Description of problem:
I was using either Brother Printer hll2360 or hl3170 when the error appeared.
SELinux is preventing brcupsconfpt1 from 'execute' accesses on the file /etc/ld.so.cache.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that brcupsconfpt1 should be allowed execute access on the ld.so.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'brcupsconfpt1' --raw | audit2allow -M my-brcupsconfpt1
# semodule -X 300 -i my-brcupsconfpt1.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:ld_so_cache_t:s0
Target Objects                /etc/ld.so.cache [ file ]
Source                        brcupsconfpt1
Source Path                   brcupsconfpt1
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           glibc-2.25-7.fc26.x86_64 glibc-2.25-7.fc26.i686
Policy RPM                    selinux-policy-3.13.1-260.1.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.11.11-300.fc26.x86_64 #1 SMP Mon Jul 17 16:32:11 UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-07-29 09:15:07 AEST
Last Seen                     2017-07-29 09:22:27 AEST
Local ID                      0d5f1099-5e5a-4d92-b949-d61aa8ceeebc

Raw Audit Messages
type=AVC msg=audit(1501284147.393:288): avc:  denied  { execute } for  pid=4644 comm="brcupsconfpt1" path="/etc/ld.so.cache" dev="sda4" ino=656471 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1

Hash: brcupsconfpt1,cupsd_t,ld_so_cache_t,file,execute

Version-Release number of selected component:
selinux-policy-3.13.1-260.1.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.11-300.fc26.x86_64
type:           libreport

Potential duplicate: bug 1415414
Description of problem:
Cannot print to a printer configured on the network through a small print server. The print manager tells me the printer is "stopped", but in the printer properties the "enabled" box is ticked. Note that this printer has worked this way for many years, and that it is possible to print to it from another PC (a laptop) on which the same version of Fedora is installed (Fedora 26, 64-bit), but where SELinux is disabled.

Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.8-300.fc26.x86_64
type:           libreport
Only Brother can fix this, and the Brother-recommended fix is to disable SELinux. The program brcupsconfpt1 is missing the STACK segment, and you therefore cannot mark it with a read-only stack using the execstack utility. The source for brcupsconfpt1 is not available.
Description of problem:
I tried to print with a Brother MFC-J6520DW printer, using its driver from the manufacturer. The print succeeded but I got this SELinux error.

Version-Release number of selected component:
selinux-policy-3.13.1-260.8.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.13.0-0.rc7.git4.2.local.fc28.x86_64
type:           libreport
Description of problem:
After installing a Brother printer, following the instructions on their website for Linux drivers, I couldn't print and got a SELinux notification (which I reported previously).
After dealing with that notification, I followed the instructions (which didn't explain I needed to open a terminal) to run "setsebool -P cups_execmem 1" (which didn't actually work: "Cannot set persistent booleans, please try as root").
Fortunately, I'm experienced enough to know I just had to prefix that command with "sudo", but many people would have given up at that point and looked for ways to disable SELinux.

So I managed to run that and now I can print a document, but I got a new SELinux notification anyway asking to report another bug, so I'm doing it now. I hope this helps.

Version-Release number of selected component:
selinux-policy-3.13.1-260.8.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.9-300.fc26.x86_64
type:           libreport
(In reply to António from comment #4)
> Description of problem:
> After installing Brother printer, following instructions in their website
> for linux drivers, I couldn't print and got a SELinux notification (which I
> reported previously).
> After dealing with that notification, I followed the instructions (which
> didn't explain I needed to open a terminal) to run "setsebool -P
> cups_execmem 1" (which didn't actually work: "Cannot set persistent
> booleans, please try as root").
> Fortunately, I'm experienced enough to know I just had to prefix that
> command with "sudo", but many people would have given up at that point and
> looked for ways to disable SELinux.
> 
> So I managed to run that and now I can print a document, but I got a new
> SELinux notification anyway asking to report another bug, so, I'm doing it
> now. I hope this helps.
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-260.8.fc26.noarch
> 
> Additional info:
> reporter: libreport-2.9.1
> hashmarkername: setroubleshoot
> kernel: 4.12.9-300.fc26.x86_64
> type: libreport

You will get two selinux issues, neither of them fatal to the program. The first is execute denied for ld_so_cache_t and the other is execute denied for locale_t.

You can allow both using the procedure suggested by the selinux troubleshooter. The resulting .te file would then become:

module my-brcupsconfpt1 1.0;

require {
	type locale_t;
	type cupsd_t;
	type ld_so_cache_t;
	class file execute;
}

#============= cupsd_t ==============
allow cupsd_t ld_so_cache_t:file execute;
allow cupsd_t locale_t:file execute;

The failing instruction is actually mmap of ld_so_cache_t for read-only. Recompiling the Brother programs would have solved the problem properly, if we had the source code available.
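The procedure in the comment above (raw AVC records from ausearch, through audit2allow, into a .te module) is a small amount of parsing, and it helps to be able to do it on a machine without SELinux userland so the rules can be reviewed before semodule -i is run on the printer host. The following is an added example, not code from the bug report, from Brother, or from the audit2allow tool: it parses raw AVC denial lines into (source type, target type, class) and the permissions denied, renders the same .te text shown in the comment, and flags any rule that would grant execmem, execstack, execheap or execmod, the class of permission the thread warns about. The first sample record is the one from the report above; the second is constructed to mirror the locale_t denial described in this comment, and its path, inode and timestamp are invented.

```python
"""Turn raw AVC denials into an allow-rule module, audit2allow style.

Added example for this thread; not code from the bug report, from Brother,
or from the audit2allow tool. Needs no SELinux userland, so the generated
rules can be reviewed anywhere before `semodule -i` is run.
"""
import re
import sys
from collections import defaultdict

# One AVC record: permissions in braces, then the source/target contexts
# and the object class; ausearch --raw keeps each record on one line.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Permissions that switch off memory-protection checks for the domain; a
# generated rule containing one of these deserves the same scrutiny as the
# "setsebool -P cups_execmem 1" workaround discussed in this thread.
MEMORY_PROTECTION_PERMS = {'execmem', 'execstack', 'execheap', 'execmod'}

# Constructed sample: record 1 is the one from the report above; record 2
# mirrors the locale_t denial described in this comment (path, inode and
# timestamp invented); the SYSCALL record shows non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1501284147.393:288): avc:  denied  { execute } for  pid=4644 comm="brcupsconfpt1" path="/etc/ld.so.cache" dev="sda4" ino=656471 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1
type=AVC msg=audit(1501284150.117:291): avc:  denied  { execute } for  pid=4644 comm="brcupsconfpt1" path="/usr/lib/locale/locale-archive" dev="sda4" ino=131077 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1501284147.393:288): arch=c000003e syscall=9 success=yes exit=0 comm="brcupsconfpt1"
"""


def type_of(context):
    """user:role:type[:range] -> type (third colon-separated field)."""
    return context.split(':')[2]


def parse_avc(text):
    """Map (source type, target type, class) to the set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue                      # SYSCALL, PATH, CWD ... carry no denial
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return rules


def fmt_perms(perms):
    """Single permission bare, several in braces, as policy syntax requires."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'


def to_te(rules, name='my-brcupsconfpt1', version='1.0'):
    """Render policy source in the layout audit2allow -M produces."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = [f'module {name} {version};', '', 'require {']
    out += [f'\ttype {t};' for t in sorted(types)]
    out += [f'\tclass {c} {fmt_perms(p)};' for c, p in sorted(classes.items())]
    out += ['}', '']
    for stype in sorted({k[0] for k in rules}):
        out.append(f'#============= {stype} ==============')
        out += [f'allow {s} {t}:{c} {fmt_perms(p)};'
                for (s, t, c), p in sorted(rules.items()) if s == stype]
    return '\n'.join(out) + '\n'


def risky_rules(rules):
    """Rules that would grant a memory-protection bypass; review before loading."""
    return {k: v & MEMORY_PROTECTION_PERMS
            for k, v in rules.items() if v & MEMORY_PROTECTION_PERMS}


if __name__ == '__main__':
    # python3 avc2te.py denials.log   (file from `ausearch -c brcupsconfpt1 --raw`)
    # With no argument the constructed sample above is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT
    found = parse_avc(text)
    print(to_te(found), end='')
    for (s, t, c), perms in risky_rules(found).items():
        print(f'# WARNING: {s} -> {t}:{c} {fmt_perms(perms)} relaxes memory protection',
              file=sys.stderr)
```

Run on the sample it prints exactly the two-rule module shown in the comment; run on real ausearch output, anything that would add execmem or execstack to cupsd_t is reported on stderr so it is not loaded by reflex.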
(In reply to Villy Kruse from comment #5)
> You can allow both using the procedure suggested by selinux troubleshooter.

The troubleshooter didn't actually suggest any procedure to allow it this time. Only the option to report a bug was available. I hope it gives me the required terminal command next time.

> The failing instruction is actually mmap of ld_so_cache_t for read-only.
> Recompiling the Brother programs would have solved the problem properly, if
> we had the source code available.

Thanks for the detailed explanation. However, I'm sorry, I don't have the expertise to understand the whole of it.

From what I understand this is a bug in Brother's proprietary software. However, is it a security bug?

If not, is there anything SELinux can do to avoid annoying other users about this? I don't want other people to be driven into instructions to disable SELinux just because they must use a Brother printer.
(In reply to António from comment #6)
> (In reply to Villy Kruse from comment #5)
> > You can allow both using the procedure suggested by selinux troubleshooter.
> 
> The troubleshooter didn't actually suggest any procedure to allow it this
> time. Only the option to report a bug was available. I hope it gives me the
> required terminal command next time.

I would expect you would get these from the troubleshooter.

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'newprog' --raw | audit2allow -M my-newprog
# semodule -X 300 -i my-newprog.pp

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp

The last one comes from the shell which is started from the Brother program.

> > The failing instruction is actually mmap of ld_so_cache_t for read-only.
> > Recompiling the Brother programs would have solved the problem properly, if
> > we had the source code available.
> 
> Thanks for the detailed explanation. However, I'm sorry, I don't have the
> expertise to understand the whole of it.
> 
> From what I understand this is a bug in Brother's proprietary software.
> However, is it a security bug?
> 
> If not, is there anything SELinux can do to avoid annoying other users about
> this? I don't want other people to be driven into instructions to disable
> SELinux just because they must use a Brother printer.

"setsebool -P cups_execmem 1" is where you weaken the security. Allowing execution of ld_so_cache_t would not make it even more insecure. The cups_execmem setting disables the protection against certain buffer overrun attacks for programs running in a cups context.

I did some experiments. If I compile a very simple program using RH6.2 (not the RH Enterprise but the original from about year 2000) and run this in a cups context, the selinux issue is triggered. If I compile the same simple program on a Fedora system, the selinux issue is not triggered. The difference is the "execstack" settings of the ELF program file.
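The "execstack" setting the comment above refers to lives in the ELF program headers: a PT_GNU_STACK entry records whether the stack needs PF_X, and a binary built by a toolchain that predates the header has no entry at all, which is the "missing STACK segment" case mentioned earlier in this thread. The following is an added example, not code from the bug report, from Brother, or from the execstack utility: it reads the program headers with the standard library only and classifies a binary as missing, executable or non-executable, so a driver binary can be checked on a host where execstack is not installed. The three sample images are header-only ELF files constructed inline for the test, not real driver binaries; the path given on the command line is whichever file you want to inspect.

```python
"""Classify an ELF binary's stack requirement from its program headers.

Added example for this thread; not code from the bug report, from Brother,
or from the execstack utility. Standard library only.
"""
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551          # GNU extension carrying the stack's PF_* flags
PF_X, PF_W, PF_R = 1, 2, 4
ELFCLASS32, ELFCLASS64 = 1, 2


def program_headers(data):
    """Yield (p_type, p_flags) for each program header of an ELF image."""
    if data[:4] != b'\x7fELF':
        raise ValueError('not an ELF file')
    elfclass, endian = data[4], data[5]
    bo = '<' if endian == 1 else '>'
    if elfclass == ELFCLASS64:
        (phoff,) = struct.unpack_from(bo + 'Q', data, 32)        # e_phoff
        phentsize, phnum = struct.unpack_from(bo + 'HH', data, 54)
        flags_at = 4                  # Elf64_Phdr: p_type, p_flags, p_offset ...
    elif elfclass == ELFCLASS32:
        (phoff,) = struct.unpack_from(bo + 'I', data, 28)        # e_phoff
        phentsize, phnum = struct.unpack_from(bo + 'HH', data, 42)
        flags_at = 24                 # Elf32_Phdr: p_flags follows p_memsz
    else:
        raise ValueError('unknown ELF class %d' % elfclass)
    for i in range(phnum):
        off = phoff + i * phentsize
        (p_type,) = struct.unpack_from(bo + 'I', data, off)
        (p_flags,) = struct.unpack_from(bo + 'I', data, off + flags_at)
        yield p_type, p_flags


def stack_policy(data):
    """Return 'missing', 'executable' or 'non-executable'.

    missing:        no PT_GNU_STACK at all (toolchains older than the header);
                    the kernel applies its default, historically an executable
                    stack on x86, and there is no header for execstack -c to edit
    executable:     PT_GNU_STACK carries PF_X (what execstack -s sets)
    non-executable: PT_GNU_STACK without PF_X (what execstack -c sets)
    """
    for p_type, p_flags in program_headers(data):
        if p_type == PT_GNU_STACK:
            return 'executable' if p_flags & PF_X else 'non-executable'
    return 'missing'


def make_elf(phdrs, elfclass=ELFCLASS64):
    """Constructed test input: a header-only little-endian ELF image, not a real binary."""
    ident = b'\x7fELF' + bytes([elfclass, 1, 1]) + b'\0' * 9
    if elfclass == ELFCLASS64:        # ET_EXEC, EM_X86_64, phdrs right after the ehdr
        ehdr = struct.pack('<16sHHIQQQIHHHHHH', ident, 2, 62, 1, 0, 64, 0, 0,
                           64, 56, len(phdrs), 0, 0, 0)
        body = b''.join(struct.pack('<IIQQQQQQ', t, f, 0, 0, 0, 0, 0, 16) for t, f in phdrs)
    else:                             # ET_EXEC, EM_386
        ehdr = struct.pack('<16sHHIIIIIHHHHHH', ident, 2, 3, 1, 0, 52, 0, 0,
                           52, 32, len(phdrs), 0, 0, 0)
        body = b''.join(struct.pack('<IIIIIIII', t, 0, 0, 0, 0, 0, f, 16) for t, f in phdrs)
    return ehdr + body


SAMPLES = {
    'old-toolchain': make_elf([(PT_LOAD, PF_R | PF_X)]),
    'execstack-s':   make_elf([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)]),
    'execstack-c':   make_elf([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)]),
    'i686-nx':       make_elf([(PT_GNU_STACK, PF_R | PF_W)], elfclass=ELFCLASS32),
}


def audit(path):
    """Classify a file on disk."""
    with open(path, 'rb') as f:
        return stack_policy(f.read())


if __name__ == '__main__':
    # python3 stackcheck.py /path/to/binary ...   (no argument: classify the samples)
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            print(f'{path}: {audit(path)}')
    else:
        for name, image in SAMPLES.items():
            print(f'{name}: {stack_policy(image)}')
```

A result of missing is the case the thread describes: there is no header for execstack -c to flip, so the only fixes are a rebuild by the vendor or a policy change, and for such a binary the SELinux execstack/execmem denials are expected rather than a policy bug.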
Description of problem:
Printer HL-3170CDW caused the error. Normally I use setenforce 0 before I print with Brother printers.

Version-Release number of selected component:
selinux-policy-3.13.1-260.9.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.13-300.fc26.x86_64
type:           libreport
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.