This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1298726 - third-party (Brother) drivers blocked by SELinux [NEEDINFO]
third-party (Brother) drivers blocked by SELinux
Status: NEW
Product: Fedora
Classification: Fedora
Component: cups (Show other bugs)
25
x86_64 Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Zdenek Dohnal
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-14 15:18 EST by Jehan
Modified: 2017-07-25 16:02 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
bmason: needinfo? (bjmason)


Attachments (Terms of Use)
Troubleshoot logs from one of my many tests. (35.03 KB, text/plain)
2016-01-14 15:18 EST, Jehan
no flags Details
SELinux alert: brcupsconfpt1 tries to execute /etc/ld.so.cache (63.79 KB, image/png)
2016-02-12 10:05 EST, Jehan
no flags Details
Text when clicking on "Details" button in SELinux dialog. (2.06 KB, text/plain)
2016-02-12 10:07 EST, Jehan
no flags Details
SELinux alert: brprintconf_mc tries to execute /etc/ld.so.cache (62.08 KB, image/png)
2016-02-19 10:35 EST, Jehan
no flags Details
Contents of "Details" with the second alert. (1.89 KB, text/plain)
2016-02-19 10:37 EST, Jehan
no flags Details

  None (edit)
Description Jehan 2016-01-14 15:18:54 EST
Created attachment 1114946 [details]
Troubleshoot logs from one of my many tests.

Description of problem:

I cannot print with my brand new Brother MFC-J6920DW on Fedora 23 (from 2 computers both under Fedora 23) as a network printer (I have not tried USB and don't intend to. I am only interested into it working as a network printer shared for all machine on my locale network).

I tried with bare Fedora, and also installed the drivers from Brother: http://support.brother.com/g/b/downloadlist.aspx?c=fr&lang=fr&prod=mfcj6920dw_us_eu_as&os=127&flang=English

The rpm driver installation went all fine (i.e. no error displayed), but it just won't print anything (neither the test print, nor any random file I could try). No error would be ever displayed. If I try the "Print Test Page" button for instance, I get a "Processing" and "Jobs 1 active" for maybe half a second, then it goes back to "Read" and "0 active" as if all went fine.

`journalctl -u cups -e --boot` shows no visible error:

-----------------------------------
Jan 14 21:06:16 darkmarmot cupsd[2333]: [Job ???] Request file type is application/vnd.cups-pdf-banner.
Jan 14 21:06:16 darkmarmot cupsd[2333]: Adding start banner page "none".
Jan 14 21:06:16 darkmarmot cupsd[2333]: Adding end banner page "none".
Jan 14 21:06:16 darkmarmot cupsd[2333]: File of type application/vnd.cups-pdf-banner queued by "jehan".
Jan 14 21:06:16 darkmarmot cupsd[2333]: Queued on "MFC-J6920DW" by "jehan".
Jan 14 21:06:16 darkmarmot systemd[1]: Started CUPS Scheduler.
Jan 14 21:06:16 darkmarmot cupsd[2333]: Started filter /usr/lib/cups/filter/bannertopdf (PID 5456)
Jan 14 21:06:16 darkmarmot cupsd[2333]: Started filter /usr/lib/cups/filter/pdftopdf (PID 5457)
Jan 14 21:06:16 darkmarmot cupsd[2333]: Started filter /usr/lib/cups/filter/pdftops (PID 5458)
Jan 14 21:06:16 darkmarmot cupsd[2333]: Started filter /usr/lib/cups/filter/brother_lpdwrapper_mfcj6920dw (PID 5459)
Jan 14 21:06:16 darkmarmot cupsd[2333]: Started backend /usr/lib/cups/backend/dnssd (PID 5460)
Jan 14 21:06:16 darkmarmot cupsd[2333]: REQUEST localhost - - "POST /printers/MFC-J6920DW HTTP/1.1" 200 413 Print-Job successful-ok
Jan 14 21:06:17 darkmarmot cupsd[2333]: REQUEST localhost - - "POST / HTTP/1.1" 200 4732020 CUPS-Get-PPDs -
Jan 14 21:06:17 darkmarmot cupsd[2333]: Job completed.
-------------------------------------

I also tried the Help > Troubleshoot from system-config-printer which did not help much except from the logs (attached), which showed up this error:

>                                     'missing     /var/spool/cups/tmp '
>                                    '(Permission denied)'],

