Turboprint and FC7

Daniel J Walsh dwalsh at redhat.com
Fri Jun 22 15:49:38 UTC 2007 

piotreek23 at gmail.com wrote:
> Hi guys im using turboprint drivers for my IP 1000 Canon. When i try 
> to print from Open Office i get this below:
>
>
> sealert -l 26616fa9-ba9f-44fb-9cf2-d1940f15217f
> Summary
>    SELinux is preventing /lib/ld-2.6.so (cupsd_t) "execmem" to <Nieznane>
>    (cupsd_t).
>
> Detailed Description
>    SELinux denied access requested by /lib/ld-2.6.so. It is not 
> expected that
>    this access is required by /lib/ld-2.6.so and this access may 
> signal an
>    intrusion attempt. It is also possible that the specific version or
>    configuration of the application is causing it to require 
> additional access.
>
> Allowing Access
>    You can generate a local policy module to allow this access - see
>    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can 
> disable
>    SELinux protection altogether. Disabling SELinux protection is not
>    recommended. Please file a 
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>    against this package.
>
> Additional Information
>
> Source Context                
> system_u:system_r:cupsd_t:SystemLow-SystemHigh
> Target Context                
> system_u:system_r:cupsd_t:SystemLow-SystemHigh
> Target Objects                None [ process ]
> Affected RPM Packages         glibc-2.6-3 [application]
> Policy RPM                    selinux-policy-2.6.4-13.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   plugins.catchall
> Host Name                     c79-70.icpnet.pl
> Platform                      Linux *.icpnet.pl 2.6.21-1.3194.fc7 #1 SMP
>                              Wed May 23 22:35:01 EDT 2007 i686 athlon
> Alert Count                   1
> First Seen                    Sun Jun 10 19:48:42 2007
> Last Seen                     Sun Jun 10 19:48:42 2007
> Local ID                      26616fa9-ba9f-44fb-9cf2-d1940f15217f
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { execmem } for comm="ld-linux.so.2" egid=7 euid=4
> exe="/lib/ld-2.6.so" exit=0 fsgid=7 fsuid=4 gid=7 items=0 pid=3240
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=process
> tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tty=(none) uid=4
>
>
> On Fc 6 turboprint was working fine.
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Sorry about missing this, my junk mail filters ate it.

This looks like a badly written application that would require execmem.  
You can allow this by executing

# grep execmem /var/log/audit/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp

You should report this as a bug to turboprint.

This link explains the violation
SELinux Memory Protection Tests 
<http://people.redhat.com/%7Edrepper/selinux-mem.html>

More information about the fedora-selinux-list mailing list