Bug 541379 - SELinux is preventing cupsd (cupsd_t) "execute" to /usr/lib/cups/filter/rastertosamsungspl (user_home_t).
Summary: SELinux is preventing cupsd (cupsd_t) "execute" to /usr/lib/cups/filter/raste...
Keywords:
Status: CLOSED DUPLICATE of bug 538428
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:a76415a5f5b...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-25 18:10 UTC by Maupertuis Quentin
Modified: 2009-11-25 19:04 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-11-25 19:04:11 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Maupertuis Quentin 2009-11-25 18:10:01 UTC 
Résumé:

SELinux is preventing cupsd (cupsd_t) "execute" to
/usr/lib/cups/filter/rastertosamsungspl (user_home_t).

Description détaillée:

SELinux denied access requested by cupsd.
/usr/lib/cups/filter/rastertosamsungspl may be a mislabeled.
/usr/lib/cups/filter/rastertosamsungspl default SELinux type is bin_t, but its
current type is user_home_t. Changing this file back to the default type, may
fix your problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent
    directory by default.
  * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creates a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or
    restorecon.

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Autoriser l'accès:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/usr/lib/cups/filter/rastertosamsungspl', if
this file is a directory, you can recursively restore using restorecon -R
'/usr/lib/cups/filter/rastertosamsungspl'.

Commande de correction:

restorecon '/usr/lib/cups/filter/rastertosamsungspl'

Informations complémentaires:

Contexte source               system_u:system_r:cupsd_t:s0-s0:c0.c1023
Contexte cible                unconfined_u:object_r:user_home_t:s0
Objets du contexte            /usr/lib/cups/filter/rastertosamsungspl [ file ]
source                        cupsd
Chemin de la source           /usr/sbin/cupsd
Port                          <Inconnu>
Hôte                         (removed)
Paquetages RPM source         cups-1.4.1-4.fc11
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.12-85.fc11
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 restorecon
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.30.9-90.fc11.i686.PAE #1 SMP Sat
                              Oct 17 11:24:32 EDT 2009 i686 i686
Compteur d'alertes            1
Première alerte              mar. 03 nov. 2009 10:09:59 CET
Dernière alerte              mar. 03 nov. 2009 10:09:59 CET
ID local                      e069c020-f50a-45bd-b993-f85d9c10482a
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1257239399.51:150): avc:  denied  { execute } for  pid=3055 comm="cupsd" name="rastertosamsungspl" dev=sda5 ino=125199 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1257239399.51:150): arch=40000003 syscall=11 success=no exit=-13 a0=bfcea396 a1=2280938 a2=bfce8c9c a3=bfcea396 items=0 ppid=1648 pid=3055 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.12-85.fc11,restorecon,cupsd,cupsd_t,user_home_t,file,execute
audit2allow suggests:

#============= cupsd_t ==============
allow cupsd_t user_home_t:file execute;
Comment 1 Maupertuis Quentin 2009-11-25 18:23:53 UTC 
Hello,

These alert seems to say that the file is labelled "user_home_t"

/usr/lib/cups/filter/rastertosamsungspl default SELinux type is bin_t, but its
current type is user_home_t

but :

ls -lZ /usr/lib/cups/filter/rastertosamsungspl

returns:

-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/lib/cups/filter/rastertosamsungspl*


The alert appears when i try to use my samsung scx-4200 as a scan. The applications (samsung's application or scanimage ) cant find the scan then.
I use the samsung's official driver.

I hope something in these report could be helpful.


PS: I'm very sorry for my English... :)
Comment 2 Daniel Walsh 2009-11-25 19:04:11 UTC 
The AVC is for an F11 policy.  Which has been updated. So you are reporting an old bug that has been cleaned up in F12.

*** This bug has been marked as a duplicate of bug 538428 ***
Note You need to log in before you can comment on or make changes to this bug.