Bug 2052639 - SELinux prevents gs access map on file
Summary: SELinux prevents gs access map on file
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Reported: 2022-02-09 17:05 UTC by Alberto Chiodi
Modified: 2022-06-23 03:14 UTC (History)

Fixed In Version: selinux-policy-35.18-1.fc35
Last Closed: 2022-06-23 03:14:01 UTC
Type: Bug


External tracker:
System ID: Github fedora-selinux selinux-policy pull 1137
Private: 0
Priority: None
Status: open
Summary: Add file map permission to lpd_manage_spool() interface
Last Updated: 2022-04-08 13:36:09 UTC

Description Alberto Chiodi 2022-02-09 17:05:01 UTC
I think it can affect many users.

When I print a document from LibreOffice (in this specific case from libreoffice-calc), the printing takes place but I receive this warning from SELinux.

My OS: Fedora 35; kernel 5.16.5-200.fc35.x86_64
Printer on socket://
Ricoh Aficio MP C2050 with driver Ricoh Aficio MP C2050 PXL

SELinux prevents gs access map on file /var/spool/cups/tmp/.cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-7.

***** Plugin catchall_boolean(89.3 confidence) suggests ******************

If allow domain to can mmap files
It’s necessary inform SELinux enabling boolean 'domain_can_mmap_files' .

setsebool -P domain_can_mmap_files 1

***** Plugin catchall(11.6 confidence) suggest **************************
# ausearch -c 'gs' --raw | audit2allow -M my-$MODULE_NOME
# semodule -X 300 -i miei-gs.pp

Additional information:
source       system_u:system_r:cupsd_t:s0-s0:c0.c1023
Contest target               system_u:object_r:print_spool_t:s0
Objects target                /var/spool/cups/tmp/.cache/fontconfig/3830d5c3ddfd
                              5cd38a049b759396e72e-le64.cache-7 [ file ]
Source                      gs
Source path      gs
Porta                         <Sconosciuto>
Host                          Asus
Packet source RPM        
SELinux Policy RPM            selinux-policy-targeted-35.13-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.13-1.fc35.noarch
Selinux abilited             True
Policy              targeted
Modalità            Enforcing

Piattaforma                   Linux Asus 5.16.5-200.fc35.x86_64 #1
                              SMP PREEMPT Tue Feb 1 21:37:11 UTC 2022 x86_64
Messages Raw Audit
type=AVC msg=audit(1644424427.220:242): avc:  denied  { map } for  pid=2610 comm="gs" path="/var/spool/cups/tmp/.cache/fontconfig/3830d5c3ddfd5cd38a049b759396e72e-le64.cache-7" dev="sdb1" ino=785820 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:print_spool_t:s0 tclass=file permissive=0

Comment 1 Zdenek Pytela 2022-02-09 19:09:09 UTC
The map permission needs to be added:
f35# sesearch -A -s cupsd_t -t print_spool_t -c file
allow cups_domain print_spool_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow cupsd_t print_spool_t:file { relabelfrom relabelto };
allow domain file_type:file map; [ domain_can_mmap_files ]:True
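
An added illustration, not part of the bug report or of selinux-policy: this Python sketch checks the denied permission from the AVC record against the sesearch output in comment 1 and reports whether each permission is granted unconditionally, only under a boolean, or not at all. For this report it shows that `map` on `print_spool_t` files is reachable only through the rule conditional on `domain_can_mmap_files`. The function names are hypothetical.

```python
import re

# Both inputs are copied verbatim from this bug report (description and comment 1).
AVC = (
    'type=AVC msg=audit(1644424427.220:242): avc:  denied  { map } for  pid=2610 '
    'comm="gs" path="/var/spool/cups/tmp/.cache/fontconfig/'
    '3830d5c3ddfd5cd38a049b759396e72e-le64.cache-7" dev="sdb1" ino=785820 '
    'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:print_spool_t:s0 tclass=file permissive=0'
)
SESEARCH = """\
allow cups_domain print_spool_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow cupsd_t print_spool_t:file { relabelfrom relabelto };
allow domain file_type:file map; [ domain_can_mmap_files ]:True
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')
RULE_RE = re.compile(r'^allow\s+\S+\s+\S+:(\S+)\s+(?:\{([^}]*)\}|(\S+));\s*(?:\[\s*(\S+)\s*\]:(\w+))?')


def parse_avc(line):
    """Return (source type, target type, class, set of denied permissions)."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    perms, scontext, tcontext, tclass = m.groups()
    # A context is user:role:type:level; the type is the third field.
    return scontext.split(":")[2], tcontext.split(":")[2], tclass, set(perms.split())


def parse_rules(text):
    """Yield (class, permissions, condition or None) for each allow rule."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            tclass, braced, single, boolean, state = m.groups()
            yield tclass, set((braced or single).split()), boolean and f"{boolean}={state}"


def classify(avc_line, sesearch_text):
    """Map each denied permission to 'unconditional', a condition, or 'missing'."""
    _, _, tclass, denied = parse_avc(avc_line)
    verdict = {perm: "missing" for perm in denied}
    # sesearch was already filtered with -s/-t, so every listed rule applies to the pair.
    for rule_class, perms, condition in parse_rules(sesearch_text):
        if rule_class != tclass:
            continue
        for perm in denied & perms:
            if verdict[perm] != "unconditional":
                verdict[perm] = condition or "unconditional"
    return verdict
```
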

Comment 2 Fedora Update System 2022-06-07 09:25:37 UTC
FEDORA-2022-9e53cb5027 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9e53cb5027

Comment 3 Fedora Update System 2022-06-08 01:20:26 UTC
FEDORA-2022-9e53cb5027 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-9e53cb5027`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9e53cb5027

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2022-06-23 03:14:01 UTC
FEDORA-2022-9e53cb5027 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.