Not sure, but could it be the problem?
Checking the directory, it does exist:

> # ls /var/spool/cups/tmp -ltr
> total 0
> -rw-------. 1 lp lp 0 Jan 14 20:59 cups-dbus-notifier-lockfile
> [root@darkmarmot Devis]# ls /var/spool/cups/tmp -ltrd
> drwxrwx--T. 2 root lp 4096 Jan 14 21:07 /var/spool/cups/tmp

For information, I also tried in a live Fedora, and it did not work either. I tried on a live Ubuntu though, and it worked fine.
Also the network scanner works fine on both Ubuntu and Fedora. Only the printer is a problem here.
I would appreciate a fix, and a workaround as well for the time being. I even tried something as dirty as `chmod o+rwx` on this directory, but this change seems to be overridden immediately at the next print attempt.
Comment 1 Jehan 2016-02-12 10:05 EST
Created attachment 1123533 [details]
SELinux alert: brcupsconfpt1 tries to execute /etc/ld.so.cache

Ok. After weeks, I finally understood what was the problem. The print jobs were blocked by SELinux. I understood this after noticing an alert icon appearing in the bottom left bar (GNOME 3).

Following indications in details, I fixed by running:

> sudo setsebool -P cups_execmem 1

Following indications of SELinux which says "If you believe that brcupsconfpt1 should be allowed execmem access on processes labeled cupsd_t by default." I leave the bug report opened though because this is not user-friendly, especially when you buy a printer with linux drivers!
I have installed official Brother drivers, which has explicit support of Linux. This is rare and cool enough in printer makers for Linux distributions to not block these, right?

So I know these RPM are not made by the Fedora community, hence they are not in the official package repository. But it would be great if they were, and if not, could we "plan" for the possibility of these being installed by the user, and having SELinux not blocking its normal functioning?

Also I will note that the CUPSWrapper printer drivers is GPLv2.
All other drivers (LPR printer, scanner, scan-key tool, fax…) use some kind of "AS IS" license. I can't see if it corresponds to any known Free license (I don't know them all by heart) but it seems to be pretty much some kind of Free license anyway. Extract from it:

>  Brother grants User a non-exclusive license: to reproduce and/or distribute (via Internet or in any other manner) the Software. Further, Brother grants User a non-exclusive license to modify, alter, translate or otherwise prepare derivative works of the Software and to reproduce and distribute (via Internet or in any other manner) such modification, alteration, translation or other derivative works for any purpose. 

Disclaimer: I'm not a lawyer. I propose you have a look at any of the official Brother RPMs. Just before every download, the license is displayed.

In any case, it looks to me like we could have these redistributed in the Fedora package repository. No?
Comment 2 Jehan 2016-02-12 10:07 EST
Created attachment 1123534 [details]
Text when clicking on "Details" button in SELinux dialog.

Attached the text from SELinux when clicking "Details" button after receiving the alert. In case it is useful.
Comment 3 Jehan 2016-02-19 10:35 EST
Created attachment 1128570 [details]
SELinux alert: brprintconf_mc tries to execute /etc/ld.so.cache

Additional info: even though now, I can print, I noticed that SELinux outputted another alert when trying to print, this time on brprintconf_mc, which also tried to execute /etc/ld.so.cache.

It did not prevent printing, but maybe it blocks some of my printer feature which I would discover later along the road?
Anyway I leave here the info for you to evaluate what brprintconf_mc does.
Thanks!
Comment 4 Jehan 2016-02-19 10:37 EST
Created attachment 1128571 [details]
Contents of "Details" with the second alert.

And the contents when clicking "Details" button on this second alert.
Comment 5 Fedora Admin XMLRPC Client 2016-06-24 06:30:55 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 6 Jehan 2016-09-27 06:58:04 EDT
Note: I installed Fedora 24 and the problem still exists there.
Comment 7 Fedora End Of Life 2016-11-24 09:57:31 EST
This message is a reminder that Fedora 23 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 23. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '23'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 23 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 8 Bryan Mason 2016-12-15 11:46:06 EST
Moving to Fedora 24 based on Comment #6.
Comment 10 Fedora End Of Life 2017-07-25 15:46:50 EDT
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 11 Jehan 2017-07-25 16:02:19 EDT
Moving to Fedora 25.

Note You need to log in before you can comment on or make changes to this bug.