comm="brprintconflsr3" name="brHL2270DWrc" dev="dm-2" ino=529797 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

type=SYSCALL msg=audit(1399563987.141:391): arch=i386 syscall=fstat per=400000 success=no exit=EACCES a0=ffb3b1af a1=241 a2=1b6 a3=8735008 items=0 ppid=2725 pid=2736 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=brprintconflsr3 exe=/usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: brprintconflsr3,cupsd_t,usr_t,file,write

Additional info:
reporter: libreport-2.2.2
hashmarkername: setroubleshoot
kernel: 3.14.2-200.fc20.x86_64
type: libreport
Not sure where this file is, but I believe it is mislabeled.

restorecon -R -v /usr /opt /etc

Should change the label. Probably in a Brother directory.
Running "restorecon -R -v /usr /opt /etc" produced the following output:

restorecon reset /usr/lib64/cups context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
restorecon reset /usr/lib64/cups/filter context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
restorecon reset /usr/lib64/cups/filter/brlpdwrapperHL2270DW context unconfined_u:object_r:lib_t:s0->unconfined_u:object_r:bin_t:s0
restorecon reset /etc/pam.d/system-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/postlogin-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/password-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/smartcard-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
restorecon reset /etc/pam.d/fingerprint-auth-ac context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0

I'll report the results in a moment.
OK, it seems the SELinux log I reported in my initial big report was the first of four such messages. That one has gone away, but the other three remain. Also, I don't know if the first one disappeared because I changed SELinux from enforcing to permissive, or because I ran the restorecon command. Either way, here's what ends up in /var/log/audit/audit.log when I print:

type=AVC msg=audit(1399766839.070:1033): avc: denied { rename } for pid=18630 comm="brprintconflsr3" name="brHL2270DWrc" dev="dm-2" ino=529797 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1399766839.070:1033): arch=40000003 syscall=38 per=400000 success=yes exit=0 a0=ffd5c6af a1=ffd5c2ae a2=415bd000 a3=0 items=0 ppid=18629 pid=18630 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="brprintconflsr3" exe="/usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1399766839.070:1034): avc: denied { create } for pid=18630 comm="brprintconflsr3" name="brHL2270DWrc" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1399766839.070:1034): avc: denied { write } for pid=18630 comm="brprintconflsr3" path="/usr/local/Brother/Printer/HL2270DW/inf/brHL2270DWrc" dev="dm-2" ino=529810 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1399766839.070:1034): arch=40000003 syscall=5 per=400000 success=yes exit=7 a0=ffd5c6af a1=241 a2=1b6 a3=96d7008 items=0 ppid=18629 pid=18630 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="brprintconflsr3" exe="/usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1399766839.070:1035): avc: denied { unlink } for pid=18630 comm="brprintconflsr3" name="brHL2270DWrc.old" dev="dm-2" ino=529797 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1399766839.070:1035): arch=40000003 syscall=10 per=400000 success=yes exit=0 a0=ffd5c2ae a1=96d7000 a2=415bd000 a3=ffd5c2ae items=0 ppid=18629 pid=18630 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="brprintconflsr3" exe="/usr/local/Brother/Printer/HL2270DW/inf/brprintconflsr3" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

I'll attach the three SELinux reports in a moment.
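The audit records quoted in this report, grouped by source type, target type and object class and paired with their SYSCALL records by event id, as an added example that is not part of the original thread. The `summarize` helper and its "blocked" / "logged_only" buckets are assumptions of this sketch; the records are copied from the comments above with the SYSCALL lines truncated.

```python
import re
from collections import defaultdict

# Records copied from the report and comment above; SYSCALL records are truncated.
SAMPLE = """\
type=AVC msg=audit(1399563987.141:391): avc: denied { write } for pid=2736 comm="brprintconflsr3" name="brHL2270DWrc" dev="dm-2" ino=529797 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1399563987.141:391): arch=i386 syscall=fstat per=400000 success=no exit=EACCES
type=AVC msg=audit(1399766839.070:1033): avc: denied { rename } for pid=18630 comm="brprintconflsr3" name="brHL2270DWrc" dev="dm-2" ino=529797 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1399766839.070:1033): arch=40000003 syscall=38 per=400000 success=yes exit=0
type=AVC msg=audit(1399766839.070:1034): avc: denied { create } for pid=18630 comm="brprintconflsr3" name="brHL2270DWrc" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1399766839.070:1034): avc: denied { write } for pid=18630 comm="brprintconflsr3" path="/usr/local/Brother/Printer/HL2270DW/inf/brHL2270DWrc" dev="dm-2" ino=529810 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1399766839.070:1034): arch=40000003 syscall=5 per=400000 success=yes exit=7
type=AVC msg=audit(1399766839.070:1035): avc: denied { unlink } for pid=18630 comm="brprintconflsr3" name="brHL2270DWrc.old" dev="dm-2" ino=529797 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1399766839.070:1035): arch=40000003 syscall=10 per=400000 success=yes exit=0
"""

EVENT_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def summarize(log_text):
    """Group AVC denials by (source type, target type, class); track enforcement."""
    denials, success = [], {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "SYSCALL":
            success[event_id] = fields.get("success")
        elif rtype == "AVC" and (p := PERMS_RE.search(body)):
            # An SELinux context is user:role:type:level; the type is field 3.
            key = (fields["scontext"].split(":")[2],
                   fields["tcontext"].split(":")[2], fields["tclass"])
            denials.append((event_id, key, p.group(1).split()))
    rules = defaultdict(lambda: {"blocked": set(), "logged_only": set()})
    for event_id, key, perms in denials:
        # success=yes on the paired SYSCALL: the denial was logged but not
        # enforced. A denial with no paired SYSCALL record counts as blocked.
        bucket = "logged_only" if success.get(event_id) == "yes" else "blocked"
        rules[key][bucket].update(perms)
    return dict(rules)
```

On these records every denial falls under the single key (cupsd_t, usr_t, file), which is what one label change on the inf/ directory targets; only the first write, whose SYSCALL record shows success=no, was actually blocked.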
Created attachment 894354 SELinux troubleshooter report 1 - rename
Created attachment 894355 SELinux troubleshooter report 2 - create
Created attachment 894356 SELinux troubleshooter report 3 - unlink
Please execute for now

# chcon -R -t cupsd_rw_etc_t /usr/local/Brother/Printer/HL2270DW/inf/

commit 1398083df4ffadaa28ceafa9b8df02d16d4a5025
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 12 13:06:11 2014 +0200

    Add support for /usr/local/Brother labeling. We removed /usr/local equiv.
selinux-policy-3.12.1-163.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-163.fc20
Package selinux-policy-3.12.1-163.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-163.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6084/selinux-policy-3.12.1-163.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-163.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 901397 SELinux troubleshooter report 4 - execute
Sorry, I think I missed this: selinux is reporting an execute error (though the latest selinux-policy fixes the other issues I reported; thanks!). See attachment https://bugzilla.redhat.com/attachment.cgi?id=901397&action=edit
edd4b8cf9475d7d10e551cb886640d47f75a9c7b allows this in git.
selinux-policy-3.12.1-177.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-177.fc20
Package selinux-policy-3.12.1-177.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-177.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8390/selinux-policy-3.12.1-177.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-177.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.