Bug 476975 - SELinux denied access requested by tpprint (TurboPrint2)
SELinux denied access requested by tpprint (TurboPrint2)
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
9
All Linux
low Severity low
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-18 07:15 EST by Diccon Spain
Modified: 2009-06-10 04:12 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-06-10 04:12:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Diccon Spain 2008-12-18 07:15:41 EST
Description of problem:
SELinux denied various accesses requested by tpprint (TurboPrint2):

1) SELinux is preventing tpprint (cupsd_t) "write" to ./tp0.ink (var_t).
2) SELinux is preventing tpprint (cupsd_t) "setattr" to ./tp0.ink (var_t).
3) SELinux is preventing tpprint (cupsd_t) "write" to ./tp0.job (var_t).
4) SELinux is preventing tpprint (cupsd_t) "setattr" to ./tp0.job (var_t).
5) SELinux is preventing tpprint (cupsd_t) "unlink" to ./5.zmf (var_t).

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-111.fc9

How reproducible:
Print to printer that has been setup to use TurboPrint2 

Steps to Reproduce:
1.
2.
3.
  
Actual results:
Printing still successful but several denials generated by SELinux (detailed below):

1) Summary:

SELinux is preventing tpprint (cupsd_t) "write" to ./tp0.ink (var_t).

Detailed Description:

SELinux denied access requested by tpprint. It is not expected that this access
is required by tpprint and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./tp0.ink,

restorecon -v './tp0.ink'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./tp0.ink [ file ]
Source                        tpprint
Source Path                   /usr/bin/tpprint
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           turboprint-2.06-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.7-53.fc9.i686
                              #1 SMP Thu Nov 27 02:29:03 EST 2008 i686 i686
Alert Count                   27
First Seen                    Thu 18 Dec 2008 10:37:07 GMT
Last Seen                     Thu 18 Dec 2008 12:03:23 GMT
Local ID                      d373e8ae-e0db-4e1d-abe0-fe453f0cfc00
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1229601803.98:146): avc:  denied  { write } for  pid=8053 comm="tpprint" name="tp0.ink" dev=dm-1 ino=623319 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1229601803.98:146): arch=40000003 syscall=5 success=no exit=-13 a0=bfc772d0 a1=241 a2=1b6 a3=240 items=0 ppid=8034 pid=8053 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="tpprint" exe="/usr/bin/tpprint" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

2) Summary:

SELinux is preventing tpprint (cupsd_t) "setattr" to ./tp0.ink (var_t).

Detailed Description:

SELinux denied access requested by tpprint. It is not expected that this access
is required by tpprint and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./tp0.ink,

restorecon -v './tp0.ink'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./tp0.ink [ file ]
Source                        tpprint
Source Path                   /usr/bin/tpprint
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           turboprint-2.06-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.7-53.fc9.i686
                              #1 SMP Thu Nov 27 02:29:03 EST 2008 i686 i686
Alert Count                   27
First Seen                    Thu 18 Dec 2008 10:37:07 GMT
Last Seen                     Thu 18 Dec 2008 12:03:23 GMT
Local ID                      826841d4-dde3-4c60-914d-c0b5861bdd13
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1229601803.99:147): avc:  denied  { setattr } for  pid=8053 comm="tpprint" name="tp0.ink" dev=dm-1 ino=623319 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1229601803.99:147): arch=40000003 syscall=15 success=no exit=-13 a0=bfc772d0 a1=1b6 a2=4 a3=8fa4038 items=0 ppid=8034 pid=8053 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="tpprint" exe="/usr/bin/tpprint" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)


3) Summary:

SELinux is preventing tpprint (cupsd_t) "write" to ./tp0.job (var_t).

