User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.2) Gecko/2008092502 Fedora/3.0.2-1.fc10 Firefox/3.0.2

Spurious policy exceptions when printing via vendor-supplied cups drivers (installed using provided RPMs) for Brother printers.

Reproducible: Always

Steps to Reproduce:
1. Install vendor-supplied printer drivers (lpd and cupswrapper) from Brother
2. Configure print queue for supported Brother printer (MFC-5460CN, in my case)
3. Send a job to the printer

Actual Results:
SELinux is throwing policy exceptions for every job sent to the printer -- they seem to be spurious, as the job prints and I'm not able to discern any loss of functionality due to the failures. But if nothing else, it'd be nice to stop spamming setroubleshooter when printing.

Summary:
SELinux is preventing brprintconf_mfc (cupsd_t) "write" to ./inf (bin_t).

Detailed Description:
SELinux denied access requested by brprintconf_mfc. It is not expected that this access is required by brprintconf_mfc and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./inf,
restorecon -v './inf'
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                ./inf [ dir ]
Source                        brprintconf_mfc
Source Path                   /usr/bin/brprintconf_mfc5460cn
Port                          <Unknown>
Host                          teevey.localdomain
Source RPM Packages           mfc5460cnlpr-1.0.1-1
Target RPM Packages
Policy RPM                    selinux-policy-3.5.9-1.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     teevey.localdomain
Platform                      Linux teevey.localdomain 2.6.27-0.370.rc8.fc10.x86_64 #1 SMP Mon Sep 29 23:33:23 EDT 2008 x86_64 x86_64
Alert Count                   18
First Seen                    Wed Oct 1 04:09:37 2008
Last Seen                     Wed Oct 1 04:09:37 2008
Local ID                      89aaea0d-fd9c-466a-b8d1-ea083b8aeda8
Line Numbers

Raw Audit Messages
node=teevey.localdomain type=AVC msg=audit(1222848577.382:631): avc: denied { write } for pid=16272 comm="brprintconf_mfc" name="inf" dev=dm-0 ino=139422 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
node=teevey.localdomain type=SYSCALL msg=audit(1222848577.382:631): arch=40000003 syscall=38 per=400000 success=no exit=-13 a0=ff97b6e0 a1=ff97b2d0 a2=804a540 a3=ff97b6e0 items=0 ppid=16253 pid=16272 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="brprintconf_mfc" exe="/usr/bin/brprintconf_mfc5460cn" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Expected Results:
Job is printed successfully (which is currently the case), but without failures popping up in setroubleshooter.

The problem is bad labeling under the /usr/local/Brother/ path that the Brother RPMs install their drivers at. Brother's drivers want to write to various files below that path.
Specifically, the "./inf" referenced in the selinux message is, for my printer, the directory:

/usr/local/Brother/Printer/mfc5460cn/inf

It appears there's already a line in the selinux file contexts that's intended to address this -- it's slightly mis-specified, though, so the labeling doesn't get applied correctly. The current policy specifies labeling for this location as:

/usr/local/Brother/[^/]*/inf(/.*)? system_u:object_r:cupsd_rw_etc_t:s0

...however, at least for some Brother machines, the path is one level deeper than expected, so that rule has no effect. The rule can be corrected to:

/usr/local/Brother/[^/]*/[^/]*/inf(/.*)? system_u:object_r:cupsd_rw_etc_t:s0

(or, if the old labeling is still correct in some cases)

/usr/local/Brother(/[^/]*)?/[^/]*/inf(/.*)? system_u:object_r:cupsd_rw_etc_t:s0

Applying the corrected rule results in restorecon labeling the needed paths as indicated, and eliminates the setroubleshooter alerts during printing.
Changing to

/usr/local/Brother/(.*/)?inf(/.*)? gen_context(system_u:object_r:cupsd_rw_etc_t,s0)

should fix all situations.

Fixed in selinux-policy-3.5.9-3.fc10
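To see why the original file-context rule misses the reporter's path while the maintainer's rule covers every layout, here is an added Python check (not from the bug thread or from selinux-policy) that runs the three regexes quoted above against sample paths and prints the semanage/restorecon commands for a local override. It assumes, as libselinux does, that each file_contexts regex is anchored to the whole path and that the last matching rule wins; the sample paths other than the reported one, and the "usr_t" default type, are constructed.

```python
import re

# File-context regexes quoted in the thread: the original (too shallow) rule,
# the reporter's "either depth" variant, and the maintainer's final rule.
# Assumption (modelled on libselinux): each regex is anchored to the whole
# path, and when several rules match, the last one listed wins.
RULES = {
    "old":      r"/usr/local/Brother/[^/]*/inf(/.*)?",
    "reporter": r"/usr/local/Brother(/[^/]*)?/[^/]*/inf(/.*)?",
    "fixed":    r"/usr/local/Brother/(.*/)?inf(/.*)?",
}
TARGET_TYPE = "cupsd_rw_etc_t"

# Paths to test: the directory from the AVC plus constructed variants.
SAMPLE_PATHS = [
    "/usr/local/Brother/Printer/mfc5460cn/inf",          # from the report ("./inf")
    "/usr/local/Brother/Printer/mfc5460cn/inf/brrc",     # constructed: file inside inf
    "/usr/local/Brother/mfc5460cn/inf",                  # constructed: shallower layout
    "/usr/local/Brother/Printer/mfc5460cn/lpd/filter",   # constructed: must NOT match
    "/usr/local/Brother/Printer/mfc5460cn/info",         # constructed: 'info' is not 'inf'
]

def rule_matches(regex, path):
    """True if the file-context regex would apply to path (whole-path anchored)."""
    return re.fullmatch(regex, path) is not None

def resolve_type(path, rules, default="usr_t"):
    """Type a path receives from an ordered list of (regex, type): last match wins.
    The default is assumed; the thread shows bin_t on one box and usr_t on another."""
    result = default
    for regex, setype in rules:
        if rule_matches(regex, path):
            result = setype
    return result

def coverage(rules, paths):
    """For each named regex, the subset of paths it would label."""
    return {name: [p for p in paths if rule_matches(rx, p)] for name, rx in rules.items()}

def local_override(regex, setype=TARGET_TYPE):
    """Commands that apply the rule locally without waiting for a policy update."""
    return [f"semanage fcontext -a -t {setype} '{regex}'",
            "restorecon -Rv /usr/local/Brother"]

if __name__ == "__main__":
    for name, labelled in coverage(RULES, SAMPLE_PATHS).items():
        print(f"{name:9}: {labelled}")
    print("\n".join(local_override(RULES["fixed"])))
```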
selinux-policy-3.5.9-4.fc10 hit my system this evening, and fixes the labeling issues completely. Thanks for the quick response!
This doesn't seem to apply for the MFC-620CN and brprintconfij2 tool:

type=AVC msg=audit(1228031340.225:86): avc: denied { write } for pid=4798 comm="brprintconfij2" name="inf" dev=dm-0 ino=205124 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1228031340.225:86): arch=40000003 syscall=38 per=400000 success=no exit=-13 a0=bfb02190 a1=bfb01d80 a2=804a4c8 a3=bfb02190 items=0 ppid=4789 pid=4798 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=1 comm="brprintconfij2" exe="/usr/bin/brprintconfij2" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
restorecon -R -v /usr/local