06-06-2011, 12:41 PM
Ed Greshko

SELinux is preventing /usr/libexec/colord from getattr access on the file /usr/local/Brother/sane/models3/ext4.ini.

On 06/06/2011 08:19 PM, Lawrence E Graves wrote:
> SELinux is preventing /usr/libexec/colord from getattr access on the file /usr/local/Brother/sane/models3/ext4.ini.

So, you've installed a package supplied by Brother...and not from the
Fedora repository. So, it is certainly possible/probable that it will
run afoul of some SELinux policies.

If you want to allow access, you should do as the selinux report
suggests and generate a local policy module.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
06-06-2011, 03:54 PM
Daniel J Walsh

SELinux is preventing /usr/libexec/colord from getattr access on the file /usr/local/Brother/sane/models3/ext4.ini.

On 06/06/2011 08:41 AM, Ed Greshko wrote:
> On 06/06/2011 08:19 PM, Lawrence E Graves wrote:
>> SELinux is preventing /usr/libexec/colord from getattr access on the file /usr/local/Brother/sane/models3/ext4.ini.
>
> So, you've installed a package supplied by Brother...and not from the
> Fedora repository. So, it is certainly possible/probable that it will
> run afoul of some SELinux policies.
>
> If you want to allow access, you should do as the selinux report
> suggests and generate a local policy module.
Actually this is probably a labeling problem. Could you get me a
listing of files under /usr/local/Brother? We have labeled lots of
files under this directory as bin_t, but now we see where this is
additional config under the directory. I basically need to know where
the executables are stored under Brother and then we can label the rest
of the content as usr_t and SELinux will not block it.

chcon -Rt usr_t /usr/local/Brother/sane

Will solve the problem for now.
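The distinction drawn in the reply above (a config file that carries an executable label should be relabeled, not granted a new allow rule) can be checked directly from the AVC record. The following is an added example, not part of the original thread: the function names, the suffix list and the read-only permission set are assumptions for illustration, and the sample record is the one reported in this thread.

```python
import re
import shlex

# AVC record from this thread, with the target context written as SELinux logs it.
SAMPLE_AVC = (
    'type=AVC msg=audit(1307445641.672:26): avc: denied { getattr } for pid=1136 '
    'comm="colord" path="/usr/local/Brother/sane/models3/ext4.ini" dev=dm-1 '
    'ino=1325526 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:bin_t:s0 tclass=file'
)
# Assumed heuristic inputs, chosen for illustration (not taken from Fedora policy).
DATA_SUFFIXES = (".ini", ".conf", ".cfg", ".xml")
READ_ONLY_PERMS = {"getattr", "read", "open", "ioctl"}

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    rec = {"perms": set(m.group(1).split())}
    # Fields are key=value; values are either double-quoted or bare tokens.
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(2)):
        rec[key] = quoted or bare
    for side in ("scontext", "tcontext"):
        # Context is user:role:type:level; the level may itself contain colons.
        parts = rec.get(side, "").split(":", 3)
        if len(parts) < 3:
            return None
        rec[side + "_type"] = parts[2]
    return rec

def triage(line):
    """Return (verdict, suggestion) for an AVC denial, or None if not one."""
    rec = parse_avc(line)
    if rec is None:
        return None
    src, tgt = rec["scontext_type"], rec["tcontext_type"]
    path, tclass = rec.get("path", ""), rec.get("tclass", "")
    exec_label = tgt == "bin_t" or tgt.endswith("_exec_t")
    data_file = tclass == "file" and path.lower().endswith(DATA_SUFFIXES)
    if exec_label and data_file and rec["perms"] <= READ_ONLY_PERMS:
        # Config file carrying an executable label: fix the label, not the policy.
        return "relabel", "chcon -t usr_t %s" % shlex.quote(path)
    perms = sorted(rec["perms"])
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "policy", "allow %s %s:%s %s;" % (src, tgt, tclass, perm_str)
```

A label set with chcon does not survive a filesystem relabel, which matches the "for now" in the reply above.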
 
06-07-2011, 01:54 PM
Daniel J Walsh

SELinux is preventing /usr/libexec/colord from getattr access on the file /usr/local/Brother/sane/models3/ext4.ini.

On 06/07/2011 09:47 AM, Lawrence E Graves wrote:
> SELinux is preventing /usr/libexec/colord from getattr access on the file /usr/local/Brother/sane/models3/ext4.ini.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that colord should be allowed getattr access on the ext4.ini file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep colord /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context system_u:system_r:colord_t:s0-s0:c0.c1023
> Target Context system_u:object_r:bin_t:s0
> Target Objects /usr/local/Brother/sane/models3/ext4.ini [ file ]
> Source colord
> Source Path /usr/libexec/colord
> Port <Unknown>
> Host Jehovah.localdomain
> Source RPM Packages colord-0.1.7-1.fc15
> Target RPM Packages brscan3-0.2.11-4
> Policy RPM selinux-policy-3.9.16-26.fc15
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name Jehovah.localdomain
> Platform Linux Jehovah.localdomain 2.6.38.7-30.fc15.x86_64
> #1 SMP Fri May 27 05:15:53 UTC 2011 x86_64 x86_64
> Alert Count 5
> First Seen Mon 06 Jun 2011 06:40:50 AM MDT
> Last Seen Tue 07 Jun 2011 05:20:41 AM MDT
> Local ID 5284eedd-a207-486b-a7d9-09af2e567072
>
> Raw Audit Messages
> type=AVC msg=audit(1307445641.672:26): avc: denied { getattr } for pid=1136 comm="colord" path="/usr/local/Brother/sane/models3/ext4.ini" dev=dm-1 ino=1325526 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1307445641.672:26): arch=x86_64 syscall=fstat success=yes exit=0 a0=12 a1=7fffa928d6a0 a2=7fffa928d6a0 a3=7fffa928d5a0 items=0 ppid=1 pid=1136 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
>
> Hash: colord,colord_t,bin_t,file,getattr
>
> audit2allow
>
> #============= colord_t ==============
> allow colord_t bin_t:file getattr;
>
> audit2allow -R
>
> #============= colord_t ==============
> allow colord_t bin_t:file getattr;
>
>
There is an open bug for this with a fix moving through the process.
Please do not spam the list with these alerts.
 
06-07-2011, 03:04 PM
"Clyde E. Kunkel"

SELinux is preventing /usr/libexec/colord from getattr access on the file /usr/local/Brother/sane/models3/ext4.ini.

On 06/07/2011 09:47 AM, Lawrence E Graves wrote:
> SELinux is preventing /usr/libexec/colord from getattr access on the file /usr/local/Brother/sane/models3/ext4.ini.
>
> ***** Plugin catchall (100. confidence) suggests ***************************
>
> If you believe that colord should be allowed getattr access on the ext4.ini file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # grep colord /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
>
> Additional Information:
> Source Context system_u:system_r:colord_t:s0-s0:c0.c1023
> Target Context system_u:object_r:bin_t:s0
> Target Objects /usr/local/Brother/sane/models3/ext4.ini [ file ]
> Source colord
> Source Path /usr/libexec/colord
> Port<Unknown>
> Host Jehovah.localdomain
> Source RPM Packages colord-0.1.7-1.fc15
> Target RPM Packages brscan3-0.2.11-4
> Policy RPM selinux-policy-3.9.16-26.fc15
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name Jehovah.localdomain
> Platform Linux Jehovah.localdomain 2.6.38.7-30.fc15.x86_64
> #1 SMP Fri May 27 05:15:53 UTC 2011 x86_64 x86_64
> Alert Count 5
> First Seen Mon 06 Jun 2011 06:40:50 AM MDT
> Last Seen Tue 07 Jun 2011 05:20:41 AM MDT
> Local ID 5284eedd-a207-486b-a7d9-09af2e567072
>
> Raw Audit Messages
> type=AVC msg=audit(1307445641.672:26): avc: denied { getattr } for pid=1136 comm="colord" path="/usr/local/Brother/sane/models3/ext4.ini" dev=dm-1 ino=1325526 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
>
>
> type=SYSCALL msg=audit(1307445641.672:26): arch=x86_64 syscall=fstat success=yes exit=0 a0=12 a1=7fffa928d6a0 a2=7fffa928d6a0 a3=7fffa928d5a0 items=0 ppid=1 pid=1136 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)
>
> Hash: colord,colord_t,bin_t,file,getattr
>
> audit2allow
>
> #============= colord_t ==============
> allow colord_t bin_t:file getattr;
>
> audit2allow -R
>
> #============= colord_t ==============
> allow colord_t bin_t:file getattr;
>
>

colord is required by both cups (print server) and foomatic (printer
databases). It looks like you are using selinux in enforcing mode which
is preventing your printing due to the denial above (best guess on my part).

Turn off selinux and try it. I told you how to do that offlist. If
that doesn't work, please note in Dan's response that there is a bug
open for this. You might just need to wait for the fix to hit F15
updates-testing. (sudo yum --enablerepo=updates-testing update).

If that doesn't work, follow Dan's advice and open a bugzilla for the
problem. Open against cups for now and the triagers will get it to the
right place. Include this selinux denial.

There is nothing else I can do to help you. Good luck.

--
Regards,
OldFart

 
06-07-2011, 03:23 PM
Ed Greshko

SELinux is preventing /usr/libexec/colord from getattr access on the file /usr/local/Brother/sane/models3/ext4.ini.

On 06/07/2011 09:54 PM, Daniel J Walsh wrote:
> There is an open bug for this with a fix moving through the process.
> Please do not spam the list with these alerts.
You may also want to consider trimming your responses to remove the
spam.... :-)