Bug 464898 - SELinux is preventing brprintconf_mfc (cupsd_t) "write" to ./inf (bin_t) -- printing with Brother drivers.
SELinux is preventing brprintconf_mfc (cupsd_t) "write" to ./inf (bin_t) -- p...
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity low
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2008-10-01 04:38 EDT by "FeRD" (Frank Dana)
Modified: 2008-12-02 11:42 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-10-01 07:46:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description "FeRD" (Frank Dana) 2008-10-01 04:38:42 EDT
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/2008092502 Fedora/3.0.2-1.fc10 Firefox/3.0.2

Spurious policy exceptions when printing via vendor-supplied cups drivers (installed using provided RPMs) for Brother printers.

Reproducible: Always

Steps to Reproduce:
1. Install vendor-supplied printer drivers (lpd and cupswrapper) from Brother
2. Configure print queue for supported Brother printer (MFC-5460CN, in my case)
3. Send a job to the printer
Actual Results:  
SElinux is throwing policy exceptions for every job sent to the printer -- they seem to be spurious, as the job prints and I'm not able to discern any loss of functionality due to the failures. But if nothing else, it'd be nice to stop spamming setroubleshooter when printing.


SELinux is preventing brprintconf_mfc (cupsd_t) "write" to ./inf (bin_t).

Detailed Description:

SELinux denied access requested by brprintconf_mfc. It is not expected that this
access is required by brprintconf_mfc and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./inf,

restorecon -v './inf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                ./inf [ dir ]
Source                        brprintconf_mfc
Source Path                   /usr/bin/brprintconf_mfc5460cn
Port                          <Unknown>
Host                          teevey.localdomain
Source RPM Packages           mfc5460cnlpr-1.0.1-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.9-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     teevey.localdomain
Platform                      Linux teevey.localdomain
                              2.6.27-0.370.rc8.fc10.x86_64 #1 SMP Mon Sep 29
                              23:33:23 EDT 2008 x86_64 x86_64
Alert Count                   18
First Seen                    Wed Oct  1 04:09:37 2008
Last Seen                     Wed Oct  1 04:09:37 2008
Local ID                      89aaea0d-fd9c-466a-b8d1-ea083b8aeda8
Line Numbers                  

Raw Audit Messages            

node=teevey.localdomain type=AVC msg=audit(1222848577.382:631): avc:  denied  { write } for  pid=16272 comm="brprintconf_mfc" name="inf" dev=dm-0 ino=139422 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir

node=teevey.localdomain type=SYSCALL msg=audit(1222848577.382:631): arch=40000003 syscall=38 per=400000 success=no exit=-13 a0=ff97b6e0 a1=ff97b2d0 a2=804a540 a3=ff97b6e0 items=0 ppid=16253 pid=16272 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="brprintconf_mfc" exe="/usr/bin/brprintconf_mfc5460cn" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Expected Results:  
Job is printed successfully (which is currently the case), but without failures popping up in setroubleshooter.

The problem is bad labeling under the /usr/local/Brother/ path that the Brother RPMs install their drivers at. Brother's drivers want to write to various files below that path.

Specifically, the "./inf" referenced in the selinux message is, for my printer, the directory:


It appears there's already a line in the selinux file contexts that's intended to address this -- it's slightly mis-specified, though, so the labeling doesn't get applied correctly.

The current policy specifies labeling for this location as:

/usr/local/Brother/[^/]*/inf(/.*)?	system_u:object_r:cupsd_rw_etc_t:s0

...however, at least for some Brother machines, the path is one level deeper than expected, so that rule has no effect. The rule can be corrected to:

/usr/local/Brother/[^/]*/[^/]*/inf(/.*)?    system_u:object_r:cupsd_rw_etc_t:s0

    (or, if the old labeling is still correct in some cases)
/usr/local/Brother(/[^/]*)?/[^/]*/inf(/.*)? system_u:object_r:cupsd_rw_etc_t:s0

Applying the corrected rule results in restorecon labeling the needed paths as indicated, and eliminates the setroubleshooter alerts during printing.
Comment 1 Daniel Walsh 2008-10-01 07:46:33 EDT
Changing to

/usr/local/Brother/(.*/)?inf(/.*)?      gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

Should fix all situations.

Fixed in selinux-policy-3.5.9-3.fc10
Comment 2 "FeRD" (Frank Dana) 2008-10-03 01:56:43 EDT
selinux-policy-3.5.9-4.fc10 hit my system this evening, and fixes the labeling issues completely. Thanks for the quick response!
Comment 3 James Kay 2008-12-02 06:05:17 EST
This doesn't seem to apply for the MFC-620CN and brprintconfij2 tool:

type=AVC msg=audit(1228031340.225:86): avc:  denied  { write } for  pid=4798 comm="brprintconfij2" name="inf" dev=dm-0 ino=2051
24 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1228031340.225:86): arch=40000003 syscall=38 per=400000 success=no exit=-13 a0=bfb02190 a1=bfb01d80 a2=8
04a4c8 a3=bfb02190 items=0 ppid=4789 pid=4798 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=1
 comm="brprintconfij2" exe="/usr/bin/brprintconfij2" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Comment 4 Daniel Walsh 2008-12-02 11:42:57 EST
restorecon -R -v /usr/local

Note You need to log in before you can comment on or make changes to this bug.