Bug 244765 - AVC Denials for CPUs using MFC420CN Printer
AVC Denials for CPUs using MFC420CN Printer
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-18 22:20 EDT by Mark Phipps
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:11:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
six AVC alert messages from the SELinux debugger (14.55 KB, text/plain)
2007-06-18 22:22 EDT, Mark Phipps
no flags Details

  None (edit)
Description Mark Phipps 2007-06-18 22:20:23 EDT
Description of problem:
Installed MFC420CN lpr drivers with cupswrapper rpm from manufacturer website here:

http://solutions.brother.com/linux/sol/printer/linux/lpr_drivers.html
and here:

http://solutions.brother.com/linux/sol/printer/linux/cups_drivers.html

Will not print at all with SELinux Enforcing. Will print perfectly fine with
SELinux disabled or permissive. In permissive, you get many AVC denial errors.
Manufacturers site lists instructions to edit the file_contexts, but they don't
work.

Version-Release number of selected component (if applicable):
selinux-policy-2.6.4-14.fc7 
CUPS 1.2.10-10.fc7.x86_64
MFC420CNlpr-1.0.2-1.i386.rpm (no x86_64 rpm available)
cupswrapperMFC420CN-1.0.0-1.i386.rpm (no x86_64 rpm available)

I *do not* have cups-lpd or cups-pdf installed

How reproducible:
Very reproducible by turning SE Linux on and off (permissive mode)


Steps to Reproduce:
1. Start with clean fc7 install.
2. install lpr and cupswrapper packages with instructions at:
http://solutions.brother.com/linux/sol/printer/linux/cups_wrapper_install.html
3. Verify SELinux policy is enforcing
4. Print a test page...no printing
5. Set SELinux to permissive
6. Print a test page
7. See AVC denials

Actual results:
Many AVC denials (see attachment)

Expected results:
No AVC denials

Additional info: See attachment
Comment 1 Mark Phipps 2007-06-18 22:22:28 EDT
Created attachment 157341 [details]
six AVC alert messages from the SELinux debugger
Comment 2 Daniel Walsh 2007-06-19 08:42:25 EDT
Do you know what directory it is trying to create files in?

/usr/local/Brother/cupswrapper?

Did you run it in permissive mode?  When you run it a second time, does it try
to unlink the file again?
Comment 3 Mark Phipps 2007-06-20 22:45:10 EDT
Yes, I ran it in permissive mode in order to see the denials--in enforcing mode
it would not print at all.

It appears to be attempting to modify the file "brMFC420CNrc" which is in the
/usr/local/Brother/inf directory. The brMFC420CNrc file has information like the
print resolution, paper type, etc.

When trying different file-contexts, I did full system re-boots just to be sure
everything was reset. It may require that I create a local policy to avoid the
situation, but I haven't gotten that far yet.
Comment 4 Daniel Walsh 2007-06-21 08:55:27 EDT
See if 

#chcon -R -t cups_rw_etc_t /usr/local/Brother/inf

Makes it work.

This should be brought up as a bug to Brother that they should not have r/w
files under /usr.  They should be under /var or /etc/.  (Preferably /var).  If
this works for you I will change the default policy to label this directory.
Comment 5 Mark Phipps 2007-06-24 21:48:38 EDT
That takes care of most of the issues. I think you really meant chcon -R -t
cupsd_rw_etc_t (cupsd instead of cups).  The only denials now concern the
cupswrapper file trying to do various things (lock, get_addr, etc)with
/var/run/utmp.  It will now print in enforcing mode, but you still get a few
denials regarding /var/run/utmp.

The file that is trying to access /var/run/utmp is brlpdwrapperMFC and is
located in the usr/lib/cups/filter folder.  By default it has the following
context: system_u:object_r:bin_t

Whatever it is trying to do doesn't stop the print job from execution, even in
enforcing mode, but does pop up with AVC denials.

Comment 6 Daniel Walsh 2007-06-25 06:36:34 EDT
Ok, I will add a dontaudit rule for the next selinux-policy update along with
fixing the labeling of that directory.

fixed in selinux-policy-2.6.4-23
Comment 7 Daniel Walsh 2007-08-22 10:11:03 EDT
Closing as fixes are in the current release

Note You need to log in before you can comment on or make changes to this bug.