Bug 592089 - SELinux is preventing /usr/lib/cups/backend/mfp "getattr" access to device /dev/mfpports/probe.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386 Linux
Priority: low
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:173a8df32f4...
Reported: 2010-05-13 15:59 EDT by Simon
Modified: 2011-10-18 03:17 EDT (History)
Doc Type: Bug Fix
Last Closed: 2010-11-03 09:52:35 EDT
Description Simon 2010-05-13 15:59:41 EDT
Summary:

SELinux is preventing /usr/lib/cups/backend/mfp "getattr" access to device
/dev/mfpports/probe.

Detailed Description:

SELinux has denied mfp "getattr" access to device /dev/mfpports/probe.
/dev/mfpports/probe is mislabeled, this device has the default label of the /dev
directory, which should not happen. All Character and/or Block Devices should
have a label. You can attempt to change the label of the file using restorecon
-v '/dev/mfpports/probe'. If this device remains labeled device_t, then this is
a bug in SELinux policy. Please file a bug report. If you look at the other
similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for
/dev/mfpports/probe, you can use chcon -t SIMILAR_TYPE '/dev/mfpports/probe'. If
this fixes the problem, you can make this permanent by executing semanage
fcontext -a -t SIMILAR_TYPE '/dev/mfpports/probe'. If the restorecon changes the
context, this indicates that the application that created the device, created it
without using SELinux APIs. If you can figure out which application created the
device, please file a bug report against this application.

Allowing Access:

Attempt restorecon -v '/dev/mfpports/probe' or chcon -t SIMILAR_TYPE
'/dev/mfpports/probe'

Additional Information:

Source Context                unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:device_t:s0
Target Objects                /dev/mfpports/probe [ chr_file ]
Source                        mfp
Source Path                   /usr/lib/cups/backend/mfp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-113.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   device
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5
                              16:15:03 EDT 2010 i686 i686
Alert Count                   60
First Seen                    Thu 13 May 2010 08:47:18 PM BST
Last Seen                     Thu 13 May 2010 08:57:01 PM BST
Local ID                      18fa773d-996e-459d-9218-10ae0e7cee83
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1273780621.475:39263): avc:  denied  { getattr } for  pid=27830 comm="mfp" path="/dev/mfpports/probe" dev=devtmpfs ino=412872 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file

node=(removed) type=SYSCALL msg=audit(1273780621.475:39263): arch=40000003 syscall=195 per=400000 success=no exit=-13 a0=bffd1240 a1=bffd112c a2=699ff4 a3=3 items=0 ppid=27818 pid=27830 auid=500 uid=4 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=22 comm="mfp" exe="/usr/lib/cups/backend/mfp" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  device,mfp,cupsd_t,device_t,chr_file,getattr
audit2allow suggests:

#============= cupsd_t ==============
allow cupsd_t device_t:chr_file getattr;
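As an added example (not code from this bug report or from setroubleshoot), a parser for AVC records of the shape quoted above that sorts each denial into the remediation class the thread discusses. The sample lines are constructed from the records on this page with hostnames replaced; the function names are assumed here.

```python
import re

# Constructed sample records, copied in shape from the AVC lines quoted in this bug
# (hostnames replaced with "host"; the remaining fields are as they appear on the page).
SAMPLE_AVC = [
    'node=host type=AVC msg=audit(1273780621.475:39263): avc:  denied  { getattr } for  pid=27830 comm="mfp" path="/dev/mfpports/probe" dev=devtmpfs ino=412872 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:device_t:s0 tclass=chr_file',
    'node=host type=AVC msg=audit(1273935188.51:39791): avc:  denied  { unix_read unix_write } for  pid=20258 comm="mfp" key=-324508629  scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm',
    'node=host type=AVC msg=audit(1273804452.677:39363): avc:  denied  { execmod } for  pid=1233 comm="ld-linux.so.2" path="/usr/lib/libqt-mt.samsung-mfp.so.3.0.4" dev=dm-2 ino=300044 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file',
    'type=AVC msg=audit(1318695092.132:2519): avc:  denied  { execstack } for  pid=14265 comm="Configurator" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process',
]

# "avc:  denied  { perm perm } for  key=value ..." ; values may be double-quoted
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([^)]+)\)')


def parse_avc(line):
    """Return a dict with result, perms (list), event id and every key=value field,
    or None when the line is not an AVC record (e.g. the SYSCALL record that follows it)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    ev = EVENT_RE.search(line)
    rec["event"] = ev.group(1) if ev else None  # same id as the matching SYSCALL record
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def classify(rec):
    """Map a denial onto the remediation class the thread walks through."""
    st, tt = context_type(rec["scontext"]), context_type(rec["tcontext"])
    perms, cls = set(rec["perms"]), rec["tclass"]
    if cls in ("chr_file", "blk_file") and tt == "device_t":
        # device node still carries /dev's generic label: relabel it (restorecon, or a
        # file context rule as in comment 2). The audit2allow rule would instead grant
        # cupsd_t access to every unlabeled device, which is why the report calls it a policy bug.
        return "mislabeled_device"
    if cls == "shm" and st != tt:
        # SysV shared memory between two domains; restorecon cannot change anything here
        # because the report shows the binary already has its default type (bin_t == bin_t).
        return "cross_domain_ipc"
    if "execmod" in perms and cls == "file":
        # library mapped writable+executable; its default type per the report is lib_t,
        # so restoring the label is the first step.
        return "execmod_library"
    if "execstack" in perms and cls == "process":
        # mprotect() asked for an executable stack (comments 9 and 10)
        return "execstack_request"
    return "other"


def triage(lines):
    """(class, source type, target type, tclass, perms) for every denied AVC record."""
    rows = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            rows.append((classify(rec), context_type(rec["scontext"]),
                         context_type(rec["tcontext"]), rec["tclass"], " ".join(rec["perms"])))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_AVC):
        print("%-18s %s -> %s %s { %s }" % row)
```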
Comment 1 Daniel Walsh 2010-05-14 08:41:29 EDT
What kind of device is /dev/mfpports/probe?
Comment 2 Daniel Walsh 2010-05-14 08:45:13 EDT
I could try 
/dev/mfpports/.*	-c	gen_context(system_u:object_r:printer_device_t,s0)
Comment 3 Simon 2010-05-15 04:35:10 EDT
Sorry to take so long to answer. I have a Samsung SCX-4216F multifunction fax-scanner-printer attached from the parallel port on the printer to a USB port on the Fedora box via a parallel-to-USB converter cable. I downloaded and installed Samsung's official driver for Linux on this machine and I'm trying to get the GUI system-config-printer program to recognise it. Just when I thought I was getting somewhere, SELinux blocked the probe. Thanks for your help on this; what does the /dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0) do?
Comment 4 Simon 2010-05-15 11:17:26 EDT
Hello again. I installed the driver package, which reported a couple of errors, and tried the command; this was the output:
Installing mfpcommon...
Copyright Samsung Software Center, Moscow 2001-2003 (c)
Software license silently accepted via command-line option.
Backing up old versions of non-shared files to be installed...
Backing up old versions of shared files to be installed...
Creating installation directories...
Installing software...
Running post-install commands...
MFPLDProgress=100
MFPLDStep=Running scripts...
ERROR: Module mfpportprobe does not exist in /proc/modules
ERROR: Module mfpport does not exist in /proc/modules
Updating module dependencies. Please wait...
Initializing CUPS drivers (Please wait. This can take several minutes)...
done.
Installation is complete.
MFPLDProgress=100
MFPLDStep=Installing MFP drivers...
#########################################################################################
Installing MFP drivers package...
Copyright Samsung Software Center, Moscow 2001-2003 (c)
Software license silently accepted via command-line option.
Backing up old versions of shared files to be installed...
Installing software...
Running post-install commands...
Adding printer...
DEBUG: scx4x16.post.sh: DEVICE_LINE=
DEBUG: scx4x16.post.sh: DEVICE_PORT=
DEBUG: Printer install string=lpadmin -p scx4x16 -m samsung/scx4x16.ppd.gz -v mfp:/dev/mfp0
DEBUG: Setting SCALING option to printer=scx4x16
Initializing CUPS drivers...
DEBUG: CUPS_SCRIPT=/etc/rc.d/init.d/cups
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/usr/share/applnk-mdk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/etc/X11/applnk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/etc/X11/applnk - MENU IS INSTALLED
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/usr/share/applnk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/usr/share/applnk - MENU IS INSTALLED
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/usr/share/applnk-mdk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde/share/applnk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde/share/applnk-mdk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde2/share/applnk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde2/share/applnk-mdk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde3/share/applnk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/opt/kde3/share/applnk-mdk - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/etc/opt/kde/share/applnk/SuSE - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/etc/opt/kde2/share/applnk/SuSE - menu to be installed
DEBUG: scx4x16.post.sh: MENU dir: MFP_APPLNKS_DIR=/etc/opt/kde3/share/applnk/SuSE - menu to be installed
Installation is complete.
MFP driver package installation succedded.
MFPLDProgress=100
MFP driver package has been installed successfully.
[root@www Linux]# /dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0)
bash: syntax error near unexpected token `('
[root@www Linux]# /dev/mfpports/.* -c gen_context(system_u:object_r:printer_device_t,s0
bash: syntax error near unexpected token `('
[root@www Linux]# /dev/mfpports/.* -c gen_context system_u:object_r:printer_device_t,s0
bash: /dev/mfpports/.: is a directory
[root@www Linux]# /dev/mfpports/.* -c gen_context (system_u:object_r:printer_device_t,s0)
bash: syntax error near unexpected token `('
[root@www Linux]# 

SELinux is preventing access and stating that the file name is wrong, but the file name is the same as SELinux expected(?)

Summary:

SELinux is preventing /usr/lib/cups/backend/mfp "unix_read unix_write" access to
<Unknown>.

Detailed Description:

SELinux denied access requested by /usr/lib/cups/backend/mfp.
/usr/lib/cups/backend/mfp is mislabeled. /usr/lib/cups/backend/mfp default
SELinux type is bin_t, but its current type is bin_t. Changing this file back to
the default type, may fix your problem.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/usr/lib/cups/backend/mfp'.

Fix Command:

/sbin/restorecon '/usr/lib/cups/backend/mfp'

Additional Information:

Source Context                unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ shm ]
Source                        mfp
Source Path                   /usr/lib/cups/backend/mfp
Port                          <Unknown>
Host                          www.
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-113.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restore_source_context
Host Name                     www.
Platform                      Linux www.
                              2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5
                              16:15:03 EDT 2010 i686 i686
Alert Count                   216
First Seen                    Thu 13 May 2010 08:47:18 PM BST
Last Seen                     Sat 15 May 2010 03:53:08 PM BST
Local ID                      05b6aeda-f04a-48b5-8519-13b82c6f6874
Line Numbers                  

Raw Audit Messages            

node=www. type=AVC msg=audit(1273935188.51:39791): avc:  denied  { unix_read unix_write } for  pid=20258 comm="mfp" key=-324508629  scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm

node=www. type=SYSCALL msg=audit(1273935188.51:39791): arch=40000003 syscall=117 per=400000 success=no exit=-13 a0=17 a1=eca8642b a2=1000 a3=3b6 items=0 ppid=20248 pid=20258 auid=500 uid=4 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=22 comm="mfp" exe="/usr/lib/cups/backend/mfp" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)


When I successfully ran /sbin/restorecon '/usr/lib/cups/backend/mfp' I still cannot print from either system-config-printer or the Samsung program, and GtlLP reports an internal program error, then exits when I click OK.
Comment 5 Simon 2010-05-16 12:22:04 EDT
I have installed the Samsung driver without errors now, and system-config-printer is seeing Samsung SCX-4x16 at location parallel:/dev/lp0 and saying it is idle but online. I cannot print a test page though, and SELinux says:

Summary:

SELinux is preventing /lib/ld-2.11.1.so "execmod" access to
/usr/lib/libqt-mt.samsung-mfp.so.3.0.4.

Detailed Description:

SELinux denied access requested by ld-linux.so.2.
/usr/lib/libqt-mt.samsung-mfp.so.3.0.4 may be mislabeled.
/usr/lib/libqt-mt.samsung-mfp.so.3.0.4 default SELinux type is lib_t, but its
current type is bin_t. Changing this file back to the default type, may fix your
problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent
    directory by default.
  * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creating a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or
    restorecon.

This file could have been mislabeled either by user error, or if a normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/usr/lib/libqt-mt.samsung-mfp.so.3.0.4', if this
file is a directory, you can recursively restore using restorecon -R
'/usr/lib/libqt-mt.samsung-mfp.so.3.0.4'.

Fix Command:

/sbin/restorecon '/usr/lib/libqt-mt.samsung-mfp.so.3.0.4'

Additional Information:

Source Context                system_u:system_r:prelink_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:bin_t:s0
Target Objects                /usr/lib/libqt-mt.samsung-mfp.so.3.0.4 [ file ]
Source                        ld-linux.so.2
Source Path                   /lib/ld-2.11.1.so
Port                          <Unknown>
Host                          www.conditional-fee.co.uk
Source RPM Packages           glibc-2.11.1-6
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-113.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restorecon
Host Name                     www.conditional-fee.co.uk
Platform                      Linux www.conditional-fee.co.uk
                              2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5
                              16:15:03 EDT 2010 i686 i686
Alert Count                   1
First Seen                    Fri 14 May 2010 03:34:12 AM BST
Last Seen                     Fri 14 May 2010 03:34:12 AM BST
Local ID                      a9db3258-e8eb-4f4c-b201-074fe8888e5e
Line Numbers                  

Raw Audit Messages            

node=www.conditional-fee.co.uk type=AVC msg=audit(1273804452.677:39363): avc:  denied  { execmod } for  pid=1233 comm="ld-linux.so.2" path="/usr/lib/libqt-mt.samsung-mfp.so.3.0.4" dev=dm-2 ino=300044 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file

node=www.conditional-fee.co.uk type=SYSCALL msg=audit(1273804452.677:39363): arch=40000003 syscall=125 success=no exit=-13 a0=731000 a1=807000 a2=5 a3=bfaeb320 items=0 ppid=32479 pid=1233 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=205 comm="ld-linux.so.2" exe="/lib/ld-2.11.1.so" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)


AND


Summary:

SELinux is preventing /usr/lib/cups/backend/mfp "unix_read unix_write" access to
<Unknown>.

Detailed Description:

SELinux denied access requested by /usr/lib/cups/backend/mfp.
/usr/lib/cups/backend/mfp is mislabeled. /usr/lib/cups/backend/mfp default
SELinux type is bin_t, but its current type is bin_t. Changing this file back to
the default type, may fix your problem.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/usr/lib/cups/backend/mfp'.

Fix Command:

/sbin/restorecon '/usr/lib/cups/backend/mfp'

Additional Information:

Source Context                unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                None [ shm ]
Source                        mfp
Source Path                   /usr/lib/cups/backend/mfp
Port                          <Unknown>
Host                          www.conditional-fee.co.uk
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-113.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   restore_source_context
Host Name                     www.conditional-fee.co.uk
Platform                      Linux www.conditional-fee.co.uk
                              2.6.32.11-99.fc12.i686.PAE #1 SMP Mon Apr 5
                              16:15:03 EDT 2010 i686 i686
Alert Count                   336
First Seen                    Thu 13 May 2010 08:47:18 PM BST
Last Seen                     Sun 16 May 2010 04:23:36 PM BST
Local ID                      05b6aeda-f04a-48b5-8519-13b82c6f6874
Line Numbers                  

Raw Audit Messages            

node=www.conditional-fee.co.uk type=AVC msg=audit(1274023416.143:36822): avc:  denied  { unix_read unix_write } for  pid=8837 comm="mfp" key=-324508629  scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm

node=www.conditional-fee.co.uk type=SYSCALL msg=audit(1274023416.143:36822): arch=40000003 syscall=117 per=400000 success=no exit=-13 a0=17 a1=eca8642b a2=1000 a3=3b6 items=0 ppid=8827 pid=8837 auid=500 uid=4 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=1 comm="mfp" exe="/usr/lib/cups/backend/mfp" subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)


What can I do to get access to the printer? The restorecon commands don't seem to help.
Comment 6 Daniel Walsh 2010-08-19 07:31:13 EDT
Lost this bug in the flood. Are you still seeing this problem?
Comment 7 Miroslav Grepl 2010-11-03 09:52:35 EDT
Please reopen the bug if this still happens.
Comment 8 Bug Zapper 2010-11-03 10:56:06 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 9 Simon 2011-10-15 12:40:47 EDT
Hello again,

I bought a Samsung CLX-6220FX which prints OK, but each time I try to use the Smart Panel or the Unified Driver Configurator, SELinux blocks it:

SELinux is preventing /opt/Samsung/mfp/bin/Configurator from using the execstack access on a process.

*****  Plugin allow_execstack (53.1 confidence) suggests  ********************

If you believe that 
None
should not require execstack
Then you should clear the execstack flag and see if /opt/Samsung/mfp/bin/Configurator works correctly.
Report this as a bug on None.
You can clear the execstack flag by executing:
Do
execstack -c None

*****  Plugin catchall_boolean (42.6 confidence) suggests  *******************

If you want to allow unconfined executables to make their stack executable.  This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla
Then you must tell SELinux about this by enabling the 'allow_execstack' boolean.
Do
setsebool -P allow_execstack 1

*****  Plugin catchall (5.76 confidence) suggests  ***************************

If you believe that Configurator should be allowed execstack access on processes labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep Configurator /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Objects                Unknown [ process ]
Source                        Configurator
Source Path                   /opt/Samsung/mfp/bin/Configurator
Port                          <Unknown>
Host                          www.conditional-fee.co.uk
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-44.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     www.conditional-fee.co.uk
Platform                      Linux www.conditional-fee.co.uk
                              2.6.35.14-97.fc14.i686.PAE #1 SMP Sat Sep 17
                              00:22:29 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Sat 15 Oct 2011 17:11:32 BST
Last Seen                     Sat 15 Oct 2011 17:11:32 BST
Local ID                      b1f3562c-ec3e-48c8-9798-73102216119f

Raw Audit Messages
type=AVC msg=audit(1318695092.132:2519): avc:  denied  { execstack } for  pid=14265 comm="Configurator" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process


type=SYSCALL msg=audit(1318695092.132:2519): arch=i386 syscall=mprotect success=no exit=EACCES a0=bfb02000 a1=1000 a2=1000007 a3=bfb020ec items=0 ppid=1 pid=14265 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=268 comm=Configurator exe=/opt/Samsung/mfp/bin/Configurator subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash: Configurator,unconfined_t,unconfined_t,process,execstack

audit2allow

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;

audit2allow -R

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'


I want to use the scanning capability, but not if the method involves any security risk (I've got another scanner, not as good).

What are the implications of using execstack -c None, please?
Comment 10 Miroslav Grepl 2011-10-18 03:17:59 EDT
You could look for libraries that are marked as requiring execstack

# find /lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X 
# find /usr/lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X 

or

# find /lib64 -exec execstack -q {} \; -print 2> /dev/null | grep ^X 
# find /usr/lib64 -exec execstack -q {} \; -print 2> /dev/null | grep ^X


Then try to turn off the flag of any libraries that require execstack

execstack -c

And see if the apps work.  

If you cannot find the problem library, or the library does not work without
the execstack flag turned on, your only option is to tell SELinux to stop
checking for execstack using the boolean

setsebool -P allow_execstack 1
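An added example, not code from this thread or from the execstack tool: it reads the PT_GNU_STACK program header that execstack -q reports on, so the find/grep scan in the comment above can be reproduced on any directory tree, and clear_execstack shows exactly which bit execstack -c turns off. The ELF images are constructed inline as test fixtures; the function names (stack_status, clear_execstack, scan_tree, make_elf32) are assumed here.

```python
import os
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header carrying the stack permissions a binary asks for
PF_X = 0x1                 # "executable" bit in p_flags


def _find_gnu_stack(data):
    """Return (byte offset of the PT_GNU_STACK p_flags field, endianness char) or None."""
    if data[:4] != b"\x7fELF" or len(data) < 52:
        return None
    end = "<" if data[5] == 1 else ">"
    if data[4] == 1:      # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        phoff, = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24    # p_flags is the 7th 32-bit field of Elf32_Phdr
    elif data[4] == 2:    # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        phoff, = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4     # p_flags immediately follows p_type in Elf64_Phdr
    else:
        return None
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + flags_off + 4 > len(data):
            return None   # truncated program header table
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            return off + flags_off, end
    return None


def stack_status(data):
    """The letter execstack -q prints: 'X' executable stack, '-' non-executable,
    '?' no PT_GNU_STACK header at all; None when the data is not an ELF image."""
    if data[:4] != b"\x7fELF":
        return None
    hit = _find_gnu_stack(data)
    if hit is None:
        return "?"
    flags_off, end = hit
    p_flags, = struct.unpack_from(end + "I", data, flags_off)
    return "X" if p_flags & PF_X else "-"


def clear_execstack(data):
    """What execstack -c does to the file: clear PF_X in PT_GNU_STACK (unchanged if absent)."""
    hit = _find_gnu_stack(data)
    if hit is None:
        return data
    flags_off, end = hit
    p_flags, = struct.unpack_from(end + "I", data, flags_off)
    return data[:flags_off] + struct.pack(end + "I", p_flags & ~PF_X) + data[flags_off + 4:]


def scan_tree(root):
    """Equivalent of the find ... -exec execstack -q {} \\; | grep ^X pipeline above."""
    marked = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    if stack_status(f.read()) == "X":
                        marked.append(path)
            except OSError:
                pass  # unreadable or vanished file
    return marked


def make_elf32(p_flags, p_type=PT_GNU_STACK):
    """Constructed fixture: minimal i386 ELF header plus one program header (not loadable)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8   # ELF32, little-endian, version 1
    ehdr = struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, p_flags, 16)
    return ident + ehdr + phdr


if __name__ == "__main__":
    for path in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/usr/lib"):
        print("X", path)
```

Run it with a directory argument to list the files that ask for an executable stack, the same set the find pipelines produce.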
