Summary: SELinux is preventing /bin/bash "append" access on /usr/local/Brother/fax/txreport.log. Detailed Description: SELinux denied access requested by sh. It is not expected that this access is required by sh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context system_u:object_r:bin_t:s0 Target Objects /usr/local/Brother/fax/txreport.log [ file ] Source sh Source Path /bin/bash Port <Unknown> Host (removed) Source RPM Packages bash-4.0.35-3.fc12 Target RPM Packages Policy RPM selinux-policy-3.6.32-113.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name (removed) Platform Linux (removed) 2.6.32.11-99.fc12.i686 #1 SMP Mon Apr 5 16:32:08 EDT 2010 i686 athlon Alert Count 54 First Seen Mon 10 May 2010 03:27:36 AM CDT Last Seen Mon 10 May 2010 03:31:36 AM CDT Local ID 7412f879-4162-4d42-ae4e-52893cd94f3b Line Numbers Raw Audit Messages node=(removed) type=AVC msg=audit(1273480296.32:152): avc: denied { append } for pid=3692 comm="sh" name="txreport.log" dev=dm-0 ino=1720916 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file node=(removed) type=SYSCALL msg=audit(1273480296.32:152): arch=40000003 syscall=5 success=no exit=-13 a0=8fe7570 a1=8401 a2=0 a3=ffffffff items=0 ppid=3625 pid=3692 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) Hash String generated from catchall,sh,cupsd_t,bin_t,file,append audit2allow suggests: #============= cupsd_t ============== allow cupsd_t bin_t:file append;
Is this a standard setup? Can you move the log file to a better location, like under /var/log/cups?
I might be able to. But I am having such a fight with SELinux on all of my Fedora Machines. And I haven't learned how to create and add new Rules yet. I guess I'm going to have to soon. I have been just setting the machines to Permisive mode so far. But that doesn't let me install and run all the Apps that I want to. On this Box, I figured out another problem that I am fixing right now. Bug 590330 - [abrt] crash in kmplayer-0.11.2a-1.fc12: yuv444_to_yuy2_mmx: Process /usr/bin/kphononplayer was killed by signal 11 (SIGSEGV). That's my Bug report and here's what I Realized from the reply on it... dweb98 2010-05-11 03:25:43 EDT (In reply to comment #2) > This sounds like a bug in the xine-lib package. My guess is, xine-lib was > compiled with Intel MMX instructions on i686, and your CPU can't handle this. > > What is your CPU? I thought all CPUs since Pentium 3 (maybe even Pentium 2) > were capable of handling MMX. I might be wrong though. > > Also how reproducible is the crash on your system? Oh No!:O I may be in Big trouble with this Machine. I just built this one from a Brand New Bared Bones Kit. It's an AMD Athlon 64 X2 5000. I noticed a couple of weeks after I installed Fedora 12, that I had forgotten and used the wrong CD for my install. All my other machines are Intel's and I just popped in the Fedora 12 i686 CD and did the install with it. Then a couple of weeks later, I saw my Fedora 12 x86-64 CD. I thought Oh No! What have I done. But, then I thought... well it's running great, no warnings during the install either, so maybe the i686 CD supports AMD's too. Guess not though... I thought there would be big problems on a machine with the wrong Architecture installed on it. I did this one time before and installed Fedora 12 i686 on a an i586 and that thing is all messed up and buggy. Everything crashes in it. So, I plan on re-installing it with the i386 CD later. So, now I'm wondering... hoping. Since I have been building up the Apps and setting up the Printer Scanner Fax for about a Month now and I am almost done. Could I use a Kernel Upgrade install to change to the AMD Architecture on this new Box? Or will I have to completely start over from scratch? I have now re-installed Fedora 12 from the x86-64 CD and am now working on getting all of my Apps installed again. Then I will test the Brother Fax App again... Thanks, Don
Ok, I'm back to working on this system. I was having a bad couple of weeks, not feeling well and my thinking was off. I was thinking that the Fedora 12 x86_64 CD was for the AMD Processors. Until I remembered that it is the 64 Bit OS!:O And it turns out that the 64 Bit Fedora 12 does not yet have several of the Apps and drivers that I need on this machine ready and working yet. So, I'm back working on this 32 bit System. I can't find a way to change any settings in the brfax app. So, I can't move the /usr/local/Brother/fax/txreport.log to /var/log/cups like you suggested. Looks to me like the simplest way to fix this is to generate a local policy module to allow this access. I'm trying to do this right now with the SELinux Policy Generation Tool. But when it gets to the last window and I click Apply... Nothing happens, it just sets there and gives no response nor errors. What can I do to fix this denied access problem? Don
# semanage fcontext -a -t cupsd_log_t '/usr/local/Brother/fax/.*\.log' # restorecon -R -v /usr/local/Brother Should change the labels on all of the log files to be writeable by cups.
