Bug 486679 - SELinux policy gives AVC of cupsd_t access attempt of Samsung SCX-4725FN printer/scanner (MFP) unless cupsd set permissive
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: x86_64 Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-02-20 19:01 EST by collura
Modified: 2009-04-13 10:28 EDT
Doc Type: Bug Fix
Last Closed: 2009-04-13 10:28:48 EDT
Description collura 2009-02-20 19:01:16 EST
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/2009020410 Fedora/3.0.6-1.fc10 Firefox/3.0.6

default install of printer driver doesn't print because selinux gives avc

with samsung scx-4725fn printer/scanner
with selinux-policy-3.5.13-45.fc10 (noarch)
with samsung unified linux driver 
          samsung common ver 2.00.97
          samsung printer ver 2.00.52  
          samsung scanner ver 2.00.61  
          samsung build# 362
          (URI: mfp: /dev/mfp4)
          currently connected via usb cable not ethernet port

problem similar to:
    bug id=483395 where selinux prevents access hpijs cups
    bug id=476975 where selinux prevents access until change context
    bug id=378671 where used audit2allow and semodule until policy 3.08 release
    bug http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385 
           where used ls -alZ /path/to/file
           where used restorecon -v /path/to/file

will try audit2allow for now but consider updating selinux-policy and-or make suggestion to samsung about driver for future?

>SELinux is preventing mfp (cupsd_t) "unix_read unix_write" unconfined_t.
>Detailed Description:
>SELinux denied access requested by mfp. It is not expected that this access is
>required by mfp and this access may signal an intrusion attempt. It is also
>possible that the specific version or configuration of the application is
>causing it to require additional access.
>Allowing Access:
>You can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>Additional Information:
>Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
>Target Context                unconfined_u:unconfined_r:unconfined_t:s0
>Target Objects                None [ shm ]
>Source                        mfp
>Source Path                   /usr/lib64/cups/backend/mfp
>Port                          <Unknown>
>Host                          localhost.localdomain
>Source RPM Packages           
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.5.13-45.fc10
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall
>Host Name                     localhost.localdomain
>Platform                      Linux localhost.localdomain
>                     #1 SMP Wed Feb 11
>                              23:14:31 EST 2009 x86_64 x86_64
>Alert Count                   50
>First Seen                    Thu 19 Feb 2009 11:59:51 AM EST
>Last Seen                     Fri 20 Feb 2009 03:15:21 PM EST
>Local ID                      6b1446ac-89dd-4780-8256-828773b79f16
>Line Numbers                  
>Raw Audit Messages            
>node=localhost.localdomain type=AVC msg=audit(1235160921.297:42): avc:  denied  { unix_read unix_write } for  pid=3333 comm="mfp" key=-324508629 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=shm
>node=localhost.localdomain type=SYSCALL msg=audit(1235160921.297:42): arch=c000003e syscall=29 success=yes exit=0 a0=eca8642b a1=1000 a2=3b6 a3=345376da70 items=0 ppid=2397 pid=3333 auid=4294967295 uid=4 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="mfp" exe="/usr/lib64/cups/backend/mfp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

the following is a top snippet from audit2allow -a -w

>type=AVC msg=audit(1234641266.092:80): avc:  denied  { mmap_zero } for  pid=5017 comm="ld-linux-x86-64" scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:system_r:prelink_t:s0 tclass=memprotect
>        Was caused by:
>                Unknown - would be allowed by active policy
>                Possible mismatch between this policy and the one under which the audit message was generated.
>                Possible mismatch between current in-memory boolean settings vs. permanent ones.
>type=AVC msg=audit(1235060592.842:549): avc:  denied  { read write } for  pid=18205 comm="portrelease" path="socket:[91579]" dev=sockfs ino=91579 scontext=unconfined_u:system_r:portreserve_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
>        Was caused by:
>                Missing type enforcement (TE) allow rule.
>                You can use audit2allow to generate a loadable module to allow this access.

where 'audit2allow -a -m scx4725fnCupsdFix0 >> scx4725fnCupsdFix0.te' gives:

>module scx4725fnCupsdFix0 1.0;
>require {
>	type unconfined_t;
>	type lib_t;
>	type prelink_t;
>	type modules_conf_t;
>	type cupsd_t;
>	type modules_dep_t;
>	type insmod_exec_t;
>	type system_map_t;
>	type user_tmpfs_t;
>	type modules_object_t;
>	type portreserve_t;
>	class unix_stream_socket { read write };
>	class memprotect mmap_zero;
>	class capability sys_module;
>	class file { write getattr read lock execute execute_no_trans };
>	class shm { unix_read read write unix_write associate };
>	class dir search;
>}
>#============= cupsd_t ==============
>allow cupsd_t insmod_exec_t:file { read execute execute_no_trans };
>allow cupsd_t lib_t:file execute_no_trans;
>allow cupsd_t modules_conf_t:file { read getattr };
>allow cupsd_t modules_dep_t:file { read getattr };
>allow cupsd_t modules_object_t:dir search;
>allow cupsd_t modules_object_t:file { read write getattr lock };
>allow cupsd_t self:capability sys_module;
>allow cupsd_t system_map_t:file getattr;
>allow cupsd_t unconfined_t:shm { unix_read read write unix_write associate };
>allow cupsd_t unconfined_t:unix_stream_socket { read write };
>allow cupsd_t user_tmpfs_t:file { read write };
>#============= portreserve_t ==============
>allow portreserve_t unconfined_t:unix_stream_socket { read write };
>#============= prelink_t ==============
>allow prelink_t self:memprotect mmap_zero;

which goes into 'checkmodule -M -m -o scx4725fnCupsdFix0.mod scx4725fnCupsdFix0.te'

which goes into 'semodule_package -o scx4725fnCupsdFix0.pp -m scx4725fnCupsdFix0.mod'

which goes into 'semodule -i scx4725fnCupsdFix0.pp'

which seems to fix the problem until the next kernel update?

Reproducible: Always

Steps to Reproduce:
1. install the Samsung Unified Linux Printer/Scanner driver
2. try to print but get nothing out of printer
3. set the selinux for cupsd to permissive and print comes out
(note that the multi-function-printer device scans without changes to selinux, it's the printing that is the problem requiring tweak of selinux)
Actual Results:  
won't print the page unless selinux for cupsd is set permissive or unless run the audit2allow to do the ignore the access privilege problem

Expected Results:  
expect printer to print

set audit2allow for now but is this the right way to do this for the long term?

will there be an updated policy package to address this or is the driver doing things the wrong way for long term plans?

i can't wait for the next kernel release to see if i remember that i had to do this ;')
Comment 1 Daniel Walsh 2009-02-23 09:56:35 EST
>node=localhost.localdomain type=AVC msg=audit(1235160921.297:42): avc:  denied  { unix_read unix_write } for  pid=3333 comm="mfp" key=-324508629 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=shm

This shows cupsd trying to communicate with a service run by a user?  This seems strange.  What is the mfp command?

Prelink bug is covered in other bugzillas; we are trying to figure out what is going on.

The policy snippet that you added allows cups to modify the running kernel.  Looks like a cups script is loading a kernel module.  This is not a good idea, since someone could trick cups into loading something into the kernel to take over the machine.  

Tim, do you have any idea what is going on?
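
The concern raised in Comment 1, as an added example that is not part of the bug report or of any SELinux tool: a Python check that parses the allow rules of the module posted in the description and lists the ones that need a human decision before `semodule -i`. The rule text is copied from the description; the function names and the review heuristics are assumptions of this example.

```python
import re

# Constructed input: the allow rules from the module posted in the description.
MODULE_TE = """
allow cupsd_t insmod_exec_t:file { read execute execute_no_trans };
allow cupsd_t lib_t:file execute_no_trans;
allow cupsd_t modules_conf_t:file { read getattr };
allow cupsd_t modules_dep_t:file { read getattr };
allow cupsd_t modules_object_t:dir search;
allow cupsd_t modules_object_t:file { read write getattr lock };
allow cupsd_t self:capability sys_module;
allow cupsd_t system_map_t:file getattr;
allow cupsd_t unconfined_t:shm { unix_read read write unix_write associate };
allow cupsd_t unconfined_t:unix_stream_socket { read write };
allow cupsd_t user_tmpfs_t:file { read write };
allow portreserve_t unconfined_t:unix_stream_socket { read write };
allow prelink_t self:memprotect mmap_zero;
"""

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;", re.M)

def parse_allow_rules(te_text):
    """Return (source, target, tclass, perms) for every allow rule in a .te file."""
    return [(s, t, c, frozenset((braced or single).split()))
            for s, t, c, braced, single in ALLOW_RE.findall(te_text)]

def review_rule(rule, intended_domain="cupsd_t"):
    """Return a reason to question the rule, or None (heuristics are this example's)."""
    source, target, tclass, perms = rule
    if source != intended_domain:
        return "unrelated domain swept in by 'audit2allow -a'"
    if tclass == "capability" and "sys_module" in perms:
        return "lets the domain load kernel modules"
    if target == "insmod_exec_t" and perms & {"execute", "execute_no_trans"}:
        return "runs the module loader without a domain transition"
    if target.startswith("modules_") and "write" in perms:
        return "writes to kernel module files"
    if target == "unconfined_t":
        return "IPC with a user's unconfined process"
    return None

def flagged(te_text, intended_domain="cupsd_t"):
    """Rules that need a human decision before the module is installed."""
    return [(r, why) for r in parse_allow_rules(te_text)
            if (why := review_rule(r, intended_domain))]

if __name__ == "__main__":
    for (s, t, c, perms), why in flagged(MODULE_TE):
        print(f"{s} -> {t}:{c} {{{' '.join(sorted(perms))}}}: {why}")
```

Seven of the thirteen rules are flagged: two belong to other domains (`portreserve_t`, `prelink_t`) because `audit2allow -a` reads the whole audit log, and five are `cupsd_t` rules covering kernel module loading or IPC with `unconfined_t`.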
Comment 2 Tim Waugh 2009-02-23 12:21:26 EST
Looks like mfp is a 3rd party CUPS backend from Samsung, not something we ship.
Comment 3 Daniel Walsh 2009-04-13 10:28:48 EDT
I am just going to mark this as closed current release since most of these are fixed in the current release and we will not fix the other problems which should be handled by fixes in the package, which Fedora does not ship.