Bug 378671 - Samsung SCX-4200 Printer Blocked By SELinux
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: x86_64 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-12 15:16 EST by Michael Appleyard
Modified: 2008-01-30 14:19 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:19:25 EST

Attachments

Output from SETroubleshooter (1.92 KB, application/octet-stream)
2007-11-12 15:16 EST, Michael Appleyard

SELinux is preventing mfp (cupsd_t) "create" to <Unknown> (cupsd_t). (1.85 KB, text/plain)
2007-11-21 19:34 EST, Michael Appleyard

SELinux is preventing modprobe (cupsd_t) "getattr" to /lib/modules/2.6.23.1-49.fc8/kernel/drivers/char/lp.ko (modules_object_t). (2.45 KB, text/plain)
2007-12-06 06:25 EST, Michael Appleyard

SELinux is preventing modprobe (cupsd_t) "lock" to /lib/modules/2.6.23.1-49.fc8/kernel/drivers/parport/parport.ko (modules_object_t). (2.49 KB, text/plain)
2007-12-06 06:26 EST, Michael Appleyard

SELinux is preventing sh (cupsd_t) "read" to <Unknown> (insmod_exec_t). (2.11 KB, text/plain)
2007-12-06 06:26 EST, Michael Appleyard

SELinux is preventing /sbin/modprobe (cupsd_t) "read" to <Unknown> (modules_object_t). (2.35 KB, text/plain)
2007-12-06 06:26 EST, Michael Appleyard

SELinux is preventing modprobe (cupsd_t) "read" to <Unknown> (modules_dep_t). (2.15 KB, text/plain)
2007-12-06 06:27 EST, Michael Appleyard

SELinux is preventing /sbin/rmmod (cupsd_t) "sys_nice" to <Unknown> (cupsd_t). (2.08 KB, text/plain)
2007-12-06 06:27 EST, Michael Appleyard

SELinux is preventing mfp (cupsd_t) "sys_rawio" to <Unknown> (cupsd_t). (1.87 KB, text/plain)
2007-12-06 06:28 EST, Michael Appleyard

SELinux is preventing /sbin/modprobe (cupsd_t) "write" to <Unknown> (modules_object_t). (2.35 KB, text/plain)
2007-12-06 06:28 EST, Michael Appleyard

Policy module that should allow this to work. (94 bytes, application/octet-stream)
2007-12-06 10:54 EST, Daniel Walsh

mycups.te:5:ERROR 'syntax error' at token 'allow' on line 1014: allow cupsd_t self:capability sys_rawio; (8.58 KB, application/octet-stream)
2007-12-06 16:02 EST, Michael Appleyard

Description Michael Appleyard 2007-11-12 15:16:15 EST
Description of problem:
I have a Samsung SCX-4200 MFP for which I downloaded the latest Linux drivers
from Samsung from:

http://www.samsung.com/uk/support/productsupport/download/Model_Select2.aspx?type=Print+Solutions&subtype=Multi+Function+Products&model=SCX%2D4200&fileType=DR&LSSI=%2Fuk%2Fmodule%2Fssi%2Fleft%2Flmenu%5Fprintsolutions%5Fmultifunctionproducts%2Esec&RSSI=%2Fuk%2Fmodule%2Fssi%2Fright%2Frmenu%5Fprintsolutions%2Esec

The installation went OK, but when I try to print, SETroubleshooter gives an
error (see attachment). I used to be able to fix this by running:

[root@lambert ~]# restorecon /usr/lib64/cups/filter/rastertosamsung*
[root@lambert ~]# chown root:root /usr/lib64/cups/filter/rastertosamsung*

but not anymore.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Download Samsung driver from link above
2. Extract and, as root, run ./cdroot/autorun
3. Follow the GUI installation
4. Try to print a test page
  
Actual results:
SELinux blocks the printer.

Expected results:
A page to be printed out.

Additional info:

Comment 1 Michael Appleyard 2007-11-12 15:16:15 EST
Created attachment 255721
Output from SETroubleshooter

Comment 2 Michael Appleyard 2007-11-12 15:17:45 EST
This is the original Bugzilla report that helped me get it working:
https://bugzilla.redhat.com/show_bug.cgi?id=214189

Comment 3 Daniel Walsh 2007-11-13 15:09:35 EST
Fixed in selinux-policy-3.0.8-54.fc8

Comment 4 Michael Appleyard 2007-11-21 19:34:40 EST
Created attachment 266401
SELinux is preventing mfp (cupsd_t) "create" to <Unknown> (cupsd_t).

Comment 5 Michael Appleyard 2007-11-21 19:37:00 EST
Hi,
I just received an update from selinux-policy-3.0.8-53.fc8 to
selinux-policy-3.0.8-56.fc8 and I still cannot print. I've attached the output
from SETroubleshoot.

Comment 6 Daniel Walsh 2007-11-26 12:59:49 EST
Could you put the machine in permissive mode and then run the print job? Then
collect all of the avc messages and attach.

Comment 7 Michael Appleyard 2007-12-06 06:25:35 EST
Created attachment 279581
SELinux is preventing modprobe (cupsd_t) "getattr" to /lib/modules/2.6.23.1-49.fc8/kernel/drivers/char/lp.ko (modules_object_t).

Comment 8 Michael Appleyard 2007-12-06 06:26:10 EST
Created attachment 279591
SELinux is preventing modprobe (cupsd_t) "lock" to /lib/modules/2.6.23.1-49.fc8/kernel/drivers/parport/parport.ko (modules_object_t).

Comment 9 Michael Appleyard 2007-12-06 06:26:37 EST
Created attachment 279601
SELinux is preventing sh (cupsd_t) "read" to <Unknown> (insmod_exec_t).

Comment 10 Michael Appleyard 2007-12-06 06:26:59 EST
Created attachment 279611
SELinux is preventing /sbin/modprobe (cupsd_t) "read" to <Unknown> (modules_object_t).

Comment 11 Michael Appleyard 2007-12-06 06:27:19 EST
Created attachment 279621
SELinux is preventing modprobe (cupsd_t) "read" to <Unknown> (modules_dep_t).

Comment 12 Michael Appleyard 2007-12-06 06:27:41 EST
Created attachment 279631
SELinux is preventing /sbin/rmmod (cupsd_t) "sys_nice" to <Unknown> (cupsd_t).

Comment 13 Michael Appleyard 2007-12-06 06:28:05 EST
Created attachment 279641
SELinux is preventing mfp (cupsd_t) "sys_rawio" to <Unknown> (cupsd_t).

Comment 14 Michael Appleyard 2007-12-06 06:28:28 EST
Created attachment 279651
SELinux is preventing /sbin/modprobe (cupsd_t) "write" to <Unknown> (modules_object_t).

Comment 15 Daniel Walsh 2007-12-06 10:54:30 EST
Created attachment 279811
Policy module that should allow this to work.

OK, this looks like cups is loading a kernel module in order to print the job.

In order to compile and install this, you need to do the following:

Extract attachment to a directory
# yum -y install selinux-policy-devel
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mycups.pp

Try to print again.

Comment 16 Michael Appleyard 2007-12-06 13:47:55 EST
Hi,
I did that and it went fine, rebooted, but it still will not let me print. So I
rebooted into passive mode, and only get one message, another instance of:
https://bugzilla.redhat.com/attachment.cgi?id=279641

Comment 17 Daniel Walsh 2007-12-06 15:31:44 EST
OK, I can add sys_rawio.

You can add it yourself by executing

# grep sys_raw /var/log/audit/audit.log | audit2allow >> mycups.te
# make -f /usr/share/selinux/devel/Makefile
# semodule -i mycups.pp

Tim, is there any reason for this tool to be loading kernel modules rather than
just doing it in an init script? I really would prefer not to allow cups to
modify the kernel.

Comment 18 Michael Appleyard 2007-12-06 16:02:04 EST
Created attachment 280191
mycups.te:5:ERROR 'syntax error' at token 'allow' on line 1014: allow cupsd_t self:capability sys_rawio;

It seems to fail at the make stage:

[root@lambert ~]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted mycups module
/usr/bin/checkmodule:  loading policy configuration from tmp/mycups.tmp
mycups.te:5:ERROR 'syntax error' at token 'allow' on line 1014:
allow cupsd_t self:capability sys_rawio;
#============= cupsd_t ==============
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make: *** [tmp/mycups.mod] Error 1

I've attached tmp/mycups.tmp, in case you need it.
Thanks for all your help by the way.

Comment 19 Daniel Walsh 2007-12-06 16:42:07 EST
That is strange.

If you just do

# grep sys_raw /var/log/audit/audit.log | audit2allow -M mycups1
# semodule -i mycups1.pp

Does that work?

Please attach the mycups.te

Comment 20 Michael Appleyard 2007-12-06 16:56:17 EST
YES!
That fixed it, thanks so much.
Here's mycups.te anyway:

#============= cupsd_t ==============
allow cupsd_t self:capability sys_rawio;


#============= cupsd_t ==============
allow cupsd_t self:capability sys_rawio;
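
Added example (not part of the bug report and not code from selinux-policy or audit2allow): the workflow in comments 17 to 20 turns AVC denials into a local policy module, and the posted mycups.te shows the same rule appended twice. The Python below parses AVC records, deduplicates them, lists the grants that touch kernel-module files or raw I/O (the concern raised in comment 17), and renders a stand-alone .te with a module header and require block. The log records are constructed, and the function names and the REVIEW_CAPS / REVIEW_TYPES sets are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Constructed AVC records in audit.log format (not copied from the bug's attachments).
SAMPLE_LOG = """\
type=AVC msg=audit(1196940485.101:45): avc:  denied  { sys_rawio } for  pid=2345 comm="mfp" capability=17 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1196940490.220:52): avc:  denied  { sys_rawio } for  pid=2391 comm="mfp" capability=17 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1196940491.007:53): avc:  denied  { read } for  pid=2392 comm="modprobe" name="modules.dep" dev=dm-0 ino=98311 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file
type=AVC msg=audit(1196940491.009:54): avc:  denied  { getattr } for  pid=2392 comm="modprobe" path="/lib/modules/2.6.23.1-49.fc8/kernel/drivers/char/lp.ko" dev=dm-0 ino=98400 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
                    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

# Assumption for this example: grants that deserve a manual look before loading.
REVIEW_CAPS = {"sys_rawio", "sys_module"}
REVIEW_TYPES = {"modules_object_t", "modules_dep_t", "insmod_exec_t"}

def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(type_of(m["s"]), type_of(m["t"]), m["cls"])].update(m["perms"].split())
    return dict(rules)

def needs_review(rules):
    """Return the rule keys that touch kernel-module files or sensitive capabilities."""
    return sorted(k for k, perms in rules.items()
                  if k[1] in REVIEW_TYPES or (k[2] == "capability" and perms & REVIEW_CAPS))

def render_module(name, rules):
    """Build a stand-alone .te: module header, require block, deduplicated allow rules."""
    types = sorted({x for s, t, _ in rules for x in (s, t)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {'self' if s == t else t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

Calling `render_module("mycups1", parse_denials(SAMPLE_LOG))` yields a single `allow cupsd_t self:capability { sys_rawio };` rule even though the denial appears twice in the log, and `needs_review` returns all three rules for inspection before anything is loaded with semodule.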

Comment 21 Daniel Walsh 2007-12-12 17:04:51 EST
Fixed in selinux-policy-3.0.8-68

Comment 22 Daniel Walsh 2008-01-30 14:19:25 EST
Bulk closing all bugs in Fedora updates in the modified state. If your bug is
not fixed, please reopen.