I will make this a default label in the next policy release.
Ok, thanks Daniel. I did this and SELinux stopped squaking. But the BRFax still just sits there and does nothing. Guess I'll have to contact their Support now. ' Don
If you put the machine into permissive mode does it work?
Replied on the Site... Nope, I tried that at the beginning of the problem. But it had no effect. I just now used the SELinux Management App to set the Current Enforcing mode to Permissive and left the System Default to Enforcing. I checked the Relabel on next reboot and Rebooted the system. But this had no effect on the the brfax dialing app. The print seems successful, but the dialing app never comes up. And when I log into the CUPS Web interface, it even reports that the print job was completed. Any ideas on that? BRFAX-101 Fwd: [Bug 590577] SELinux is preventing /bin/bash "append" access on /usr/local/Brother/fax/txreport.log. Theda 80k Unknown completed at Fri 28 May 2010 08:03:12 PM CDT Don
If this does not work when SELinux is in permissive mode, then it is most likely NOT and SELinux issue. I don't think I can help you. THe append problem can be fixed by changing the label of the log file as described above. I guess you need to contact Brother?
Finally, I got brpcfax working!:) First off, I Reformatted the HD and installed Fedora 13. Still, had the same problems as with Fedora 12. But I knew the steps to go through to fix brpcfax. Not necessarily in this order though... For Brother MFC-295CN Printer Scanner Fax Machine. After installing all of the Brother Drivers and Apps, my scanner still didn't work. I found this on the Brother Support Site along with the drivers and apps (that is where I downloaded them all and installed them from the RPM's). Later I saw them listed in in Add/Remove Programs too. But I didn't see them in the list until after I did the manual downloads and installs. There are other Distros shown there too. It worked for me. The info is at... http://welcome.solutions.brother.com/bsc/public_s/id/linux/en/instruction_scn1c.html#f12 Fedora 12 and 13 to make the Scanner Work... 1. Open"/lib/udev/rules.d/65-libsane.rules" 2. Add the following 2 lines at the last of the device entry. (just before "# The following rule..."). # Brother ATTR{idVendor}=="04f9", ENV{libsane_matched}="yes" 3. Restart the OS. Brother's Driver Pages Brother MFC-295CN Printer Scanner Fax Linux Drivers Brother Solutions Center : Brother Driver for Linux Distributions Brother Solutions Center : Brother Driver for Linux Distributions Brother Solutions Center : Brother Driver for Linux Distributions Brother Solutions Center : Brother Driver for Linux Distributions Brother Solutions Center : Brother Driver for Linux Distributions To make BRPCFAX Work... 1. I made sure that the Printer and Fax setup on my computer were ok from these instructions on the Brother BRFAX Setup info from web site... 4-5. Check status of the LPR driver and cupswrapper driver Command (for dpkg): dpkg -l | grep Brother Command (for rpm): rpm -qa | grep -e brmfcfaxlpd-1.0.0-1.i386.rpm -e brmfcfaxcups-1.0.0-1.i386.rpm Example(for dpkg) | Example(for rpm) Step 5a. (USB Connection) Check your fax device on the CUPS web interface 5a-1. Open a web browser and go to "http://localhost:631/printers". 5a-2. Click "Modify Printer" of "BRFAX" and set following parameters. - Your PC-FAX device for Device Selection - Brother for Make/Manufacturer Selection - Brother BRMFCFAX for CUPS(en) for Model/Driver Selection Device URI is supposed to be "usb://Brother/(your printer's model name)" Example of a USB PC-FAX entry Step 6. Try a test fax. Without the () I used the Brother Registration Fax number here. If it works right, you will get a Fax Call Back in just a few minutes. I did the second time, any way, but nothing called back even though the fax reported to go through, the first time I used direct dial on the machine it's self... Command: brpcfax -o fax-number=18772689575 (your .ps file) Example Available file format: .ps http://welcome.solutions.brother.com/bsc/public_s/id/linux/en/instruction_pcf1a.html 2. I ran these commands from... Daniel Walsh 2010-05-24 11:05:40 EDT # semanage fcontext -a -t cupsd_log_t '/usr/local/Brother/fax/.