Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1057862 - SELinux is preventing /usr/bin/c3pldrv from using the 'execstack' accesses on a process.
Summary: SELinux is preventing /usr/bin/c3pldrv from using the 'execstack' accesses on...
Alias: None
Product: Fedora
Classification: Fedora
Component: cups
Version: 20
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Tim Waugh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:976c12ae3a2c5c3df179aaa6c62...
Depends On:
TreeView+ depends on / blocked
Reported: 2014-01-25 13:32 UTC by Michal Rovinsky
Modified: 2014-01-27 11:34 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-01-27 11:34:17 UTC

Attachments (Terms of Use)

Description Michal Rovinsky 2014-01-25 13:32:00 UTC
Description of problem:
I was trying to set up my Canon MF 4010 printer. After downloading drivers for Linux from their official website, I unpacked and installed two RPM / 'cndrvcups-common-2.00-2.x86_64' and 'cndrvcups-ufr2-uk-2.00-2.x86_64'. After installation, in 'Printers' dialog window I saw that the printer seems set up, so I click on 'Print Test Page'. It failed to print the page and in addition, this error, which I am reporting now, occured. 
SELinux is preventing /usr/bin/c3pldrv from using the 'execstack' accesses on a process.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that c3pldrv should be allowed execstack access on processes labeled cupsd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep c3pldrv /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Objects                 [ process ]
Source                        c3pldrv
Source Path                   /usr/bin/c3pldrv
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           cndrvcups-common-2.00-2.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-119.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.12.8-300.fc20.x86_64 #1 SMP Thu
                              Jan 16 01:07:50 UTC 2014 x86_64 x86_64
Alert Count                   6
First Seen                    2014-01-25 14:06:39 CET
Last Seen                     2014-01-25 14:11:50 CET
Local ID                      d0e46c23-f08c-41fd-a6a9-e113194605be

Raw Audit Messages
type=AVC msg=audit(1390655510.852:800): avc:  denied  { execstack } for  pid=15073 comm="c3pldrv" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process

type=SYSCALL msg=audit(1390655510.852:800): arch=i386 syscall=capget success=no exit=EACCES a0=ffada000 a1=1000 a2=1000007 a3=ffada000 items=0 ppid=15072 pid=15073 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 ses=4294967295 tty=(none) comm=c3pldrv exe=/usr/bin/c3pldrv subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: c3pldrv,cupsd_t,cupsd_t,process,execstack

Additional info:
reporter:       libreport-2.1.11
hashmarkername: setroubleshoot
kernel:         3.12.8-300.fc20.x86_64
type:           libreport

Comment 1 Tim Waugh 2014-01-27 11:34:17 UTC
I don't think it's a good idea to allow printer drivers to execute the stack, especially as their primary function is to deal with untrusted input.

The cp3ldrv driver ought to be changed in such a way that it does not do this. If that is not possible, its package ought to include SELinux policy that allows it to run in its own domain that allows execstack.

Note You need to log in before you can comment on or make changes to this bug.