Selinux, cups, hplip

Daniel J Walsh dwalsh at redhat.com
Wed Jun 24 19:04:39 UTC 2009


On 06/23/2009 08:09 PM, Richard Shaw wrote:
> On Mon, Jun 22, 2009 at 3:48 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>> On 06/20/2009 01:50 PM, Steven Stern wrote:
>>
>>> On 06/20/2009 06:12 AM, Daniel J Walsh wrote:
>>>
>>>> On 06/19/2009 07:10 PM, Steven Stern wrote:
>>>>
>>>>> After installing hplip-gui, I got selinux errors when checking on the
>>>>> printer status.
>>>>>
>>>>> audit2allow generated the following policy
>>>>>
>>>>> module cups20090619 1.0;
>>>>>
>>>>> require {
>>>>> type hwdata_t;
>>>>> type xdm_t;
>>>>> class dir search;
>>>>> class file { read getattr open };
>>>>> }
>>>>>
>>>>> #============= xdm_t ==============
>>>>> allow xdm_t hwdata_t:dir search;
>>>>> allow xdm_t hwdata_t:file { read getattr open };
>>>>>
>>>>>
>>>> xdm is checking the printer status? This allow rule indicates the X
>>>> Login program is checking the printer status. Could you attach the AVCs
>>>> you used to generate this policy.
>>>>
>>>>
>>> And here's another one related to hplip
>>>
>>> type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for
>>> pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
>>> scontext=system_u:system_r:hplip_t:s0
>>> tcontext=system_u:object_r:security_t:s0 tclass=file
>>>
>>> type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for
>>> pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
>>> scontext=system_u:system_r:hplip_t:s0
>>> tcontext=system_u:object_r:security_t:s0 tclass=file
>>>
>>>
>>>
>> Could you report this as a bug to cups. Cups has some MLS awareness in
>> it and maybe it is reading this file directly rather than through
>> libselinux.  CC me on the bug report dwalsh at redhat.com
>>
>>
> Just a "me too" here. I've got two separate issues, one has to do with this
> thread. Just after installing F11 everything seemed fine. I poked the
> necessary holes in my firewall and shared my printer queues and my wife
> could print from her F10 laptop. Now it seems just about every job gets
> "stuck" and I see the AVC denials about python. Here's the details for mine
> (just in case anything is different:
>
> ---
> Summary:
>
> SELinux is preventing python (hplip_t) "read" security_t.
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was
> permitted due to permissive mode.]
>
> SELinux denied access requested by python. It is not expected that this
> access is required by python and this access may signal an intrusion attempt.
> It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:hplip_t:s0
> Target Context                system_u:object_r:security_t:s0
> Target Objects                mls [ file ]
> Source                        python
> Source Path                   /usr/bin/python
> Port                          <Unknown>
> Host                          hobbes.localdomain
> Source RPM Packages           python-2.6-9.fc11
> Target RPM Packages
> Policy RPM                    selinux-policy-3.6.12-50.fc11
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall
> Host Name                     hobbes.localdomain
> Platform                      Linux hobbes.localdomain 2.6.29.4-167.fc11.x86_64
>                               #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
> Alert Count                   16
> First Seen                    Sun 21 Jun 2009 02:29:26 PM CDT
> Last Seen                     Tue 23 Jun 2009 06:58:21 PM CDT
> Local ID                      0a0b19ce-a912-4305-9e4a-1e1369ea4f3f
> Line Numbers
>
> Raw Audit Messages
>
> node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc:
> denied  { read } for  pid=11771 comm="python" name="mls" dev=selinuxfs
> ino=12 scontext=system_u:system_r:hplip_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
>
> node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc:
> denied  { open } for  pid=11771 comm="python" name="mls" dev=selinuxfs
> ino=12 scontext=system_u:system_r:hplip_t:s0
> tcontext=system_u:object_r:security_t:s0 tclass=file
>
> node=hobbes.localdomain type=SYSCALL msg=audit(1245801501.788:374):
> arch=c000003e syscall=2 success=yes exit=6 a0=7fffb58ba060 a1=0
> a2=7fffb58ba06c a3=fffffff8 items=0 ppid=11764 pid=11771 auid=4294967295
> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=4294967295 comm="python" exe="/usr/bin/python"
> subj=system_u:system_r:hplip_t:s0 key=(null)
> ---
>
> Thanks,
> Richard
>
>
Those should not be blocking anything.
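The audit2allow step discussed in this thread, reimplemented as an added example (it is not code from the thread, from audit2allow or from hplip): it parses the AVC records quoted above, merges the denied permissions per source type, target type and object class into allow rules of the same shape as the module Steven posted, and reads the SYSCALL record's success=yes to show why, in permissive mode, these denials are logged but do not block anything.

```python
import re
from collections import defaultdict

# Sample audit records copied from the thread above (hplip_t reading "mls" on selinuxfs).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for pid=25561 comm="python" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for pid=25561 comm="python" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=hobbes.localdomain type=SYSCALL msg=audit(1245801501.788:374): arch=c000003e syscall=2 success=yes exit=6 a0=7fffb58ba060 a1=0 a2=7fffb58ba06c a3=fffffff8 items=0 ppid=11764 pid=11771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0 key=(null)
"""


def parse_avc(line):
    """Return (source type, target type, tclass, permissions) for an AVC denial, else None."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=(\S+)', line))
    # A context is user:role:type:level; the policy rule only needs the type.
    stype = fields['scontext'].split(':')[2]
    ttype = fields['tcontext'].split(':')[2]
    return stype, ttype, fields['tclass'], set(m.group(1).split())


def allow_rules(audit_text):
    """Merge all denials into audit2allow-style allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        joined = " ".join(sorted(perms))
        body = joined if len(perms) == 1 else "{ " + joined + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


def denial_enforced(audit_text):
    """False when the matching SYSCALL record says success=yes: the open() returned a
    descriptor (exit=6), so SELinux only logged the denial (permissive mode)."""
    for line in audit_text.splitlines():
        if "type=SYSCALL" in line and "success=yes" in line:
            return False
    return True
```

Before loading any such generated rule, check whether the denial was enforced at all and whether the access is legitimate (here Dan's advice is to file a cups bug rather than widen hplip_t's policy).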