*\.log' # restorecon -R -v /usr/local/Brother Should change the labels on all of the log files to be writeable by cups. 3. I went to follow these instructions again on the new Fedora 13 system. When by shear accident I noticed that I didn't need to change mine at all. I accidentally double clicked on the /usr/bin/brpcfax file when I was trying to right click and open it to edit the file. Well... the brpcfax Dialer Opened up! So, I decided that there was no fix needed here. I figure that I must have installed Java Jre before the Brother Drivers and that is why mine is working now. But, I'm not sure and can't remember what I did first on the Fedora 12 System either. # Set up Brother PC-FAX interface 1. Install sun-java and check the full path of the sun-java's path Example : /usr/lib/jvm/java-6-sun/bin/java (sun-java6-jre with Ubuntu 8.04) 2. Edit "/usr/bin/brpcfax" script Edit the java's path in the following line in "/usr/bin/brpcfax" *** the line is located around 37th line in the file. Before the edit; extarg="'java -jar /usr/local/Brother/fax/brmfcfax.jar 2>/dev/null'" After the edit; extarg="'/usr/lib/jvm/java-6-sun/bin/java -jar /usr/local/Brother/fax/brmfcfax.jar 2>/dev/null'" 3. Run Brother PC-FAX interface Command : brpcfax (file name) Go there... http://welcome.solutions.brother.com/bsc/public_s/id/linux/en/instruction_pcf2.html 4. I still had one more problem. Still getting errors when I tried to use the BRFAX Printer from the Printer Menu. I kept getting this error... Filter "/usr/lib/cups/filter/brfaxfilter" for printer "BRFAX" has insecure permissions (0100777)'], 'error_log_debug_logging_unset': True} Page 12 (Printer state reasons): {'printer-state-message': u'Filter "/usr/lib/cups/filter/brfaxfilter" for printer "BRFAX" has insecure permissions (0100777)', 'printer-state-reasons': [u'cups-insecure-filter-warning']} So, I went to the file in Krusader, in root mode. and changed the file permissions from all read write execute, to only allowing viewing to others. This stopped the error message and now if you try to print with BRFAX it says it goes through ok. Which I think is helpful in the whole Faxing Process. Still, I kept forgetting that this is not how you send a fix with brpcfax. What you have to do is, Print the file by using "Print to File". This will convert and save your file to a .ps Image file, (Note, the file Can Not have any Spaces in the file Name or it will not work in the Terminal or by opening the file with brpcfax in Krusader. Probably, in no file manager ether). Then open the .ps file with brpcfax. This will open up the Dialing Program. From there, just put in the Fax Recipients Telephone number and hit Send. It took allot of Research on the Web and the Brother Web site to figure all of this out. And the never answered my request tor help on there Support Page at... https://secure6.brother.co.jp/LinuxContactUs/contact/Linuxform.html It's been over 2 months since I sent in a detailed Support Request! So, I'm posting all this in hopes of helping others from going through all of this trouble again with the Brother MFC-295CN Printer Scanner Fax Machine. I will attache my files that show these changes to this But Report too. Here's how to Send a Fax with brpcfax... I cannot find the section to enter the BRFAX command in my application. After the driver installation, you will have a printer called "BRFAX." This printer is NOT used to print faxes directly. Instead, this printer is used by the " brpcfax" utility. To actually send a fax, you must use the "brpcfax" utility to process your print jobs. Some programs (like the old Mozilla default installation) allow you to specify the print program, in which case you can specify "brpcfax" (in place of lpr for example). This is NOT possible with most current applications including Firefox and Openoffice as distributed in popular distributions including SuSE 10.1. To print to fax with SuSE 10.1, for example: 1)Use "Print to file" from your application to generate a postscript file. 2) Right-click the file and select "Open with" using the executable "SendAsFax" command configured below. Configure konqueror to have an option to Open postscript files with brpcfax 1. Open Konqueror. 2. Select "Settings" -> "Configure Konqueror". 3. Click "File Associations". 4. Type "ps" in the search box and select "Application" -> "Postscript" from the list below. 5. Click "add" and type "brpcfax" then click OK. 6. Click the new "brpcfax" option and click "Edit". 