This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1478602 - SELinux is preventing brcupsconfpt1 from 'execute' accesses on the file /etc/ld.so.cache.
SELinux is preventing brcupsconfpt1 from 'execute' accesses on the file /etc/...
Status: POST
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
26
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:81e21f553896b7909d45e810194...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-04 20:18 EDT by Jonathon Poppleton
Modified: 2017-09-24 21:42 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jonathon Poppleton 2017-08-04 20:18:12 EDT
Description of problem:
I was using either Brother Printer hll2360 or hl3170 when the error appeared. 
SELinux is preventing brcupsconfpt1 from 'execute' accesses on the file /etc/ld.so.cache.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that brcupsconfpt1 should be allowed execute access on the ld.so.cache file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'brcupsconfpt1' --raw | audit2allow -M my-brcupsconfpt1
# semodule -X 300 -i my-brcupsconfpt1.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:ld_so_cache_t:s0
Target Objects                /etc/ld.so.cache [ file ]
Source                        brcupsconfpt1
Source Path                   brcupsconfpt1
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           glibc-2.25-7.fc26.x86_64 glibc-2.25-7.fc26.i686
Policy RPM                    selinux-policy-3.13.1-260.1.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.11.11-300.fc26.x86_64 #1 SMP Mon
                              Jul 17 16:32:11 UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-07-29 09:15:07 AEST
Last Seen                     2017-07-29 09:22:27 AEST
Local ID                      0d5f1099-5e5a-4d92-b949-d61aa8ceeebc

Raw Audit Messages
type=AVC msg=audit(1501284147.393:288): avc:  denied  { execute } for  pid=4644 comm="brcupsconfpt1" path="/etc/ld.so.cache" dev="sda4" ino=656471 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:ld_so_cache_t:s0 tclass=file permissive=1


Hash: brcupsconfpt1,cupsd_t,ld_so_cache_t,file,execute

Version-Release number of selected component:
selinux-policy-3.13.1-260.1.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.11-300.fc26.x86_64
type:           libreport

Potential duplicate: bug 1415414
Comment 1 Oudry 2017-08-22 10:19:18 EDT
Description of problem:
Impossible d'imprimer sur une imprimante paramètrée en réseau, via un petit serveur d'impression. Le gestionnaire d'impression me signale que l'imprimante est "arrêtée", mais dans les propriétés de l'imprimante, la case à cocher "active" est bien cochée.
Je précise que cette imprimante fonctionne de cette manière depuis bien des années, et qu'il est possible d'imprimer dessus via un autre PC (portable) sur lequel la même version de fédora est installée (fédora 26_64) (mais SeLinux est désactivé)

Version-Release number of selected component:
selinux-policy-3.13.1-259.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.8-300.fc26.x86_64
type:           libreport
Comment 2 Villy Kruse 2017-08-29 07:21:42 EDT
Only Brother can fix this and the Brother recommended fix is to disable selinux.

The program brcupsconfpt1 is missing the STACK segment and you can therefore not mark it with a read-only stack using the execstack utility.

The source for brcupsconfpt1 is not available.
Comment 3 Timur Kristóf 2017-09-10 12:17:54 EDT
Description of problem:
I tried to print with a Brother MFC-J6520DW printer, using its driver from the manufacturer. The print succeeded but I got this SELinux error.

Version-Release number of selected component:
selinux-policy-3.13.1-260.8.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.13.0-0.rc7.git4.2.local.fc28.x86_64
type:           libreport
Comment 4 António 2017-09-13 12:11:25 EDT
Description of problem:
After installing Brother printer, following instructions in their website for linux drivers, I couldn't print and got a SELinux notification (which I reported previously).
After dealing with that notification, I followed the instructions (which didn't explain I needed to open a terminal) to run "setsebool -P cups_execmem 1" (which didn't actually work: "Cannot set persistent booleans, please try as root").
Fortunately, I'm experienced enough to know I just had to prefix that command with "sudo", but many people would have given up at that point and looked for ways to disable SELinux.

So I managed to run that and now I can print a document, but I got a new SELinux notification anyway asking to report another bug, so, I'm doing it now. I hope this helps.