Detailed Description:

SELinux denied access requested by tpprint. It is not expected that this access
is required by tpprint and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./tp0.job,

restorecon -v './tp0.job'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./tp0.job [ file ]
Source                        tpprint
Source Path                   /usr/bin/tpprint
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           turboprint-2.06-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.7-53.fc9.i686
                              #1 SMP Thu Nov 27 02:29:03 EST 2008 i686 i686
Alert Count                   7
First Seen                    Thu 18 Dec 2008 10:37:07 GMT
Last Seen                     Thu 18 Dec 2008 12:03:23 GMT
Local ID                      6c0f9b58-a08b-45d2-826c-11811eaa41d7
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1229601803.157:148): avc:  denied  { write } for  pid=8053 comm="tpprint" name="tp0.job" dev=dm-1 ino=623316 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1229601803.157:148): arch=40000003 syscall=5 success=no exit=-13 a0=bfc776ec a1=241 a2=1b6 a3=240 items=0 ppid=8034 pid=8053 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="tpprint" exe="/usr/bin/tpprint" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)


4) Summary:

SELinux is preventing tpprint (cupsd_t) "setattr" to ./tp0.job (var_t).

Detailed Description:

SELinux denied access requested by tpprint. It is not expected that this access
is required by tpprint and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./tp0.job,

restorecon -v './tp0.job'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./tp0.job [ file ]
Source                        tpprint
Source Path                   /usr/bin/tpprint
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           turboprint-2.06-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.7-53.fc9.i686
                              #1 SMP Thu Nov 27 02:29:03 EST 2008 i686 i686
Alert Count                   7
First Seen                    Thu 18 Dec 2008 10:37:07 GMT
Last Seen                     Thu 18 Dec 2008 12:03:23 GMT
Local ID                      e593d3a7-87bd-47dd-8b05-53318661544d
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1229601803.157:149): avc:  denied  { setattr } for  pid=8053 comm="tpprint" name="tp0.job" dev=dm-1 ino=623316 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1229601803.157:149): arch=40000003 syscall=15 success=no exit=-13 a0=bfc776ec a1=1b6 a2=bfc777ec a3=8d0d608 items=0 ppid=8034 pid=8053 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="tpprint" exe="/usr/bin/tpprint" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)


5) Summary:

SELinux is preventing tpprint (cupsd_t) "unlink" to ./5.zmf (var_t).

Detailed Description:

SELinux denied access requested by tpprint. It is not expected that this access
is required by tpprint and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./5.zmf,

restorecon -v './5.zmf'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                ./5.zmf [ file ]
Source                        tpprint
Source Path                   /usr/bin/tpprint
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           turboprint-2.06-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.7-53.fc9.i686
                              #1 SMP Thu Nov 27 02:29:03 EST 2008 i686 i686
Alert Count                   15
First Seen                    Thu 18 Dec 2008 10:36:59 GMT
Last Seen                     Thu 18 Dec 2008 12:01:50 GMT
Local ID                      a60c493a-e1ae-4c67-a70b-15993fe1a73a
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1229601710.986:143): avc:  denied  { unlink } for  pid=8053 comm="tpprint" name="5.zmf" dev=dm-1 ino=622595 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1229601710.986:143): arch=40000003 syscall=10 success=no exit=-13 a0=bfc77538 a1=bfc771a0 a2=8d08008 a3=bfc77198 items=0 ppid=8034 pid=8053 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="tpprint" exe="/usr/bin/tpprint" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)


Expected results:
No SELinux denials for above typical print activities of TurboLinux2

Additional info:
TurboPrint website: http://www.turboprint.info/
TurboPrint contact details:
Contact

ZEDOnet GmbH
Meinrad-Spieß-Platz 2
D-87660 Irsee
Germany
Tel. +49 8341 908 3 905
Fax +49 8341 908 3 906

E-Mail: mail (a) zedonet (dot) de
 
HRB 7805 Registergericht Kempten
Management: Stefan Donhauser, Florian Zeiler
Comment 1 Daniel Walsh 2008-12-18 10:30:34 EST
What directory under /var is cups/turboprint trying to write to?

