User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.6) Gecko/2009020410 Fedora/3.0.6-1.fc10 Firefox/3.0.6

Default install of printer driver doesn't print because SELinux gives an AVC.

System:
  with Samsung SCX-4725FN printer/scanner
  with selinux-policy-3.5.13-45.fc10 (noarch)
  with Samsung Unified Linux Driver: samsung common ver 2.00.97, samsung printer ver 2.00.52, samsung scanner ver 2.00.61, samsung build# 362 (URI: mfp: /dev/mfp4)
  currently connected via USB cable, not ethernet port

Problem similar to:
  bug id=483395 where SELinux prevents access hpijs cups
  bug id=476975 where SELinux prevents access until change context
  bug id=378671 where used audit2allow and semodule until policy 3.08 release
  bug http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385 where used ls -alZ /path/to/file, where used restorecon -v /path/to/file

Will try audit2allow for now but consider updating selinux-policy and/or make suggestion to Samsung about driver for future?

----------------------------------------------

>Summary:
>
>SELinux is preventing mfp (cupsd_t) "unix_read unix_write" unconfined_t.
>
>Detailed Description:
>
>SELinux denied access requested by mfp. It is not expected that this access is
>required by mfp and this access may signal an intrusion attempt. It is also
>possible that the specific version or configuration of the application is
>causing it to require additional access.
>
>Allowing Access:
>
>You can generate a local policy module to allow this access - see FAQ
>(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>SELinux protection altogether. Disabling SELinux protection is not recommended.
>Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>against this package.
>
>Additional Information:
>
>Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
>Target Context                unconfined_u:unconfined_r:unconfined_t:s0
>Target Objects                None [ shm ]
>Source                        mfp
>Source Path                   /usr/lib64/cups/backend/mfp
>Port                          <Unknown>
>Host                          localhost.localdomain
>Source RPM Packages
>Target RPM Packages
>Policy RPM                    selinux-policy-3.5.13-45.fc10
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   catchall
>Host Name                     localhost.localdomain
>Platform                      Linux localhost.localdomain
>                              2.6.27.15-170.2.24.fc10.x86_64 #1 SMP Wed Feb 11
>                              23:14:31 EST 2009 x86_64 x86_64
>Alert Count                   50
>First Seen                    Thu 19 Feb 2009 11:59:51 AM EST
>Last Seen                     Fri 20 Feb 2009 03:15:21 PM EST
>Local ID                      6b1446ac-89dd-4780-8256-828773b79f16
>Line Numbers
>
>Raw Audit Messages
>
>node=localhost.localdomain type=AVC msg=audit(1235160921.297:42): avc: denied { unix_read unix_write } for pid=3333 comm="mfp" key=-324508629 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=shm
>
>node=localhost.localdomain type=SYSCALL msg=audit(1235160921.297:42): arch=c000003e syscall=29 success=yes exit=0 a0=eca8642b a1=1000 a2=3b6 a3=345376da70 items=0 ppid=2397 pid=3333 auid=4294967295 uid=4 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="mfp" exe="/usr/lib64/cups/backend/mfp" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

The following is a top snippet from 'audit2allow -a -w':

>type=AVC msg=audit(1234641266.092:80): avc: denied { mmap_zero } for pid=5017
>comm="ld-linux-x86-64" scontext=system_u:system_r:prelink_t:s0 tcontext=system_u:system_r:prelink_t:s0 tclass=memprotect
>        Was caused by:
>        Unknown - would be allowed by active policy
>        Possible mismatch between this policy and the one under which the audit message was generated.
>
>        Possible mismatch between current in-memory boolean settings vs. permanent ones.
>
>type=AVC msg=audit(1235060592.842:549): avc: denied { read write } for
>pid=18205 comm="portrelease" path="socket:[91579]" dev=sockfs ino=91579
>scontext=unconfined_u:system_r:portreserve_t:s0
>tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=unix_stream_socket
>        Was caused by:
>        Missing type enforcement (TE) allow rule.
>
>        You can use audit2allow to generate a loadable module to allow this access.

where 'audit2allow -a -m scx4725fnCupsdFix0 >> scx4725fnCupsdFix0.te' gives:

>module scx4725fnCupsdFix0 1.0;
>
>require {
>        type unconfined_t;
>        type lib_t;
>        type prelink_t;
>        type modules_conf_t;
>        type cupsd_t;
>        type modules_dep_t;
>        type insmod_exec_t;
>        type system_map_t;
>        type user_tmpfs_t;
>        type modules_object_t;
>        type portreserve_t;
>        class unix_stream_socket { read write };
>        class memprotect mmap_zero;
>        class capability sys_module;
>        class file { write getattr read lock execute execute_no_trans };
>        class shm { unix_read read write unix_write associate };
>        class dir search;
>}
>
>#============= cupsd_t ==============
>allow cupsd_t insmod_exec_t:file { read execute execute_no_trans };
>allow cupsd_t lib_t:file execute_no_trans;
>allow cupsd_t modules_conf_t:file { read getattr };
>allow cupsd_t modules_dep_t:file { read getattr };
>allow cupsd_t modules_object_t:dir search;
>allow cupsd_t modules_object_t:file { read write getattr lock };
>allow cupsd_t self:capability sys_module;
>allow cupsd_t system_map_t:file getattr;
>allow cupsd_t unconfined_t:shm { unix_read read write unix_write associate };
>allow cupsd_t unconfined_t:unix_stream_socket { read write };
>allow cupsd_t user_tmpfs_t:file { read write };
>
>#============= portreserve_t ==============
>allow portreserve_t unconfined_t:unix_stream_socket { read write };
>
>#============= prelink_t ==============
>allow prelink_t self:memprotect mmap_zero;

which goes into 'checkmodule -M -m -o scx4725fnCupsdFix0.mod scx4725fnCupsdFix0.te', which goes into 'semodule_package -o scx4725fnCupsdFix0.pp -m scx4725fnCupsdFix0.mod', which goes into 'semodule -i scx4725fnCupsdFix0.pp', which seems to fix the problem until the next kernel update?

Reproducible: Always

Steps to Reproduce:
1. install the Samsung Unified Linux Printer/Scanner driver
2. try to print but get nothing out of printer
3. set the SELinux for cupsd to permissive and print comes out (note that the multi-function-printer device scans without changes to SELinux, it's the printing that is the problem requiring tweak of SELinux)

Actual Results:
Won't print the page unless SELinux for cupsd is set permissive or unless run the audit2allow to do the ignore the access privilege problem.

Expected Results:
Expect printer to print.

Set audit2allow for now but is this the right way to do this for the long term? Will there be an updated policy package to address this or is the driver doing things the wrong way for long term plans? I can't wait for the next kernel release to see if I remember that I had to do this ;')
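An added example, not part of the bug report or of Fedora's or Samsung's tooling: before running an audit2allow-generated .te through checkmodule/semodule, a small Python check can parse its allow rules and flag the ones that would let the printing daemon load or modify kernel modules (the risk the maintainer's comment below raises). The sample input is a subset of the module quoted in this report; the list of risky rules is this example's own assumption.

```python
import re

# Subset of the audit2allow output quoted in the bug report, used as sample input.
GENERATED_TE = """\
module scx4725fnCupsdFix0 1.0;
#============= cupsd_t ==============
allow cupsd_t insmod_exec_t:file { read execute execute_no_trans };
allow cupsd_t lib_t:file execute_no_trans;
allow cupsd_t modules_object_t:file { read write getattr lock };
allow cupsd_t self:capability sys_module;
allow cupsd_t unconfined_t:shm { unix_read read write unix_write associate };
#============= prelink_t ==============
allow prelink_t self:memprotect mmap_zero;
"""

# allow <source> <target>:<class> <perm | { perms }>;
ALLOW_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")

# Assumed review list: (target type or None for any target, class, permission).
# A print daemon never needs any of these; granting them lets a compromised
# CUPS backend change the running kernel.
RISKY = [
    (None, "capability", "sys_module"),     # load kernel modules
    ("insmod_exec_t", "file", "execute"),   # run insmod/modprobe
    ("modules_object_t", "file", "write"),  # modify module files on disk
]


def parse_allow_rules(te_text):
    """Return (source, target, class, {perms}) for every allow rule."""
    rules = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line.strip())
        if not m:
            continue  # require block, comments, module header
        src, tgt, cls, perms = m.groups()
        rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return rules


def find_risky(te_text):
    """Return human-readable descriptions of rules matching RISKY."""
    findings = []
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        for r_tgt, r_cls, r_perm in RISKY:
            if cls == r_cls and r_perm in perms and r_tgt in (None, tgt):
                findings.append(f"{src} -> {tgt}:{cls} {r_perm}")
    return findings


if __name__ == "__main__":
    for f in find_risky(GENERATED_TE):
        print("REVIEW BEFORE LOADING:", f)
```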
>node=localhost.localdomain type=AVC msg=audit(1235160921.297:42): avc: denied { unix_read unix_write } for pid=3333 comm="mfp" key=-324508629 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=shm

This shows cupsd trying to communicate with a service run by a user? This seems strange. What is the mfp command?

Prelink bug is covered in other bugzillas; we are trying to figure out what is going on.

The policy snippet that you added allows cups to modify the running kernel. Looks like a cups script is loading a kernel module. This is not a good idea, since someone could trick cups into loading something into the kernel to take over the machine.

Tim, do you have any idea what is going on?
Looks like mfp is a 3rd party CUPS backend from Samsung, not something we ship.
I am just going to mark this as closed current release since most of these are fixed in the current release, and we will not fix the other problems, which should be handled by fixes in the package, which Fedora does not ship.