I have received this error report, about boomaga.
I can print to boomaga printer, but with a delay about 30 seconds per task. SELinux Troubleshooter reports an error.
SELinux is preventing boomagabackend from 'sys_ptrace' accesses on the cap_userns Unknown.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that boomagabackend should be allowed sys_ptrace access on the Unknown cap_userns by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
# ausearch -c 'boomagabackend' --raw | audit2allow -M my-boomagabackend
# semodule -X 300 -i my-boomagabackend.pp
Additional Information:
Source Context                system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023
Target Context                system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023
Target Objects                Unknown [ cap_userns ]
Source                        boomagabackend
Source Path                   boomagabackend
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-225.11.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.9.14-200.fc25.x86_64 #1 SMP Mon Mar 13 19:26:40 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-03-25 00:29:09 MSK
Last Seen                     2017-03-25 00:32:12 MSK
Local ID                      531f80ea-deab-40c6-9bd0-c7375eef6639
Raw Audit Messages
type=AVC msg=audit(1490391132.808:798): avc: denied { sys_ptrace } for pid=12332 comm="boomagabackend" capability=19 scontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tcontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
Hash: boomagabackend,boomaga_cups_t,boomaga_cups_t,cap_userns,sys_ptrace
Does anyone have an idea how this can be solved? The files of the package were stored for test purposes here: https://martinkg.fedorapeople.org/Review/test/boomaga/
On 03/30/2017 01:19 PM, Martin Gansser wrote:
I have received this error report, about boomaga.
I can print to boomaga printer, but with a delay about 30 seconds per task. SELinux Troubleshooter reports an error.
Hi,
The boomaga SELinux module is not part of the selinux-policy package, which means it's not maintained by the Fedora SELinux team. I cloned the boomaga repo, and the boomaga policy is part of permissivedomains, which means that boomaga rules won't be enforced by the kernel, even if your system is in enforcing state. If you would like to fix this issue you can create a local module:
$ cat boomaga_local.cil
(allow boomaga_cups_t boomaga_cups_t(cap_userns (sys_ptrace)))
# semodule -i boomaga_local.cil
#
I'll try to contact the boomaga maintainer and provide a patch for the boomaga SELinux module.
Thanks. Lukas.
That sounds good. Many thanks, Martin
Current RPM spec file with SELinux rules: http://pkgs.fedoraproject.org/cgit/rpms/boomaga.git/tree/boomaga.spec
On 03/30/2017 01:19 PM, Martin Gansser wrote:
$ cat boomaga_local.cil
(allow boomaga_cups_t boomaga_cups_t(cap_userns (sys_ptrace)))
# semodule -i boomaga_local.cil
Thank you for the tip, but I get another error. So I still have some delay printing to the boomaga printer.
$ sudo semodule -l | grep boomaga
boomaga
boomaga_local
$ cat boomaga_local.cil
(allow boomaga_cups_t boomaga_cups_t(cap_userns (sys_ptrace)))
$ journalctl -b
Mar 31 17:08:31 magnolia.home.lan audit[1070]: USER_AVC pid=1070 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.1062 spid=1084 tpid=12021 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
On 03/31/2017 04:30 PM, Oleg Pykhalov wrote:
Update your boomaga_local.cil file:
$ cat boomaga_local.cil
(allow boomaga_cups_t boomaga_cups_t(cap_userns (sys_ptrace)))
(allow systemd_logind_t boomaga_cups_t(dbus (send_msg)))
and load it again:
# semodule -i boomaga_local.cil
Lukas.
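As an added example (not part of this thread or of boomaga), a small Python script that turns raw audit denial lines like the two discussed above into the CIL allow rules Lukas wrote by hand. It handles both kernel AVC records and USER_AVC records (where dbus-daemon embeds the denial inside msg='...'), merges permissions per source/target/class, and flags capability rules so they get a human look before semodule -i loads them. The sample audit lines are constructed after the thread's two denials, not copied from it.

```python
import re

# Constructed sample lines (ausearch --raw style), modelled on the two
# denials discussed in this thread; they are not the thread's own output.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1490391132.808:798): avc:  denied  { sys_ptrace } for  pid=12332 comm="boomagabackend" capability=19 scontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tcontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
type=USER_AVC msg=audit(1490974111.000:900): pid=1070 uid=81 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.1062 spid=1084 tpid=12021 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon"'
type=AVC msg=audit(1490974112.000:901): avc:  granted  { read } for  pid=1 comm="init" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# One regex covers kernel AVC lines and USER_AVC lines alike, because the
# userspace object manager (dbus-daemon) embeds the same "avc: denied"
# text inside msg='...'.  Only denials match; "granted" lines are skipped.
DENIAL_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Capability classes deserve a human look before an allow rule is loaded.
REVIEW_CLASSES = {"capability", "capability2", "cap_userns", "cap2_userns"}

def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Return (source_type, target_type, tclass, perms) for every denial line."""
    rules = []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            rules.append((context_type(m["scontext"]), context_type(m["tcontext"]),
                          m["tclass"], tuple(m["perms"].split())))
    return rules

def to_cil(rules):
    """Merge permissions per (source, target, class) and emit CIL allow rules."""
    merged = {}
    for src, tgt, cls, perms in rules:
        merged.setdefault((src, tgt, cls), set()).update(perms)
    return "\n".join(f"(allow {src} {tgt} ({cls} ({' '.join(sorted(p))})))"
                     for (src, tgt, cls), p in sorted(merged.items()))

def needs_review(rules):
    """Return the rules that grant a capability rather than an ordinary object access."""
    return [r for r in rules if r[2] in REVIEW_CLASSES]

if __name__ == "__main__":
    print(to_cil(parse_denials(SAMPLE_AUDIT)))
```

Feed it `ausearch -m AVC,USER_AVC --raw` output instead of the sample to get a candidate boomaga_local.cil; anything `needs_review` returns (here the sys_ptrace rule) should be justified before it is loaded.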
_______________________________________________
selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org