On 03/30/2017 01:19 PM, Martin Gansser wrote:
I have received this error report, about boomaga.
I can print to the boomaga printer, but with a delay of about 30 seconds per task. SELinux Troubleshooter reports an error.
Hi,
The boomaga SELinux module is not part of the selinux-policy package, which
means it's not maintained by the Fedora SELinux team. I cloned the boomaga repo
and the boomaga policy is part of permissivedomains, which means that
boomaga rules won't be enforced by the kernel, even if your system is in
enforcing state. If you would like to fix this issue you can create a
local module:
$ cat boomaga_local.cil
(allow boomaga_cups_t boomaga_cups_t(cap_userns (sys_ptrace)))
# semodule -i boomaga_local.cil
#
I'll try to contact the boomaga maintainer and provide a patch for the boomaga
SELinux module.
Thanks.
Lukas.
SELinux is preventing boomagabackend from 'sys_ptrace' accesses on the cap_userns Unknown.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that boomagabackend should be allowed sys_ptrace access on the Unknown cap_userns by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'boomagabackend' --raw | audit2allow -M my-boomagabackend
# semodule -X 300 -i my-boomagabackend.pp
Additional Information:
Source Context system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023
Target Context system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023
Target Objects Unknown [ cap_userns ]
Source boomagabackend
Source Path boomagabackend
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-225.11.fc25.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.9.14-200.fc25.x86_64 #1 SMP Mon
Mar 13 19:26:40 UTC 2017 x86_64 x86_64
Alert Count 3
First Seen 2017-03-25 00:29:09 MSK
Last Seen 2017-03-25 00:32:12 MSK
Local ID 531f80ea-deab-40c6-9bd0-c7375eef6639
Raw Audit Messages
type=AVC msg=audit(1490391132.808:798): avc: denied { sys_ptrace } for pid=12332 comm="boomagabackend" capability=19 scontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tcontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
Hash: boomagabackend,boomaga_cups_t,boomaga_cups_t,cap_userns,sys_ptrace
------------------------------------
Does someone have an idea how this can be solved?
The files of the package were stored for test purposes here: https://martinkg.fedorapeople.org/Review/test/boomaga/
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
--
Lukas Vrabec
SELinux Solutions
Red Hat, Inc.
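
An added example (not part of the original thread, and not boomaga or setroubleshoot code): a small Python parser that turns the raw AVC record quoted in the report into the CIL allow rule shown in the reply, and exposes the `permissive=1` flag, which means the access was logged but not blocked. The function names are hypothetical, and the sample line is the record from this report embedded as a constant.

```python
import re

# Sample input: the raw AVC record quoted in the report, embedded for offline use.
SAMPLE_AVC = ('type=AVC msg=audit(1490391132.808:798): avc: denied { sys_ptrace } '
              'for pid=12332 comm="boomagabackend" capability=19 '
              'scontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 '
              'tcontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 '
              'tclass=cap_userns permissive=1')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group('rest')))
    try:
        # An SELinux context is user:role:type[:mls-range]; the type is field 3.
        source = fields['scontext'].split(':')[2]
        target = fields['tcontext'].split(':')[2]
        tclass = fields['tclass']
    except (KeyError, IndexError):
        return None
    return {
        'comm': fields.get('comm', '').strip('"'),
        'source': source, 'target': target, 'tclass': tclass,
        'perms': m.group('perms').split(),
        # permissive=1: the kernel logged the access but did not block it.
        'permissive': fields.get('permissive') == '1',
    }

def cil_rules(lines):
    """Merge all denials into one CIL allow rule per (source, target, class)."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc:
            key = (avc['source'], avc['target'], avc['tclass'])
            merged.setdefault(key, set()).update(avc['perms'])
    return ['(allow %s %s (%s (%s)))' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

if __name__ == '__main__':
    print('\n'.join(cil_rules([SAMPLE_AVC])))
    print('logged only' if parse_avc(SAMPLE_AVC)['permissive'] else 'blocked')
```
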