This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 509087 - SELinux is preventing gs (cupsd_t) "execstack" cupsd_t.
SELinux is preventing gs (cupsd_t) "execstack" cupsd_t.
Status: CLOSED WORKSFORME
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
11
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-01 05:24 EDT by Hai Au Bui
Modified: 2009-08-21 17:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-08-21 17:38:55 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Hai Au Bui 2009-07-01 05:24:42 EDT
Description of problem:
I conneted to a Windows network printer Canon LBP3300. When I tried to print a test page, the message appeared: "SELinux is preventing gs (cupsd_t) "execstack" cupsd_t" and the test page could not be printed.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Source Context:  system_u:system_r:cupsd_t:s0-s0:c0.c1023Target Context:  system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Objects:  None [ process ]
Source:  gs
Source Path:  /usr/bin/gs
Port:  <Unknown>
Host:  vatlyhatnhan
Source RPM Packages:  ghostscript-8.64-6.fc11
Target RPM Packages:  
Policy RPM:  selinux-policy-3.6.12-39.fc11Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  vatlyhatnhan
Platform:  Linux vatlyhatnhan 2.6.29.5-191.fc11.i586 #1 SMP Tue Jun 16 23:11:39 EDT 2009 i686 i686
Alert Count:  20
First Seen:  Wed 01 Jul 2009 02:43:14 PM ICT
Last Seen:  Wed 01 Jul 2009 03:45:46 PM ICT
Local ID:  7f34632d-bccf-47f6-ad76-0ac6d4e1f4d4
Comment 1 Daniel Walsh 2009-07-01 09:05:35 EDT
Did you install some third party software to make this work?

Look for a library marked execstack

# find / -exec execstack -q {} \; 2> /dev/null | grep ^X

You can add this for now if you just want the print job to work by adding custom policy 

# grep cupsd /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp

execstack is considered fairly dangerous, it is explained here.

http://people.redhat.com/~drepper/selinux-mem.html
Comment 2 Hai Au Bui 2009-07-01 22:33:33 EDT
Thank you very much. It works now like a charm.
Comment 3 Daniel Walsh 2009-07-05 22:06:29 EDT
What did you do, just add the policy or did you find the library with the execstack flag?
Comment 4 Hai Au Bui 2009-07-06 00:08:57 EDT
I just added a new policy and everything worked.I don't understand about the library marked execstack.
Comment 5 Daniel Walsh 2009-07-06 13:50:49 EDT
Can you just run this command to look for execstack libraries on your system

# find / -exec execstack -q {} \; 2> /dev/null | grep ^X

Note You need to log in before you can comment on or make changes to this bug.