Re: udev-configure-printer AVC on chr_file 003

On 02/15/2016 12:25 PM, Robert Nichols wrote: > On 02/15/2016 10:03 AM, Miroslav Grepl wrote: >> On 02/14/2016 01:43 AM, Robert Nichols wrote: >>> In CentOS 6.7 with Windows 7 running in a QEMU/KVM virtual machine, >>> when I power-on a printer that the Windows VM uses via networking >>> I get the below AVC alert. Anyone have any idea what is going on? >>> I haven't noticed anything not working. >>> >> >> Is it a USB printer? > > The host is using a USB connection with CUPS. The printer also has a > network interface, and I let Windows machines (both real and VM) use > it directly via the network rather than setting up Samba print sharing. I find I get this alert even on a fresh boot of the host with no VMs and no virt-manager running. Only the libvirtd service is running. Looking up the reported inode number, I find /dev/bus/usb/003/002:

# ls -Z /dev/bus/usb/003/002 crw-rw-r--. qemu qemu system_u:object_r:svirt_image_t:s0:c68,c582 /dev/bus/usb/003/002 # lsof /dev/bus/usb/003/002 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME qemu-kvm 4370 qemu 28u CHR 189,257 0t271 10937 /dev/bus/usb/003/002 If there are no other suggestions, I'm going to DONTAUDIT this to get it out of my hair. >>> SELinux is preventing /lib/udev/udev-configure-printer from read access >>> on the chr_file 003. >>> >>> ***** Plugin catchall (100. confidence) suggests >>> *************************** >>> >>> If you believe that udev-configure-printer should be allowed read >>> access >>> on the 003 chr_file by default. >>> Then you should report this as a bug. >>> You can generate a local policy module to allow this access. >>> Do >>> allow this access for now by executing: >>> # grep udev-configure- /var/log/audit/audit.log | audit2allow -M mypol >>> # semodule -i mypol.pp >>> >>> Additional Information: >>> Source Context system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 >>> Target Context >>> system_u:object_r:svirt_image_t:s0:c255,c554 >>> Target Objects 003 [ chr_file ] >>> Source udev-configure- >>> Source Path /lib/udev/udev-configure-printer >>> Port <Unknown> >>> Host omega-3g.local >>> Source RPM Packages system-config-printer-udev-1.1.16-25.el6.x86_64 >>> Target RPM Packages >>> Policy RPM selinux-policy-3.7.19-279.el6_7.8.noarch >>> Selinux Enabled True >>> Policy Type targeted >>> Enforcing Mode Enforcing >>> Host Name omega-3g.local >>> Platform Linux omega-3g.local >>> 3.18.21-16.el6.x86_64 >>> #1 SMP >>> Sat Sep 26 01:24:19 UTC 2015 x86_64 >>> x86_64 >>> Alert Count 1 >>> First Seen Sat 13 Feb 2016 06:18:29 PM CST >>> Last Seen Sat 13 Feb 2016 06:18:29 PM CST >>> Local ID c3c9d30e-0835-4402-b342-acddd26e1686 >>> >>> Raw Audit Messages >>> type=AVC msg=audit(1455409109.607:29449): avc: denied { read } for >>> pid=32326 comm="udev-configure-" name="003" dev="devtmpfs" ino=2706 >>> scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 >>> tcontext=system_u:object_r:svirt_image_t:s0:c255,c554 tclass=chr_file >>> permissive=0 >>> >>> >>> type=SYSCALL msg=audit(1455409109.607:29449): arch=x86_64 syscall=open >>> success=no exit=EACCES a0=7ffe1bd16eb0 a1=0 a2=d a3=0 items=0 ppid=1 >>> pid=32326 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >>> sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=udev-configure- >>> exe=/lib/udev/udev-configure-printer >>> subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null) >>> >>> Hash: udev-configure-,cupsd_config_t,svirt_image_t,chr_file,read >>> >>> >>> >> >> > >