Bug 247225 - Brother DCP-130C SELinux blocking
Brother DCP-130C SELinux blocking
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
i386 Linux
low Severity urgent
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
: Reopened
: 466143 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2007-07-06 00:36 EDT by Daryl Thompson
Modified: 2008-10-20 10:55 EDT (History)
2 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-10-20 10:55:56 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Daryl Thompson 2007-07-06 00:36:06 EDT
Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

    SELinux is preventing /usr/bin/brprintconf_dcp130c (cupsd_t) "write" to inf

Detailed Description
    SELinux denied access requested by /usr/bin/brprintconf_dcp130c. It is not
    expected that this access is required by /usr/bin/brprintconf_dcp130c and
    this access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for inf, restorecon -v inf If this
    does not work, there is currently no automatic way to allow this access.
    Instead,  you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                user_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context                user_u:object_r:usr_t
Target Objects                inf [ dir ]
Affected RPM Packages         dcp130clpr-1.0.0-9 [application]
Policy RPM                    selinux-policy-2.6.4-23.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     editor.netcastaustralia.com
Platform                      Linux editor.netcastaustralia.com
                              2.6.21-1.3228.fc7 #1 SMP Tue Jun 12 15:37:31 EDT
                              2007 i686 athlon
Alert Count                   36
First Seen                    Fri 06 Jul 2007 01:42:03 PM EST
Last Seen                     Fri 06 Jul 2007 02:22:31 PM EST
Local ID                      27f6f6d0-f626-4b57-b1a7-9b8f0e0ae67a
Line Numbers                  

Raw Audit Messages            

avc: denied { write } for comm="brprintconf_dcp" dev=dm-0 egid=7 euid=4
exe="/usr/bin/brprintconf_dcp130c" exit=-13 fsgid=7 fsuid=4 gid=7 items=0
name="inf" pid=4128 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7
subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=dir
tcontext=user_u:object_r:usr_t:s0 tty=(none) uid=4
Comment 1 Daniel Walsh 2007-07-06 10:57:14 EDT
Fixed in selinux-policy-2.6.4-25.fc7

chcon -R -t cupsd_rw_etc_t /usr/local/Brother/inf

Should allow this to work
Comment 2 Daniel Walsh 2007-08-22 10:09:45 EDT
Closing as fixes are in the current release
Comment 3 Tim Waugh 2008-10-20 09:38:02 EDT
*** Bug 466143 has been marked as a duplicate of this bug. ***
Comment 4 Tim Waugh 2008-10-20 09:39:31 EDT
Seems like this needs fixing again in Fedora 9.
Comment 5 Daniel Walsh 2008-10-20 10:55:56 EDT
Why the SELinux context on the system is correct, the problem is the rpm does not specify the directory so it must be created in the post install and not labeled correctly.  So there is nothing I can do to fix this.   

Brother either needs to include  /usr/local/Brother/*/inf
 In the rpm payload or run restorecon in the post install script.

Note You need to log in before you can comment on or make changes to this bug.