Bug 661372 - SELinux is preventing /bin/bash "getattr" access on /usr/lib/httpd.
Summary: SELinux is preventing /bin/bash "getattr" access on /usr/lib/httpd.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:21bac275a35...
Depends On:
Blocks:
Reported: 2010-12-08 16:55 UTC by Mark Myatt
Modified: 2010-12-10 12:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-09 10:58:31 UTC



Description Mark Myatt 2010-12-08 16:55:30 UTC
Summary:

SELinux is preventing /bin/bash "getattr" access on /usr/lib/httpd.

Detailed Description:

SELinux denied access requested by Samsung-ML-1660. It is not expected that this
access is required by Samsung-ML-1660 and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:httpd_modules_t:s0
Target Objects                /usr/lib/httpd [ dir ]
Source                        Samsung-ML-1660
Source Path                   /bin/bash
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           bash-4.1.7-3.fc14
Target RPM Packages           httpd-2.2.17-1.fc14
Policy RPM                    selinux-policy-3.9.7-14.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.9-64.fc14.i686.PAE #1 SMP Fri
                              Dec 3 12:28:00 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Wed 08 Dec 2010 16:51:57 GMT
Last Seen                     Wed 08 Dec 2010 16:51:57 GMT
Local ID                      3e91515a-55c3-498e-8d7c-37f3d5f6ed89
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1291827117.374:40): avc:  denied  { getattr } for  pid=2810 comm="Samsung-ML-1660" path="/usr/lib/httpd" dev=dm-0 ino=1710680 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1291827117.374:40): arch=40000003 syscall=195 success=no exit=-13 a0=8cac5c8 a1=bfc46370 a2=4b7ff4 a3=8ca2dd0 items=0 ppid=2798 pid=2810 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="Samsung-ML-1660" exe="/bin/bash" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,Samsung-ML-1660,cupsd_t,httpd_modules_t,dir,getattr
audit2allow suggests:

#============= cupsd_t ==============
allow cupsd_t httpd_modules_t:dir getattr;

Comment 1 Miroslav Grepl 2010-12-08 17:31:59 UTC
Do you know what you were doing when this happened?

Comment 2 Tim Waugh 2010-12-09 10:28:34 UTC
This looks like something the 3rd party Samsung driver is trying to do, perhaps in a CUPS backend or filter.  It is not expected that CUPS backends or filters would do something like that.

Comment 3 Miroslav Grepl 2010-12-09 10:58:31 UTC
Mark was trying to install Samsung Laser printer ML-1665.

I think this won't happen again. 

Mark,
if yes, please reopen the bug.

Comment 4 Mark Myatt 2010-12-09 11:39:35 UTC
09/12/2010 11.35 GMT

Just a thought - it may not have worked as it appears to have initially choked on SELinux. I have since deleted SELinux but the problem still remains. Printer USB connected and recognised by Fedora 14 with correct and recommended driver (foomatic/PXL mono) but will still not print test page or anything else. Nothing seen in print queue. Any ideas?

M J Myatt

Comment 5 Tim Waugh 2010-12-09 12:13:06 UTC
Try the printing troubleshooter.
https://fedoraproject.org/wiki/Printing/Debugging

Comment 6 Mark Myatt 2010-12-09 19:40:36 UTC
(In reply to comment #5)
> Try the printing troubleshooter.
> https://fedoraproject.org/wiki/Printing/Debugging

Thank you time for your suggestion. Unhappily there is no text or advice of any kind on that site. It is yet to be activated and not clear whether there is any work in progress.

M J Myatt

Comment 7 Tim Waugh 2010-12-10 12:31:53 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > Try the printing troubleshooter.
> > https://fedoraproject.org/wiki/Printing/Debugging
> 
> Thank you time for your suggestion. Unhappily there is no text or advice of any
> kind on that site. It is yet to be activated and not clear whether there is any
> work in progress.

You don't see a page entitled "How to debug printing problems"?  It certainly works when I view it.

