Bug 1246898 - selinux avcs using brother printer drivers
Summary: selinux avcs using brother printer drivers
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1248755
Depends On:
Blocks:
 
Reported: 2015-07-26 18:34 UTC by Brian J. Murrell
Modified: 2015-08-27 17:23 UTC
CC List: 9 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-08-27 17:23:17 UTC
Type: Bug
Embargoed:



Description Brian J. Murrell 2015-07-26 18:34:19 UTC
Description of problem:
When using the Brother printer drivers from http://support.brother.com/g/s/id/linux/en/index.html?c=us_ot&lang=en&comple=on&redirect=on I get a lot of selinux avcs

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-128.6.fc22.noarch

How reproducible:
100%

Steps to Reproduce:
1. Install Brother printer
2. Install Brother printer drivers
3. Try to print with selinux enforcing

Actual results:
selinux avcs and segfaults in the brother drivers

Expected results:
should print

Additional info:
If I set selinux to permissive mode, printing works. See below for AVCs.

type=AVC msg=audit(1437851765.545:18393): avc:  denied  { execmem } for  pid=19171 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437851765.715:18395): avc:  denied  { execmem } for  pid=19203 comm="rawtobr2" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437851860.512:18399): avc:  denied  { execmem } for  pid=19379 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437851860.539:18401): avc:  denied  { execmem } for  pid=19409 comm="rawtobr2" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437851984.656:18405): avc:  denied  { execmem } for  pid=19643 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437851984.678:18407): avc:  denied  { execmem } for  pid=19675 comm="rawtobr2" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437929383.972:19992): avc:  denied  { execmem } for  pid=3104 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437929384.103:19994): avc:  denied  { execmem } for  pid=3135 comm="rawtobr2" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437931454.948:20218): avc:  denied  { execmem } for  pid=16747 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437931454.976:20220): avc:  denied  { execmem } for  pid=16777 comm="rawtobr2" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437931897.701:20343): avc:  denied  { execmem } for  pid=20612 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437931897.730:20345): avc:  denied  { execmem } for  pid=20642 comm="rawtobr2" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437933396.859:20403): avc:  denied  { execmem } for  pid=32497 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437933396.888:20405): avc:  denied  { execmem } for  pid=32528 comm="rawtobr2" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437933647.533:20422): avc:  denied  { execmem } for  pid=2641 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437933647.631:20424): avc:  denied  { execmem } for  pid=2679 comm="rawtobr2" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437933745.539:20449): avc:  denied  { execmem } for  pid=3564 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437933891.107:20464): avc:  denied  { execmem } for  pid=4828 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437934228.569:20571): avc:  denied  { execmem } for  pid=8141 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1437934228.570:20572): avc:  denied  { execute } for  pid=8141 comm="brcupsconfig3" path="/etc/ld.so.cache" dev="dm-2" ino=65830 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1437934299.775:20582): avc:  denied  { execmem } for  pid=8822 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1437934299.776:20583): avc:  denied  { execute } for  pid=8822 comm="brcupsconfig3" path="/etc/ld.so.cache" dev="dm-2" ino=65830 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1437934681.175:20604): avc:  denied  { execmem } for  pid=12030 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1437934681.177:20605): avc:  denied  { execute } for  pid=12030 comm="brcupsconfig3" path="/etc/ld.so.cache" dev="dm-2" ino=65830 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1437934852.506:20623): avc:  denied  { execmem } for  pid=14050 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1437934852.507:20624): avc:  denied  { execute } for  pid=14050 comm="brcupsconfig3" path="/etc/ld.so.cache" dev="dm-2" ino=65830 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1437934902.947:20625): avc:  denied  { execmem } for  pid=14589 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=1
type=AVC msg=audit(1437934902.949:20626): avc:  denied  { execute } for  pid=14589 comm="brcupsconfig3" path="/etc/ld.so.cache" dev="dm-2" ino=65830 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1437935022.740:20628): avc:  denied  { execmem } for  pid=15588 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=1

Comment 1 Kai Engert (:kaie) (inactive account) 2015-08-21 16:21:55 UTC
*** Bug 1248755 has been marked as a duplicate of this bug. ***

Comment 2 Kai Engert (:kaie) (inactive account) 2015-08-21 16:24:36 UTC
I'm affected by this, too.
Running the suggested command to allow execmem made printing work for me.

Below is the report from my system:



SELinux is preventing brcupsconfpt1 from using the execmem access on a process.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow cups to execmem
Then you must tell SELinux about this by enabling the 'cups_execmem' boolean.
You can read 'None' man page for more details.
Do
setsebool -P cups_execmem 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that brcupsconfpt1 should be allowed execmem access on processes labeled cupsd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep brcupsconfpt1 /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Objects                Unknown [ process ]
Source                        brcupsconfpt1
Source Path                   brcupsconfpt1
Port                          <Unknown>
Host                          localhost
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.8.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost 4.1.4-200.fc22.x86_64+debug #1 SMP
                              Tue Aug 4 02:57:14 UTC 2015 x86_64 x86_64
Alert Count                   8
First Seen                    2015-08-19 20:32:47 CEST
Last Seen                     2015-08-19 20:38:04 CEST

Raw Audit Messages
type=AVC msg=audit(1440009484.534:894): avc:  denied  { execmem } for  pid=23163 comm="brmfcj6710dwfil" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0


Hash: brcupsconfpt1,cupsd_t,cupsd_t,process,execmem

Comment 3 Kai Engert (:kaie) (inactive account) 2015-08-21 16:51:48 UTC
Hi mgrepl - do you think the required fix could be applied to the default policy we ship, or is that a bad idea?

Comment 4 BZ 2015-08-23 01:31:44 UTC
This problem appeared in Fedora 21 with the selinux-policy-3.13.1-105.20 update on 20 August (my time). Unless multiple people have had their drivers hacked, it seems like the new policy must either be disallowing something that was previously allowed OR there was no policy related to the Brother drivers until now. It would be useful to know which. It's also not clear why the driver needs to create executable memory regions. I imagine code that really NEEDS execmem or execstack is pretty rare...

Comment 5 Rob Riggs 2015-08-27 02:04:57 UTC
Please fix.  Had to downgrade and exclude selinux-policy until fixed.  Not good.

Comment 6 Miroslav Grepl 2015-08-27 17:23:17 UTC
There is a boolean for this.

setsebool -P cups_execmem 1

which will allow it. We don't want to allow execmem by default.
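Added example (not from the bug report or the selinux-policy project): a small Python triage script that parses AVC records like the ones quoted in the description, groups the denials, and shows that the execmem denials in cupsd_t map to the cups_execmem boolean from Comment 6 while the execute denial on ld_so_cache_t has no boolean and needs review first. The KNOWN_BOOLEANS table, the function names and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from the AVCs quoted in this report.
SAMPLE_AVCS = """\
type=AVC msg=audit(1437851765.545:18393): avc:  denied  { execmem } for  pid=19171 comm="brcupsconfig3" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437851765.715:18395): avc:  denied  { execmem } for  pid=19203 comm="rawtobr2" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process permissive=0
type=AVC msg=audit(1437934228.570:20572): avc:  denied  { execute } for  pid=8141 comm="brcupsconfig3" path="/etc/ld.so.cache" dev="dm-2" ino=65830 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1
"""

# Fields of an AVC record, in the order audit.log prints them.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
    r'.*?permissive=(?P<permissive>[01])')

# (source domain, target class, permission) -> boolean that allows it.
# Only the pair from this report is filled in; extend it from `semanage boolean -l`.
KNOWN_BOOLEANS = {("cupsd_t", "process", "execmem"): "cups_execmem"}

def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()           # "{ read write }" -> ["read", "write"]
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:TYPE:range -> TYPE
    rec["ttype"] = rec["tcontext"].split(":")[2]
    rec["enforced"] = rec["permissive"] == "0"    # permissive=0: the access was blocked
    return rec

def triage(audit_text):
    """Group denials by (comm, source type, class, permission) and attach the fix."""
    groups = defaultdict(lambda: {"count": 0, "enforced": 0, "boolean": None, "fix": None})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            g = groups[(rec["comm"], rec["stype"], rec["tclass"], perm)]
            g["count"] += 1
            g["enforced"] += int(rec["enforced"])   # how many were hit in enforcing mode
            g["boolean"] = KNOWN_BOOLEANS.get((rec["stype"], rec["tclass"], perm))
            g["fix"] = (f"setsebool -P {g['boolean']} 1" if g["boolean"]
                        else "no boolean known: review with audit2allow before allowing")
    return dict(groups)
```

Feeding it the contents of /var/log/audit/audit.log instead of the sample gives the same grouping for a live system.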