7. Select the "Application" tab. 8. For the "Command:" line, enter: brpcfax -P BRFAX -o Paper=Letter 9. For the "Name:' enter: SendAsFax 10. Click OK to save Read more... http://solutions.brother.com/linux/sol/printer/linux/linux_faq-3.html#4 What I do is, Print the file by using "Print to File". This will convert and save your file to a .ps Image file, (Note, the file Can Not have any Spaces in the file Name or it will not work in the Terminal or by opening the file with brpcfax in Krusader. Probably, in no file manager ether). Then open the .ps file with brpcfax. I set my Krusader to open a .ps file by default and I will do the same with other file managers on this system. This will open up the Dialing Program when you click on any .ps file. From there, just put in the Fax Recipients Telephone number and hit Send. Here's what I got when I registered online. I never tried to call them and I never tried to contact them again. Hope you have better luck... Your Products Brother MFC-295CN Product Warranty Product Warranty MFC-295CN Color Inkjet All-in-One with Fax and Networking Need to register a model? Support Options for your: MFC-295CN Supply/Accessory Information Frequently Asked Questions Drivers and Software Manuals and Guides Material Safety Data Sheets Visit our Support Center Find your closest Authorized Service Center Contact Us Email Please visit our "Ask Us" online email support system. Mail Brother International Corporation 7777 North Brother Blvd. Bartlett, Tennessee 38133 Phone For Multi-Function Center® (MFC and DCP series) Support, please call: 1-877-BROTHER (877-276-8437) 901-379-1215 (fax) M-F, 9:00am to 8:00pm Eastern Time Top 5 Setup Questions for your machine 1. What is Distinctive Ring and how do I program it? 2. How can I change the paper size, paper type and print size settings when using the PhotoCapture Center™? 3. I cannot locate the Print & Fax. Where is this found? Also how do I add my Brother machine as a printer using Mac OS® X 10.5? 4. How do I set up an answering machine (TAD) to work on the same line as my Brother machine? 5. When I load the Brother software, the installation will not continue past the instruction to connect the USB cable to the computer. What can I do? For additional assistance with Setup, view our Quick Setup Guide Top 5 Operational Questions for your machine 1. How do I configure or change the settings of the ControlCenter 2 or 3 scanning options? 2. I am using Voice Over Internet Protocol (VoIP) and I'm having problems receiving faxes. What can I do? 3. I'm using Windows®. The network scanning feature was working after I installed the driver but no longer works. What can I do? 4. One or more of my colors are not printing (blank). What can I do? 5. Caller ID information is not being displayed on my Brother machine. What can I do? 6. I'm using Windows Vista® and trying to use a network connected Brother machine, but the machine stays offline and I cannot print. What should I do? View all Frequently Asked Questions for your model Manage Your Account View or Update your account profile and password Sign up for email updates Orders Place an Order The account that you have created with Brother-USA.com can be used to purchase Supplies & Accessories on our Brothermall site. Visit Brothermall.com http://www.brother-usa.com/myaccount/welcome.aspx?AccountType=newreg&R3ModelID=MFC295CN&BPGUID=4BDE99F9020964E5E1000000CD8620B8 If you need more details, download the files I uploaded. Hope this all helps... Don
Created attachment 434306 [details] brfaxfilter for printer BRFAX has insecure permissions If you need more details, download the files I uploaded.
Created attachment 434307 [details] 65-libsane-bk-brother-mfc-295cn-scanner-works.rules,65-libsane-original-bk.rules.html Sending files: 65-libsane-bk-brother-mfc-295cn-scanner-works.rules,65-libsane-original-bk.rules.html
Created attachment 434308 [details] BRFAX file locations in Krusader BRFAX file locations in Krusader
Created attachment 434309 [details] 65-libsane-bk-brother-mfc-295cn-scanner-works.rules 65-libsane-bk-brother-mfc-295cn-scanner-works.rules This is the file I renamed and used to fix the Scanner function. I had saved it from my Fedora 12 install that I had working.
Created attachment 434310 [details] Brother-Product-Registration-Test-Sheet-Scanned.ps Brother-Product-Registration-Test-Sheet-Scanned.ps This is a working .ps file. I scanned it and then used Print to File to make a .ps file. If you want to see the file. Gimp will Import it and let you edit the file too. Don