All we need is to label it correctly
Comment 2 Diccon Spain 2008-12-18 13:00:17 EST
Hi Daniel,

Here is a walk around the directory structure under /var into the /var/turboprint (this looks like the target that cups/turboprint is trying to write to) directory and sub directories:

[dicconspain@localhost var]$ ls
... turboprint ...
[dicconspain@localhost var]$ cd turboprint

[dicconspain@localhost turboprint]$ ls
dicconspain  ink  tpstatus
-- n.b. tpstatus is a text file --

[dicconspain@localhost turboprint]$ cd ink
[dicconspain@localhost ink]$ ls
tp0.ink
-- tp0.ink is a file mentioned in the SELinux denial --

[dicconspain@localhost ink]$ cd ../

[dicconspain@localhost turboprint]$ cd dicconspain
[dicconspain@localhost dicconspain]$ ls
b0  b1  b2  b3  b4  b5  b6  b7  fd  m0  m1  m2  m3  m4  m5  m6  m7  prv  sml  tp0.ink  tp0.job  zmf
-- prv sml and zmf are three further sub directories --
-- tp0.ink tp0.job mentioned in the SELinux denial --

[dicconspain@localhost dicconspain]$ cd prv
[dicconspain@localhost prv]$ ls
-- nothing here! --

[dicconspain@localhost prv]$ cd ..
[dicconspain@localhost dicconspain]$ cd sml
[dicconspain@localhost sml]$ ls
-- nothing here! --

[dicconspain@localhost sml]$ cd ..
[dicconspain@localhost dicconspain]$ cd zmf
[dicconspain@localhost zmf]$ ls
324.zmf  5.zmf

Hope this is what you were after.
Comment 3 Daniel Walsh 2008-12-18 14:36:50 EST
Execute 

chcon -R -t cupsd_rw_etc_t /var/turboprint

See if this fixes the problem, if so we will make it the default.
Comment 4 Diccon Spain 2008-12-19 04:56:26 EST
Ran command and this reduces the SELinux denials to one:


Summary:

SELinux is preventing tpprint (cupsd_t) "read" cupsd_rw_etc_t.

Detailed Description:

SELinux denied access requested by tpprint. It is not expected that this access
is required by tpprint and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:cupsd_rw_etc_t:s0
Target Objects                fd [ fifo_file ]
Source                        tpprint
Source Path                   /usr/bin/tpprint
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           turboprint-2.06-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-111.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.7-53.fc9.i686
                              #1 SMP Thu Nov 27 02:29:03 EST 2008 i686 i686
Alert Count                   1
First Seen                    Fri 19 Dec 2008 09:49:06 GMT
Last Seen                     Fri 19 Dec 2008 09:49:06 GMT
Local ID                      1a8373eb-5ee9-4a92-83d6-bfe60c92d655
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1229680146.373:26): avc:  denied  { read } for  pid=2976 comm="tpprint" name="fd" dev=dm-1 ino=622644 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_rw_etc_t:s0 tclass=fifo_file

node=localhost.localdomain type=SYSCALL msg=audit(1229680146.373:26): arch=40000003 syscall=5 success=no exit=-13 a0=813d6a0 a1=800 a2=0 a3=9cad548 items=0 ppid=2957 pid=2976 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="tpprint" exe="/usr/bin/tpprint" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

so nearly there...
Comment 5 Daniel Walsh 2008-12-19 11:41:18 EST
Ok lets change it a little.

chcon -R -t cupsd_var_run_t /var/turboprint

WHich will allow both activities.
Comment 6 Diccon Spain 2008-12-28 07:00:21 EST
Excellent - this has solved it - no SELinux errors generated.  Thanks for resolving this.
Comment 7 Daniel Walsh 2009-01-04 12:38:17 EST
Ok I have made this change in F10 and Rawhide, Miroslav can you make this change in F9
Comment 8 Miroslav Grepl 2009-01-05 07:46:58 EST
Fixed in selinux-policy-3.3.1-117.fc9.noarch
Comment 9 Bug Zapper 2009-06-09 23:26:27 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.