Reception of incoming faxes is problematic as long as selinux policies are being enforced. In addition to this, the new_fax script in /etc/mgetty+sendfax cannot be executed as well:

07/16 23:41:18 yI1 start fax receiver...
07/16 23:41:18 yI1 fax_wait_for(OK)
07/16 23:41:22 yI1 transmission par.: '+FDCS:0,5,0,2,3,2,0,0'** found **
07/16 23:41:22 yI1 fax_get_pages: can't write to '/var/spool/fax/incoming': Permission denied
07/16 23:41:22 yI1 fax_send: 'AT+FDR'
07/16 23:41:22 yI1 fax_wait_for(CONNECT)
07/16 23:41:22 yI1 fax_id: '+FTSI:" +49 1234 5678"'
07/16 23:41:22 yI1 transmission par.: '+FDCS:0,5,0,2,0,2,0,0'** found **
07/16 23:41:25 yI1 fax_get_page_data: receiving /tmp/fn4bab26eI1-49-7033-4007950.01...
07/16 23:41:32 yI1 fax_get_page_data: page end, bytes received: 17360
07/16 23:41:32 yI1 fax_wait_for(OK)
07/16 23:41:32 yI1 page status: +FPTS:1** found **
07/16 23:41:32 yI1 fax_send: 'AT+FDR'
07/16 23:41:32 yI1 fax_wait_for(CONNECT)
07/16 23:41:35 yI1 connection hangup: '+FHNG:0'** found **
07/16 23:41:35 yI1 fax_notify_mail: mailer exit status: 32512 (127)
07/16 23:41:35 yI1 system() failed: Permission denied
07/16 23:41:35 ##### fax dev=ttyI1, pid=2136, caller='35', name='', id='+49 1234 5678', +FHNG=000, pages=1/0, time=00:00:33

The audit log states:

type=AVC msg=audit(1153086082.315:51): avc: denied { search } for pid=2136 comm="mgetty" name="spool" dev=md2 ino=1572905 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1153086082.315:51): arch=40000003 syscall=33 success=no exit=-13 a0=bfa62ac8 a1=2 a2=17 a3=805b776 items=1 pid=2136 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyI1 comm="mgetty" exe="/sbin/mgetty" subj=system_u:system_r:getty_t:s0
type=CWD msg=audit(1153086082.315:51): cwd="/"
type=PATH msg=audit(1153086082.315:51): item=0 name="/var/spool/fax/incoming" obj=system_u:object_r:wtmp_t:s0
type=AVC msg=audit(1153086095.856:52): avc: denied { read } for pid=2137 comm="mgetty" name="sh" dev=md2 ino=1212421 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1153086095.856:52): arch=40000003 syscall=11 success=no exit=-13 a0=4b4556 a1=bfa61d10 a2=bfa638e4 a3=400 items=1 pid=2137 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyI1 comm="mgetty" exe="/sbin/mgetty" subj=system_u:system_r:getty_t:s0
type=CWD msg=audit(1153086095.856:52): cwd="/"
type=PATH msg=audit(1153086095.856:52): item=0 name="/bin/sh" parent=0 dev=00:00 mode=00 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1153086095.860:53): avc: denied { getattr } for pid=2136 comm="mgetty" name="[7592]" dev=pipefs ino=7592 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1153086095.860:53): arch=40000003 syscall=197 success=no exit=-13 a0=6 a1=bfa62694 a2=4ccff4 a3=954c858 items=0 pid=2136 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyI1 comm="mgetty" exe="/sbin/mgetty" subj=system_u:system_r:getty_t:s0
type=AVC_PATH msg=audit(1153086095.860:53): path="pipe:[7592]"
type=AVC msg=audit(1153086095.860:54): avc: denied { write } for pid=2136 comm="mgetty" name="[7592]" dev=pipefs ino=7592 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1153086095.860:54): arch=40000003 syscall=4 success=no exit=-13 a0=6 a1=b7f14000 a2=20b a3=20b items=0 pid=2136 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyI1 comm="mgetty" exe="/sbin/mgetty" subj=system_u:system_r:getty_t:s0
type=AVC_PATH msg=audit(1153086095.860:54): path="pipe:[7592]"
type=AVC msg=audit(1153086095.872:55): avc: denied { setpgid } for pid=2138 comm="mgetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
type=SYSCALL msg=audit(1153086095.872:55): arch=40000003 syscall=57 success=no exit=-13 a0=0 a1=0 a2=954c858 a3=1 items=0 pid=2138 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyI1 comm="mgetty" exe="/sbin/mgetty" subj=system_u:system_r:getty_t:s0
type=AVC msg=audit(1153086095.876:56): avc: denied { read } for pid=2139 comm="mgetty" name="sh" dev=md2 ino=1212421 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1153086095.876:56): arch=40000003 syscall=11 success=no exit=-13 a0=4b4556 a1=bfa62e64 a2=954d8f0 a3=bfa62e84 items=1 pid=2139 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyI1 comm="mgetty" exe="/sbin/mgetty" subj=system_u:system_r:getty_t:s0
type=CWD msg=audit(1153086095.876:56): cwd="/"
type=PATH msg=audit(1153086095.876:56): item=0 name="/bin/sh" parent=0 dev=00:00 mode=00 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1153086160.724:57): avc: denied { search } for pid=2140 comm="mgetty" name="spool" dev=md2 ino=1572905 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Fixed in selinux-policy-2.3.14-4
Problem occurs in FC6, selinux-policy-2.4.6-13.fc6:

Dec 24 14:11:24 kirk mgetty[30642]: cannot set controlling tty (ioctl): Operation not permitted
Dec 24 14:11:33 kirk kernel: audit(1166998293.240:9): avc: denied { write } for pid=30642 comm="mgetty" name="incoming" dev=dm-0 ino=14189979 scontext=system_u:system_r:getty_t:s0 tcontext=user_u:object_r:var_spool_t:s0 tclass=dir
Dec 24 14:11:33 kirk mgetty[30642]: fax_get_pages: can't write to '/var/spool/fax/incoming': Permission denied
Dec 24 14:13:34 kirk kernel: audit(1166998414.021:10): avc: denied { read } for pid=32142 comm="mgetty" name="sh" dev=dm-0 ino=14974981 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
Dec 24 14:13:34 kirk kernel: audit(1166998414.022:11): avc: denied { getattr } for pid=30642 comm="mgetty" name="[2303518]" dev=pipefs ino=2303518 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=fifo_file
Dec 24 14:13:34 kirk kernel: audit(1166998414.022:12): avc: denied { write } for pid=30642 comm="mgetty" name="[2303518]" dev=pipefs ino=2303518 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=fifo_file
Dec 24 14:13:34 kirk kernel: audit(1166998414.022:13): avc: denied { setpgid } for pid=32143 comm="mgetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
Dec 24 14:13:34 kirk kernel: audit(1166998414.022:14): avc: denied { read } for pid=32144 comm="mgetty" name="sh" dev=dm-0 ino=14974981 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
Dec 24 14:13:34 kirk mgetty[30642]: fax dev=ttyS0, pid=30642, caller='none', name='', id='', +FHNG=000, pages=4/0, time=00:02:10
Dec 24 14:13:34 kirk mgetty[32143]: system() failed: Permission denied
In addition, /var/spool/fax/incoming didn't exist until I created it just now. Am I missing a package? Also, what command installs an updated selinux-policy?
Amendment to previous comment: I hadn't installed mgetty-sendfax yet, so /var/spool/fax/{incoming,outgoing} hadn't been created. That package has been installed now, then removed, then installed again, in the hopes of resetting everything to what it should be. Didn't work.

This command updates the selinux attributes for an rpm package's files:

fixfiles -R mgetty-sendfax restore

Didn't fix anything here.

Additionally, /var/spool/fax/incoming should be created as part of the mgetty rpm instead of mgetty+sendfax package, as mgetty can receive faxes without 'sendfax' being present. Instead, mgetty will put the faxes in /tmp.
If /var/spool/fax is used by mgetty package without sendfax, it should be created and owned by mgetty package. This will cause the labeling to happen correctly.

restorecon -R -v /var/spool/

Should fix the labeling. For other fixes you can use

audit2allow -M mygetty -i /var/log/audit/audit.log (or /var/log/messages)

To customize policy.
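What the audit2allow step in the comment above would be asked to permit, as an added example (not part of the original comments, and not audit2allow itself): the script groups AVC denials quoted in this report into candidate allow rules so they can be reviewed before a module is loaded. GENERIC_TYPES is an assumed review list, not something defined by the policy.

```python
import re
from collections import defaultdict

# Constructed sample: AVC denials copied from the logs quoted in this report.
SAMPLE = """\
type=AVC msg=audit(1153086082.315:51): avc: denied { search } for pid=2136 comm="mgetty" name="spool" dev=md2 ino=1572905 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:var_spool_t:s0 tclass=dir
Dec 24 14:11:33 kirk kernel: audit(1166998293.240:9): avc: denied { write } for pid=30642 comm="mgetty" name="incoming" dev=dm-0 ino=14189979 scontext=system_u:system_r:getty_t:s0 tcontext=user_u:object_r:var_spool_t:s0 tclass=dir
Dec 24 14:13:34 kirk kernel: audit(1166998414.021:10): avc: denied { read } for pid=32142 comm="mgetty" name="sh" dev=dm-0 ino=14974981 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
Dec 24 14:13:34 kirk kernel: audit(1166998414.022:11): avc: denied { getattr } for pid=30642 comm="mgetty" name="[2303518]" dev=pipefs ino=2303518 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=fifo_file
Dec 24 14:13:34 kirk kernel: audit(1166998414.022:12): avc: denied { write } for pid=30642 comm="mgetty" name="[2303518]" dev=pipefs ino=2303518 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=fifo_file
Dec 24 14:13:34 kirk kernel: audit(1166998414.022:13): avc: denied { setpgid } for pid=32143 comm="mgetty" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
"""

# Matches both the auditd form (type=AVC msg=audit(...)) and the kernel-log form.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?\bscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

# Assumption for this example: generic labels shared by many unrelated files,
# so a rule targeting them reaches well beyond the fax spool.
GENERIC_TYPES = {"var_spool_t", "bin_t"}

def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(":")[2]

def summarize(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for perms, scon, tcon, tclass in AVC_RE.findall(text):
        rules[(context_type(scon), context_type(tcon), tclass)].update(perms.split())
    return rules

def to_allow_rules(rules):
    """Render the grouped denials as candidate allow rules for review."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = sorted(perms)
        p = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        out.append(f"allow {src} {'self' if src == tgt else tgt}:{cls} {p};")
    return out

def broad_targets(rules):
    """Generic target types the source domain would gain access to."""
    return sorted({tgt for (_, tgt, _) in rules if tgt in GENERIC_TYPES})

if __name__ == "__main__":
    grouped = summarize(SAMPLE)
    print("\n".join(to_allow_rules(grouped)))
    print("review before loading:", broad_targets(grouped))
```

An allow rule on var_spool_t applies to every directory carrying that label, not only /var/spool/fax/incoming.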
Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them.

http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reproduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change.

Thanks for your help, and we apologize again that we haven't handled these issues to this point.

The process we are following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again.

And if you'd like to join the bug triage team to help make things better, check out http://fedoraproject.org/wiki/BugZappers
This bug is open for a Fedora version that is no longer maintained and will not be fixed by Fedora. Therefore we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.