Version-Release number of selected component:
selinux-policy-3.13.1-260.8.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.9-300.fc26.x86_64
type:           libreport
Comment 5 Villy Kruse 2017-09-13 13:22:47 EDT
(In reply to António from comment #4)
> Description of problem:
> After installing Brother printer, following instructions in their website
> for linux drivers, I couldn't print and got a SELinux notification (which I
> reported previously).
> After dealing with that notification, I followed the instructions (which
> didn't explain I needed to open a terminal) to run "setsebool -P
> cups_execmem 1" (which didn't actually work: "Cannot set persistent
> booleans, please try as root").
> Fortunately, I'm experienced enough to know I just had to prefix that
> command with "sudo", but many people would have given up at that point and
> looked for ways to disable SELinux.
> 
> So I managed to run that and now I can print a document, but I got a new
> SELinux notification anyway asking to report another bug, so, I'm doing it
> now. I hope this helps.
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-260.8.fc26.noarch
> 
> Additional info:
> reporter:       libreport-2.9.1
> hashmarkername: setroubleshoot
> kernel:         4.12.9-300.fc26.x86_64
> type:           libreport


You will get two selinux issues, neither of them fatal to the program.

The first is execute denied for ld_so_cache_t
and the other is execute denied for locale_t

You can allow both using the procedure suggested by selinux troubleshouter.

The resulting .te file would then become:


module my-brcupsconfpt1 1.0;

require {
        type locale_t;
        type cupsd_t;
        type ld_so_cache_t;
        class file execute;
}

#============= cupsd_t ==============
allow cupsd_t ld_so_cache_t:file execute;
allow cupsd_t locale_t:file execute;


The failing instruction is actually mmap of ld_so_cache_t for read-only.  Recompiling the Brother programs would have solved the problem properly, if we had the source code available.
Comment 6 António 2017-09-13 14:41:50 EDT
(In reply to Villy Kruse from comment #5)
> You can allow both using the procedure suggested by selinux troubleshouter.

The troubleshouter didn't actually suggest any procedure to allow it this time. Only the option to report a bug was available. I hope it gives me the required terminal command next time.

> The failing instruction is actually mmap of ld_so_cache_t for read-only. 
> Recompiling the Brother programs would have solved the problem properly, if
> we had the source code available.

Thanks for the detailed explanation. However, I'm sorry, I don't have the expertise to understand the whole of it.

From what I understand this is a bug in Brother's proprietary software. However, is it a security bug?

If not, is there anything SELinux can do to avoid annoying other users about this? I don't want other people to be driven into instructions to disable SELinux just because they must use a Brother printer.
Comment 7 Villy Kruse 2017-09-14 02:09:35 EDT
(In reply to António from comment #6)
> (In reply to Villy Kruse from comment #5)
> > You can allow both using the procedure suggested by selinux troubleshouter.
> 
> The troubleshouter didn't actually suggest any procedure to allow it this
> time. Only the option to report a bug was available. I hope it gives me the
> required terminal command next time.
> 

I would expect you would get these from the troubleshooter.

You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'newprog' --raw | audit2allow -M my-newprog
# semodule -X 300 -i my-newprog.pp


You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp

The last one comes from the shell which is started from the Brother program.


> > The failing instruction is actually mmap of ld_so_cache_t for read-only. 
> > Recompiling the Brother programs would have solved the problem properly, if
> > we had the source code available.
> 
> Thanks for the detailed explanation. However, I'm sorry, I don't have the
> expertise to understand the whole of it.
> 
> From what I understand this is a bug in Brother's proprietary software.
> However, is it a security bug?
> 
> If not, is there anything SELinux can do to avoid annoying other users about
> this? I don't want other people to be driven into instructions to disable
> SELinux just because they must use a Brother printer.

"setsebool -P cups_execmem 1" is where you weaken the security.  Allowing executing of ld_so_cache_t would not make it even more insecure.  The cups_execmem setting disables the protection against certain buffer overrun attacks for programs running in a cups context.

I did some experiment.  If I compile a very simple program using RH6.2 (Not the RH enterprise but the original from about year 2000) and run this in a cups context the selinux issue is triggered.  If I compile the same simple program on a Fedora system, the selinux issue is not triggered.  The difference is the "execstack" settings of the ELF program file.
Comment 8 Jonathon Poppleton 2017-09-24 21:42:54 EDT
Description of problem:
Printer HL-3170CDW caused the error. Normally i use setenforce 0 before i print with brother printers. 

Version-Release number of selected component:
selinux-policy-3.13.1-260.9.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.13-300.fc26.x86_64
type:           libreport

Note You need to log in before you can comment on or make changes to this bug.