cupsd_t/hplip_etc_t AVCs configuring w/ browser interface

Daniel J Walsh dwalsh at redhat.com
Thu Sep 28 14:56:52 UTC 2006


Tom London wrote:
> Running Rawhide, targeted/enforcing:
>
> Get the following when attempting to 'add/modify' cups classes using
> the browser interface (http://localhost:631). I'm guessing it's trying
> to access /etc/hp:
>
> [tbl at localhost hp]$ ls -lZ /etc/hp
> -rw-r--r--  root root system_u:object_r:hplip_etc_t    hplip.conf
> [tbl at localhost hp]$
>
> type=AVC msg=audit(1159399431.862:77): avc:  denied  { search } for
> pid=4914 comm="hp" name="hp" dev=dm-0 ino=11108479
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
> type=SYSCALL msg=audit(1159399431.862:77): arch=40000003 syscall=5
> success=no exit=-13 a0=804c305 a1=0 a2=1b6 a3=9518008 items=0
> ppid=4913 pid=4914 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
> egid=7 sgid=7 fsgid=7 tty=(none) comm="hp"
> exe="/usr/lib/cups/backend/hp"
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>
> Putting it in permissive mode and browsing to 'Administration' page 
> produces:
>
> type=AVC msg=audit(1159400309.010:111): avc:  denied  { search } for
> pid=5019 comm="hp" name="hp" dev=dm-0 ino=11108479
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
> type=AVC msg=audit(1159400309.010:111): avc:  denied  { read } for
> pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1159400309.010:111): arch=40000003 syscall=5
> success=yes exit=4 a0=804c305 a1=0 a2=1b6 a3=806a008 items=0 ppid=5018
> pid=5019 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7
> sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp"
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(1159400309.014:112): avc:  denied  { getattr } for
> pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1159400309.014:112): arch=40000003 syscall=197
> success=yes exit=0 a0=4 a1=bf866cd8 a2=49872ff4 a3=806a008 items=0
> ppid=5018 pid=5019 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
> egid=7 sgid=7 fsgid=7 tty=(none) comm="hp"
> exe="/usr/lib/cups/backend/hp"
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
> type=AVC_PATH msg=audit(1159400309.014:112):  path="/etc/hp/hplip.conf"
> type=AVC msg=audit(1159400310.474:113): avc:  denied  { search } for
> pid=5039 comm="python" name="hp" dev=dm-0 ino=11108479
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
> type=AVC msg=audit(1159400310.474:113): avc:  denied  { getattr } for
> pid=5039 comm="python" name="hplip.conf" dev=dm-0 ino=11108480
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1159400310.474:113): arch=40000003 syscall=195
> success=yes exit=0 a0=99b4a98 a1=bfb26f88 a2=49872ff4 a3=99601b0
> items=0 ppid=5018 pid=5039 auid=4294967295 uid=0 gid=7 euid=0 suid=0
> fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) comm="python"
> exe="/usr/bin/python" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> key=(null)
> type=AVC_PATH msg=audit(1159400310.474:113):  path="/etc/hp/hplip.conf"
> type=AVC msg=audit(1159400310.474:114): avc:  denied  { read } for
> pid=5039 comm="python" name="hplip.conf" dev=dm-0 ino=11108480
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
> type=SYSCALL msg=audit(1159400310.474:114): arch=40000003 syscall=5
> success=yes exit=4 a0=99b4a98 a1=8000 a2=1b6 a3=99d2070 items=0
> ppid=5018 pid=5039 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
> egid=7 sgid=7 fsgid=7 tty=(none) comm="python" exe="/usr/bin/python"
> subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
>
> tom
Added in selinux-policy-2.3.16-5
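
Every denial quoted above has source type cupsd_t and target type hplip_etc_t, so the records collapse into a small set of permissions. The following is an added example, not part of the original thread and not the actual change shipped in the policy package: it merges AVC records into the raw allow rules they imply, in the form audit2allow prints, using a sample constructed from three of the quoted records joined onto single lines (the function names are this example's own).

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records from the post, each joined onto one line.
SAMPLE = """\
type=AVC msg=audit(1159400309.010:111): avc:  denied  { search } for pid=5019 comm="hp" name="hp" dev=dm-0 ino=11108479 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=AVC msg=audit(1159400309.010:111): avc:  denied  { read } for pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=AVC msg=audit(1159400309.014:112): avc:  denied  { getattr } for pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400309.014:112): arch=40000003 syscall=197 success=yes exit=0 comm="hp" exe="/usr/lib/cups/backend/hp"
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type field (third component) of user:role:type[:mls]."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms, comm) per AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not line.startswith("type=AVC ") or not m:
            continue  # skips SYSCALL and AVC_PATH records
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        yield (context_type(fields["scontext"]), context_type(fields["tcontext"]),
               fields["tclass"], m.group(1).split(), fields.get("comm", "?"))

def summarize(text):
    """Merge denials into {(source, target, class): sorted permission list}."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms, _comm in parse_denials(text):
        merged[(src, tgt, tclass)].update(perms)
    return {key: sorted(perms) for key, perms in merged.items()}

def as_allow_rules(summary):
    """Render the summary as raw 'allow' statements, one per class."""
    rules = []
    for (src, tgt, tclass), perms in sorted(summary.items()):
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE))))
```

Raw allow rules like these are a starting point for review; whether a domain should get the access at all is a policy decision the log cannot answer.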



