Bug 590577 - SELinux is preventing /bin/bash "append" access on /usr/local/Brother/fax/txreport.log.
Status: CLOSED CANTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
12
i386 Linux
low Severity medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:c5e5cf04a7a...
Reported: 2010-05-10 04:33 EDT by dweb98
Modified: 2010-07-25 20:38 EDT
Last Closed: 2010-05-24 11:05:40 EDT
Attachments
brfaxfilter for printer BRFAX has insecure permissions (101.83 KB, text/plain)
2010-07-25 20:23 EDT, dweb98
65-libsane-bk-brother-mfc-295cn-scanner-works.rules,65-libsane-original-bk.rules.html (136.09 KB, text/html)
2010-07-25 20:26 EDT, dweb98
BRFAX file locations in Krusader (341.31 KB, image/png)
2010-07-25 20:27 EDT, dweb98
65-libsane-bk-brother-mfc-295cn-scanner-works.rules (72.47 KB, application/octet-stream)
2010-07-25 20:31 EDT, dweb98
Brother-Product-Registration-Test-Sheet-Scanned.ps (10.84 MB, application/postscript)
2010-07-25 20:38 EDT, dweb98

Description dweb98 2010-05-10 04:33:18 EDT
Summary:

SELinux is preventing /bin/bash "append" access on
/usr/local/Brother/fax/txreport.log.

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/local/Brother/fax/txreport.log [ file ]
Source                        sh
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.0.35-3.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-113.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.11-99.fc12.i686 #1 SMP Mon Apr 5 16:32:08
                              EDT 2010 i686 athlon
Alert Count                   54
First Seen                    Mon 10 May 2010 03:27:36 AM CDT
Last Seen                     Mon 10 May 2010 03:31:36 AM CDT
Local ID                      7412f879-4162-4d42-ae4e-52893cd94f3b
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1273480296.32:152): avc:  denied  { append } for  pid=3692 comm="sh" name="txreport.log" dev=dm-0 ino=1720916 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1273480296.32:152): arch=40000003 syscall=5 success=no exit=-13 a0=8fe7570 a1=8401 a2=0 a3=ffffffff items=0 ppid=3625 pid=3692 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,sh,cupsd_t,bin_t,file,append
audit2allow suggests:

#============= cupsd_t ==============
allow cupsd_t bin_t:file append;
Comment 1 Daniel Walsh 2010-05-10 09:41:22 EDT
Is this a standard setup?  Can you move the log file to a better location, like under /var/log/cups?
Comment 2 dweb98 2010-05-14 15:14:30 EDT
I might be able to. But I am having such a fight with SELinux on all of my Fedora Machines. And I haven't learned how to create and add new Rules yet. I guess I'm going to have to soon. I have been just setting the machines to Permissive mode so far. But that doesn't let me install and run all the Apps that I want to. On this Box, I figured out another problem that I am fixing right now. Bug 590330 - [abrt] crash in kmplayer-0.11.2a-1.fc12: yuv444_to_yuy2_mmx: Process /usr/bin/kphononplayer was killed by signal 11 (SIGSEGV). That's my Bug report and here's what I Realized from the reply on it...

dweb98@charter.net      2010-05-11 03:25:43 EDT

(In reply to comment #2)
> This sounds like a bug in the xine-lib package. My guess is, xine-lib was
> compiled with Intel MMX instructions on i686, and your CPU can't handle this.
>
> What is your CPU? I thought all CPUs since Pentium 3 (maybe even Pentium 2)
> were capable of handling MMX. I might be wrong though.
>
> Also how reproducible is the crash on your system?   

Oh No!:O I may be in Big trouble with this Machine. I just built this one from
a Brand New Bare Bones Kit. It's an AMD Athlon 64 X2 5000. I noticed a couple
of weeks after I installed Fedora 12, that I had forgotten and used the wrong
CD for my install. All my other machines are Intel's and I just popped in the
Fedora 12 i686 CD and did the install with it. Then a couple of weeks later, I
saw my Fedora 12 x86-64 CD. I thought Oh No! What have I done. But, then I
thought... well it's running great, no warnings during the install either, so
maybe the i686 CD supports AMD's too. Guess not though... I thought there would
be big problems on a machine with the wrong Architecture installed on it. I did
this one time before and installed Fedora 12 i686 on an i586 and that thing
is all messed up and buggy. Everything crashes in it. So, I plan on
re-installing it with the i386 CD later. So, now I'm wondering... hoping. Since
I have been building up the Apps and setting up the Printer Scanner Fax for
about a Month now and I am almost done. Could I use a Kernel Upgrade install to
change to the AMD Architecture on this new Box? Or will I have to completely
start over from scratch?

I have now re-installed Fedora 12 from the x86-64 CD and am now working on getting all of my Apps installed again. Then I will test the Brother Fax App again...

Thanks,

Don
Comment 3 dweb98 2010-05-23 17:30:25 EDT
Ok, I'm back to working on this system. I was having a bad couple of weeks, not feeling well and my thinking was off. I was thinking that the Fedora 12 x86_64 CD was for the AMD Processors. Until I remembered that it is the 64 Bit OS!:O And it turns out that the 64 Bit Fedora 12 does not yet have several of the Apps and drivers that I need on this machine ready and working yet. So, I'm back working on this 32 bit System. I can't find a way to change any settings in the brfax app. So, I can't move the /usr/local/Brother/fax/txreport.log to /var/log/cups like you suggested. Looks to me like the simplest way to fix this is to generate a local policy module to allow this access. I'm trying to do this right now with the SELinux Policy Generation Tool. But when it gets to the last window and I click Apply... Nothing happens, it just sits there and gives no response nor errors. What can I do to fix this denied access problem?

Don
Comment 4 Daniel Walsh 2010-05-24 11:05:40 EDT
# semanage fcontext -a -t cupsd_log_t '/usr/local/Brother/fax/.*\.log'
# restorecon -R -v /usr/local/Brother

Should change the labels on all of the log files to be writeable by cups.
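
The reasoning behind the relabel in comment 4, as an added example (not code from the bug report or from the selinux-policy project): it parses the AVC record from the description and contrasts the rule audit2allow suggested, which as far as SELinux is concerned would let cupsd_t append to every file labelled bin_t, with relabelling the one log directory. The GENERIC_TYPES set, the WRITE_PERMS set and the LOG_TYPE_FOR_DOMAIN map are assumptions; only the cupsd_t to cupsd_log_t pairing comes from the page.

```python
import posixpath
import re

# AVC record copied verbatim from the report's "Raw Audit Messages" section.
AVC = ('node=(removed) type=AVC msg=audit(1273480296.32:152): avc:  denied  '
       '{ append } for  pid=3692 comm="sh" name="txreport.log" dev=dm-0 '
       'ino=1720916 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:bin_t:s0 tclass=file')

# Assumption (not from the page): types a file inherits from a generic system
# directory, so an allow rule on them covers far more than the one file.
GENERIC_TYPES = {"bin_t", "usr_t", "lib_t", "etc_t", "var_t", "default_t"}
WRITE_PERMS = {"append", "write", "create", "unlink", "rename", "setattr"}
# Domain -> log file type. Only the cupsd_t entry comes from the page (comment 4).
LOG_TYPE_FOR_DOMAIN = {"cupsd_t": "cupsd_log_t"}


def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None if it is not one."""
    denied = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not denied:
        return None
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return {
        "perms": denied.group(1).split(),
        "source_type": kv["scontext"].split(":")[2],
        "target_type": kv["tcontext"].split(":")[2],
        "tclass": kv["tclass"],
        "name": kv.get("name", "").strip('"'),
    }


def triage(avc, target_path):
    """Compare the audit2allow-style rule with relabelling the target file."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    rule = "allow {} {}:{} {};".format(
        avc["source_type"], avc["target_type"], avc["tclass"], perm_str)
    result = {"allow_rule": rule, "action": "review", "commands": []}
    # A daemon writing to a generically labelled file usually means the file
    # is mislabelled data, not that the daemon needs write access to the type.
    mislabeled = (avc["target_type"] in GENERIC_TYPES
                  and WRITE_PERMS & set(perms))
    new_type = LOG_TYPE_FOR_DOMAIN.get(avc["source_type"])
    if mislabeled and new_type and target_path.endswith(".log"):
        directory = posixpath.dirname(target_path)
        result["action"] = "relabel"
        # restorecon is scoped to the log directory here; the page ran it on
        # the parent /usr/local/Brother.
        result["commands"] = [
            "semanage fcontext -a -t {} '{}/.*\\.log'".format(new_type, directory),
            "restorecon -R -v {}".format(directory),
        ]
    return result


if __name__ == "__main__":
    verdict = triage(parse_avc(AVC), "/usr/local/Brother/fax/txreport.log")
    print("audit2allow would add:", verdict["allow_rule"])
    print("recommended:", verdict["action"])
    for cmd in verdict["commands"]:
        print("  #", cmd)
```
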
Comment 5 Daniel Walsh 2010-05-24 11:21:44 EDT
I will make this a default label in the next policy release.
Comment 6 dweb98 2010-05-26 17:43:02 EDT
Ok, thanks Daniel. I did this and SELinux stopped squawking. But the BRFax still just sits there and does nothing. Guess I'll have to contact their Support now.

Don
Comment 7 Daniel Walsh 2010-05-27 14:51:03 EDT
If you put the machine into permissive mode does it work?
Comment 8 dweb98 2010-05-28 21:12:31 EDT
Replied on the Site...

Nope, I tried that at the beginning of the problem. But it had no effect. I just now used the SELinux Management App to set the Current Enforcing mode to Permissive and left the System Default to Enforcing. I checked the Relabel on next reboot and Rebooted the system. But this had no effect on the brfax dialing app. The print seems successful, but the dialing app never comes up. And when I log into the CUPS Web interface, it even reports that the print job was completed. Any ideas on that?
BRFAX-101  	Fwd: [Bug 590577] SELinux is preventing /bin/bash "append" access on /usr/local/Brother/fax/txreport.log.  	Theda  	80k  	Unknown  	completed at
Fri 28 May 2010 08:03:12 PM CDT 

Don
Comment 9 Daniel Walsh 2010-06-01 10:51:24 EDT
If this does not work when SELinux is in permissive mode, then it is most likely NOT an SELinux issue.  I don't think I can help you.  The append problem can be fixed by changing the label of the log file as described above.  I guess you need to contact Brother?
Comment 10 dweb98 2010-07-25 20:17:58 EDT
Finally, I got brpcfax working!:) First off, I Reformatted the HD and installed Fedora 13. Still, had the same problems as with Fedora 12. But I knew the steps to go through to fix brpcfax. Not necessarily in this order though...

For Brother MFC-295CN Printer Scanner Fax Machine. After installing all of the Brother Drivers and Apps, my scanner still didn't work. I found this on the Brother Support Site along with the drivers and apps (that is where I downloaded them all and installed them from the RPM's). Later I saw them listed in Add/Remove Programs too. But I didn't see them in the list until after I did the manual downloads and installs. There are other Distros shown there too. It worked for me. The info is at...
    http://welcome.solutions.brother.com/bsc/public_s/id/linux/en/instruction_scn1c.html#f12


Fedora 12 and 13 to make the Scanner Work...
    1. Open "/lib/udev/rules.d/65-libsane.rules"
    2. Add the following 2 lines at the last of the device entry. (just before "# The following rule...").

    # Brother
       ATTR{idVendor}=="04f9", ENV{libsane_matched}="yes"

    3. Restart the OS.

Brother's Driver Pages

Brother MFC-295CN Printer Scanner Fax Linux Drivers
    Brother Solutions Center : Brother Driver for Linux Distributions 


To make BRPCFAX Work...
1. I made sure that the Printer and Fax setup on my computer were ok from these instructions on the Brother BRFAX Setup info from web site...

    4-5. Check status of the LPR driver and cupswrapper driver

        Command (for dpkg): dpkg -l | grep Brother
        Command (for rpm): rpm -qa | grep -e brmfcfaxlpd-1.0.0-1.i386.rpm -e brmfcfaxcups-1.0.0-1.i386.rpm
        Example(for dpkg) | Example(for rpm)

Step 5a. (USB Connection) Check your fax device on the CUPS web interface
    5a-1. Open a web browser and go to "http://localhost:631/printers". 
    5a-2. Click "Modify Printer" of "BRFAX" and set following parameters.

    - Your PC-FAX device 	     	for Device Selection
    - Brother 	     	for Make/Manufacturer Selection
    - Brother BRMFCFAX for CUPS(en) 	     	for Model/Driver Selection
        Device URI is supposed to be "usb://Brother/(your printer's model name)"
        Example of a USB PC-FAX entry


Step 6. Try a test fax. Without the () I used the Brother Registration Fax number here. If it works right, you will get a Fax Call Back in just a few minutes. I did the second time, any way, but nothing called back even though the fax reported to go through, the first time I used direct dial on the machine itself...

        Command: brpcfax -o fax-number=18772689575 (your .ps file)
        Example
        Available file format: .ps

http://welcome.solutions.brother.com/bsc/public_s/id/linux/en/instruction_pcf1a.html

2. I ran these commands from... Daniel Walsh 2010-05-24 11:05:40 EDT

# semanage fcontext -a -t cupsd_log_t '/usr/local/Brother/fax/.*\.log'
# restorecon -R -v /usr/local/Brother

Should change the labels on all of the log files to be writeable by cups.   

3. I went to follow these instructions again on the new Fedora 13 system. When by sheer accident I noticed that I didn't need to change mine at all. I accidentally double clicked on the /usr/bin/brpcfax file when I was trying to right click and open it to edit the file. Well... the brpcfax Dialer Opened up! So, I decided that there was no fix needed here. I figure that I must have installed Java Jre before the Brother Drivers and that is why mine is working now. But, I'm not sure and can't remember what I did first on the Fedora 12 System either.
# Set up Brother PC-FAX interface
    1. Install sun-java and check the full path of the sun-java's path

    Example : /usr/lib/jvm/java-6-sun/bin/java (sun-java6-jre with Ubuntu 8.04)

    2. Edit "/usr/bin/brpcfax" script

    Edit the java's path in the following line in "/usr/bin/brpcfax"
    *** the line is located around 37th line in the file.

    Before the edit;
    extarg="'java -jar /usr/local/Brother/fax/brmfcfax.jar 2>/dev/null'"

    After the edit;
    extarg="'/usr/lib/jvm/java-6-sun/bin/java -jar /usr/local/Brother/fax/brmfcfax.jar 2>/dev/null'"
          

    3. Run Brother PC-FAX interface

    Command: brpcfax (file name)

Go there...
http://welcome.solutions.brother.com/bsc/public_s/id/linux/en/instruction_pcf2.html

4. I still had one more problem. Still getting errors when I tried to use the BRFAX Printer from the Printer Menu. I kept getting this error...
 Filter "/usr/lib/cups/filter/brfaxfilter" for printer "BRFAX" has insecure permissions (0100777)'],
 'error_log_debug_logging_unset': True}
Page 12 (Printer state reasons):
{'printer-state-message': u'Filter "/usr/lib/cups/filter/brfaxfilter" for printer "BRFAX" has insecure permissions (0100777)',
 'printer-state-reasons': [u'cups-insecure-filter-warning']}

So, I went to the file in Krusader, in root mode, and changed the file permissions from all read write execute, to only allowing viewing to others. This stopped the error message and now if you try to print with BRFAX it says it goes through ok. Which I think is helpful in the whole Faxing Process. Still, I kept forgetting that this is not how you send a fax with brpcfax. What you have to do is, Print the file by using "Print to File". This will convert and save your file to a .ps Image file, (Note, the file Can Not have any Spaces in the file Name or it will not work in the Terminal or by opening the file with brpcfax in Krusader. Probably, in no file manager either). Then open the .ps file with brpcfax. This will open up the Dialing Program. From there, just put in the Fax Recipient's Telephone number and hit Send. It took a lot of Research on the Web and the Brother Web site to figure all of this out. And they never answered my request for help on their Support Page at... https://secure6.brother.co.jp/LinuxContactUs/contact/Linuxform.html It's been over 2 months since I sent in a detailed Support Request! So, I'm posting all this in hopes of helping others from going through all of this trouble again with the Brother MFC-295CN Printer Scanner Fax Machine. I will attach my files that show these changes to this Bug Report too.


Here's how to Send a Fax with brpcfax...
I cannot find the section to enter the BRFAX command in my application.


After the driver installation, you will have a printer called "BRFAX." This printer is NOT used to print faxes directly. Instead, this printer is used by the " brpcfax" utility.
To actually send a fax, you must use the "brpcfax" utility to process your print jobs. Some programs (like the old Mozilla default installation) allow you to specify the print program, in which case you can specify "brpcfax" (in place of lpr for example).
This is NOT possible with most current applications including Firefox and Openoffice as distributed in popular distributions including SuSE 10.1.

To print to fax with SuSE 10.1, for example:
1)Use "Print to file" from your application to generate a postscript file.
2) Right-click the file and select "Open with" using the executable "SendAsFax"
command configured below.

Configure konqueror to have an option to Open postscript files with brpcfax

1. Open Konqueror.
2. Select "Settings" -> "Configure Konqueror".
3. Click "File Associations".
4. Type "ps" in the search box and select "Application" -> "Postscript" from
the list below.
5. Click "add" and type "brpcfax" then click OK.
6. Click the new "brpcfax" option and click "Edit".
7. Select the "Application" tab.
8. For the "Command:" line, enter: brpcfax -P BRFAX -o Paper=Letter
9. For the "Name:' enter: SendAsFax
10. Click OK to save

Read more...
http://solutions.brother.com/linux/sol/printer/linux/linux_faq-3.html#4

What I do is, Print the file by using "Print to File". This will convert and save your file to a .ps Image file, (Note, the file Can Not have any Spaces in the file Name or it will not work in the Terminal or by opening the file with brpcfax in Krusader. Probably, in no file manager either). Then open the .ps file with brpcfax. I set my Krusader to open a .ps file by default and I will do the same with other file managers on this system. This will open up the Dialing Program when you click on any .ps file. From there, just put in the Fax Recipient's Telephone number and hit Send.

Here's what I got when I registered online. I never tried to call them and I never tried to contact them again. Hope you have better luck...
Your Products
Brother MFC-295CN
Product
Warranty
Product Warranty
MFC-295CN
Color Inkjet All-in-One with Fax and Networking
Need to register a model?
Support Options for your:  MFC-295CN
Supply/Accessory Information
Frequently Asked Questions
Drivers and Software
Manuals and Guides
Material Safety Data Sheets
Visit our Support Center
Find your closest Authorized Service Center

Contact Us
Email
Please visit our "Ask Us" online email support system.
Mail
Brother International Corporation
7777 North Brother Blvd.
Bartlett, Tennessee 38133
Phone
For Multi-Function Center® (MFC and DCP series) Support, please call:
1-877-BROTHER (877-276-8437)
901-379-1215 (fax)
M-F, 9:00am to 8:00pm Eastern Time
Top 5 Setup Questions for your machine
1. What is Distinctive Ring and how do I program it?
2. How can I change the paper size, paper type and print size settings when using the PhotoCapture Center™?
3. I cannot locate the Print & Fax. Where is this found? Also how do I add my Brother machine as a printer using Mac OS® X 10.5?
4. How do I set up an answering machine (TAD) to work on the same line as my Brother machine?
5. When I load the Brother software, the installation will not continue past the instruction to connect the USB cable to the computer. What can I do?

 
For additional assistance with Setup, view our Quick Setup Guide
Top 5 Operational Questions for your machine
1. How do I configure or change the settings of the ControlCenter 2 or 3 scanning options?
2. I am using Voice Over Internet Protocol (VoIP) and I'm having problems receiving faxes. What can I do?
3. I'm using Windows®. The network scanning feature was working after I installed the driver but no longer works. What can I do?
4. One or more of my colors are not printing (blank). What can I do?
5. Caller ID information is not being displayed on my Brother machine. What can I do?
6. I'm using Windows Vista® and trying to use a network connected Brother machine, but the machine stays offline and I cannot print. What should I do?

View all Frequently Asked Questions for your model
Manage Your Account
View or Update your account profile and password
Sign up for email updates


Orders
Place an Order
The account that you have created with Brother-USA.com can be used to purchase Supplies & Accessories on our Brothermall site.
Visit Brothermall.com


http://www.brother-usa.com/myaccount/welcome.aspx?AccountType=newreg&R3ModelID=MFC295CN&BPGUID=4BDE99F9020964E5E1000000CD8620B8

If you need more details, download the files I uploaded.

Hope this all helps...

Don
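
The "insecure permissions (0100777)" warning from item 4 of the comment above, decoded as an added example (not code from the bug report, CUPS or Brother): the number is the file's octal st_mode, and the script names the offending bits and the mode that clears them. It assumes the rule being enforced is "owned by root, not writable by group or others, not setuid"; the function names are hypothetical.

```python
import os
import re
import stat

# Message copied from comment 10 of the report.
CUPS_MSG = ('Filter "/usr/lib/cups/filter/brfaxfilter" for printer "BRFAX" '
            'has insecure permissions (0100777)')

# Assumption: bits treated as unsafe on a program the scheduler executes.
UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH | stat.S_ISUID


def parse_insecure_filter(msg):
    """Pull path, printer and octal st_mode out of the CUPS warning."""
    m = re.search(r'Filter "([^"]+)" for printer "([^"]+)" has insecure '
                  r'permissions \((0[0-7]+)', msg)
    if not m:
        return None
    return {"path": m.group(1), "printer": m.group(2),
            "st_mode": int(m.group(3), 8)}


def audit_mode(st_mode, uid=0):
    """Return (findings, safe_mode) for a filter's st_mode and owner uid."""
    findings = []
    if uid != 0:
        findings.append("not owned by root")
    if st_mode & stat.S_IWGRP:
        findings.append("group-writable")
    if st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st_mode & stat.S_ISUID:
        findings.append("setuid")
    # Keep every permission bit except the unsafe ones (0777 becomes 0755).
    return findings, stat.S_IMODE(st_mode) & ~UNSAFE_BITS


def scan_filters(directory):
    """Audit every regular file in a filter directory on the live system."""
    report = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        findings, safe = audit_mode(st.st_mode, st.st_uid)
        if findings:
            report.append((path, findings,
                           "chmod {:04o} {}".format(safe, path)))
    return report


if __name__ == "__main__":
    info = parse_insecure_filter(CUPS_MSG)
    findings, safe = audit_mode(info["st_mode"])
    print(info["path"], findings, "-> chmod {:04o}".format(safe))
```
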
Comment 11 dweb98 2010-07-25 20:23:50 EDT
Created attachment 434306 [details]
brfaxfilter for printer BRFAX has insecure permissions

If you need more details, download the files I uploaded.
Comment 12 dweb98 2010-07-25 20:26:20 EDT
Created attachment 434307 [details]
65-libsane-bk-brother-mfc-295cn-scanner-works.rules,65-libsane-original-bk.rules.html

Sending files: 65-libsane-bk-brother-mfc-295cn-scanner-works.rules,65-libsane-original-bk.rules.html
Comment 13 dweb98 2010-07-25 20:27:43 EDT
Created attachment 434308 [details]
BRFAX file locations in Krusader

BRFAX file locations in Krusader
Comment 14 dweb98 2010-07-25 20:31:06 EDT
Created attachment 434309 [details]
65-libsane-bk-brother-mfc-295cn-scanner-works.rules

65-libsane-bk-brother-mfc-295cn-scanner-works.rules This is the file I renamed and used to fix the Scanner function. I had saved it from my Fedora 12 install that I had working.
Comment 15 dweb98 2010-07-25 20:38:25 EDT
Created attachment 434310 [details]
Brother-Product-Registration-Test-Sheet-Scanned.ps

Brother-Product-Registration-Test-Sheet-Scanned.ps This is a working .ps file. I scanned it and then used Print to File to make a .ps file. If you want to see the file. Gimp will Import it and let you edit the file too. 

Don
