Selinux, cups, hplip

Richard Shaw hobbes1069 at gmail.com
Wed Jun 24 21:28:38 UTC 2009


On Wed, Jun 24, 2009 at 2:04 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:

> On 06/23/2009 08:09 PM, Richard Shaw wrote:
>
>> On Mon, Jun 22, 2009 at 3:48 PM, Daniel J Walsh<dwalsh at redhat.com>
>>  wrote:
>>
>>  On 06/20/2009 01:50 PM, Steven Stern wrote:
>>>
>>>  On 06/20/2009 06:12 AM, Daniel J Walsh wrote:
>>>>
>>>>  On 06/19/2009 07:10 PM, Steven Stern wrote:
>>>>>
>>>>>> After installing hplip-gui, I got selinux errors when checking on the
>>>>>> printer status.
>>>>>>
>>>>>> audit2allow generated the following policy
>>>>>>
>>>>>> module cups20090619 1.0;
>>>>>>
>>>>>> require {
>>>>>> type hwdata_t;
>>>>>> type xdm_t;
>>>>>> class dir search;
>>>>>> class file { read getattr open };
>>>>>> }
>>>>>>
>>>>>> #============= xdm_t ==============
>>>>>> allow xdm_t hwdata_t:dir search;
>>>>>> allow xdm_t hwdata_t:file { read getattr open };
>>>>>>
>>>>>>
>>>>> xdm is checking the printer status? This allow rule indicates the X
>>>>> Login program is checking the printer status. Could you attach the AVC's
>>>>> you used to generate this policy.
>>>>>
>>>>>
>>>> And here's another one related to hplip
>>>>
>>>> type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for
>>>> pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
>>>> scontext=system_u:system_r:hplip_t:s0
>>>> tcontext=system_u:object_r:security_t:s0 tclass=file
>>>>
>>>> type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for
>>>> pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
>>>> scontext=system_u:system_r:hplip_t:s0
>>>> tcontext=system_u:object_r:security_t:s0 tclass=file
>>>>
>>>>
>>>>
>>> Could you report this as a bug to cups. Cups has some MLS awareness in
>>> it and maybe it is reading this file directly rather than through
>>> libselinux.  CC me on the bug report dwalsh at redhat.com
>>>
>>>
>> Just a "me too" here. I've got two separate issues, one has to do with this
>> thread. Just after installing F11 everything seemed fine. I poked the
>> necessary holes in my firewall and shared my printer queues and my wife
>> could print from her F10 laptop. Now it seems just about every job gets
>> "stuck" and I see the AVC denials about python. Here's the details for mine
>> (just in case anything is different):
>>
>> ---
>> Summary:
>>
>> SELinux is preventing python (hplip_t) "read" security_t.
>>
>> Detailed Description:
>>
>> [SELinux is in permissive mode, the operation would have been denied but was
>> permitted due to permissive mode.]
>>
>> SELinux denied access requested by python. It is not expected that this access
>> is required by python and this access may signal an intrusion attempt. It is
>> also possible that the specific version or configuration of the application is
>> causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>> SELinux protection altogether. Disabling SELinux protection is not recommended.
>> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> against this package.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:hplip_t:s0
>> Target Context                system_u:object_r:security_t:s0
>> Target Objects                mls [ file ]
>> Source                        python
>> Source Path                   /usr/bin/python
>> Port                          <Unknown>
>> Host                          hobbes.localdomain
>> Source RPM Packages           python-2.6-9.fc11
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.6.12-50.fc11
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Permissive
>> Plugin Name                   catchall
>> Host Name                     hobbes.localdomain
>> Platform                      Linux hobbes.localdomain 2.6.29.4-167.fc11.x86_64
>>                               #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
>> Alert Count                   16
>> First Seen                    Sun 21 Jun 2009 02:29:26 PM CDT
>> Last Seen                     Tue 23 Jun 2009 06:58:21 PM CDT
>> Local ID                      0a0b19ce-a912-4305-9e4a-1e1369ea4f3f
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc:
>> denied  { read } for  pid=11771 comm="python" name="mls" dev=selinuxfs
>> ino=12 scontext=system_u:system_r:hplip_t:s0
>> tcontext=system_u:object_r:security_t:s0 tclass=file
>>
>> node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc:
>> denied  { open } for  pid=11771 comm="python" name="mls" dev=selinuxfs
>> ino=12 scontext=system_u:system_r:hplip_t:s0
>> tcontext=system_u:object_r:security_t:s0 tclass=file
>>
>> node=hobbes.localdomain type=SYSCALL msg=audit(1245801501.788:374):
>> arch=c000003e syscall=2 success=yes exit=6 a0=7fffb58ba060 a1=0
>> a2=7fffb58ba06c a3=fffffff8 items=0 ppid=11764 pid=11771 auid=4294967295
>> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>> ses=4294967295 comm="python" exe="/usr/bin/python"
>> subj=system_u:system_r:hplip_t:s0 key=(null)
>> ---
>>
>> Thanks,
>> Richard
>>
>>
> Those should not be blocking anything.

I followed the advice on another thread and updated to the updates-testing
version of system-config-printer and system-config-printer-libs and I
haven't had any more issues, but I haven't had time to do extensive testing
yet.

Richard
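
A triage helper for the AVC records quoted in this thread, added here as an example; it is not part of the original messages and it is not audit2allow. It groups denials by source type, target type and class so the requesting domain is obvious before any rule is considered; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Records copied from the thread, with mail line-wrapping undone.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for pid=25561 comm="python" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc: denied  { read } for  pid=11771 comm="python" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc: denied  { open } for  pid=11771 comm="python" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=hobbes.localdomain type=SYSCALL msg=audit(1245801501.788:374): arch=c000003e syscall=2 success=yes exit=6 a0=7fffb58ba060 a1=0 a2=7fffb58ba06c a3=fffffff8 items=0 ppid=11764 pid=11771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0 key=(null)
"""
AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None for non-AVC records such as SYSCALL."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return {
        "serial": int(m.group(1)),
        "perms": set(m.group(2).split()),
        "source": f["scontext"].split(":")[2],  # SELinux type is the third context field
        "target": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "object": (f.get("comm"), f.get("dev"), f.get("name")),
    }

def summarize(log_text):
    """Group denials by (source type, target type, class) and merge their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "events": set(), "objects": set()})
    for d in filter(None, map(parse_avc, log_text.splitlines())):
        g = groups[(d["source"], d["target"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["events"].add(d["serial"])
        g["objects"].add(d["object"])
    return dict(groups)

def allow_rules(groups):
    """Render each group in the allow-rule syntax of the module quoted in the thread."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE_AUDIT_LOG))))
```

On the records above this yields a single rule for hplip_t on security_t:file, covering two audit events that both concern the selinuxfs file mls opened by python.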