Bug 244205

Summary: hplip generates AVC's for root, etc. on startup
Product: [Fedora] Fedora Reporter: Tom London <selinux>
Component: hplipAssignee: Tim Waugh <twaugh>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.7.4a-4.fc7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-07-11 15:20:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 235703    
Attachments:
Description Flags
AVCs from 'service hplip start' in permissive mode none

Description Tom London 2007-06-14 14:30:07 UTC 
Description of problem:
On boot up, or on 'service hplip start', hplip generates AVCs.

Appears to be trying to create /.hplip.conf 

Attached are the AVCs when running in permissive mode.


Version-Release number of selected component (if applicable):
hplip-1.7.4a-1.fc8

How reproducible:
Every time

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Tom London 2007-06-14 14:30:07 UTC 
Created attachment 157005 [details]
AVCs from 'service hplip start' in permissive mode
Comment 2 Daniel Walsh 2007-06-14 14:33:23 UTC 
Why is this program creating a file in the /root directory?
Comment 3 Tim Waugh 2007-06-14 14:37:59 UTC 
This is another instance of bug #241776.  Investigating.
Comment 4 Tim Waugh 2007-06-14 15:21:55 UTC 
Should be fixed in 1.7.4a-2.fc8.
Comment 5 Tom London 2007-06-27 23:50:30 UTC 
I'm continuing to see this with hplip-1.7.4a-2.fc8

type=AVC msg=audit(1182958803.610:11): avc:  denied  { getattr } for  pid=2983
comm="python" name=".hplip.conf" dev=dm-0 ino=98414
scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:root_t:s0
tclass=file
type=SYSCALL msg=audit(1182958803.610:11): arch=40000003 syscall=195 success=no
exit=-13 a0=8256708 a1=bfab6bf8 a2=4604aff4 a3=81a51b8 items=0 ppid=2982
pid=2983 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0
key=(null)
type=AVC_PATH msg=audit(1182958803.610:11):  path="/.hplip.conf"
type=AVC msg=audit(1182958803.610:12): avc:  denied  { write } for  pid=2983
comm="python" name=".hplip.conf" dev=dm-0 ino=98414
scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:root_t:s0
tclass=file
type=SYSCALL msg=audit(1182958803.610:12): arch=40000003 syscall=5 success=no
exit=-13 a0=8256708 a1=8241 a2=1b6 a3=82bb430 items=0 ppid=2982 pid=2983
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0
key=(null)
type=AVC msg=audit(1182958803.610:13): avc:  denied  { getattr } for  pid=2983
comm="python" name=".hplip.conf" dev=dm-0 ino=98414
scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:root_t:s0
tclass=file
type=SYSCALL msg=audit(1182958803.610:13): arch=40000003 syscall=195 success=no
exit=-13 a0=8256c40 a1=bfab6818 a2=4604aff4 a3=81a51b8 items=0 ppid=2982
pid=2983 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0
key=(null)
type=AVC_PATH msg=audit(1182958803.610:13):  path="/.hplip.conf"
Comment 6 Tim Waugh 2007-06-28 09:06:05 UTC 
Tom: how are you getting those?  What triggers them?  Are you interacting with
CUPS in some way, or directly using some hplip tool?
Comment 7 Daniel Walsh 2007-06-28 11:08:18 UTC 
I have also seen them

time->Tue Jun 26 16:07:21 2007
type=PATH msg=audit(1182888441.258:11): item=0 name="/.hplip.conf" inode=2
dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:root_t:s0
type=CWD msg=audit(1182888441.258:11):  cwd="/usr/share/hplip"
type=SYSCALL msg=audit(1182888441.258:11): arch=40000003 syscall=5 success=no
exit=-13 a0=97d7f38 a1=8241 a2=1b6 a3=988bac0 items=1 ppid=2620 pid=2621
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0
key=(null)
type=AVC msg=audit(1182888441.258:11): avc:  denied  { write } for  pid=2621
comm="python" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:root_t:s0 tclass=dir

rpm -q hplip
hplip-1.7.4a-2.fc8

I just have it installed and I think it happens on a reboot.  Restart is not
generating them.

Thie is rawhide.
Comment 8 Tim Waugh 2007-06-28 12:40:18 UTC 
I can't reproduce that.  I have rawhide here, with hplip-1.7.4a-2.fc8, and I
don't get those audit messages on boot.
Comment 9 Tom London 2007-06-28 13:41:47 UTC 
I get them on boot and whenever I do 'service hplip stop; service hplip start'.

I get no AVC with 'service hplip stop'; just with 'start'.  Also running Rawhide.

type=AVC msg=audit(1183037989.902:39): avc:  denied  { getattr } for  pid=4069
comm="python" name=".hplip.conf" dev=dm-0 ino=9043994
scontext=system_u:system_r:hplip_t:s0 tcontext=root:object_r:sysadm_home_t:s0
tclass=file
type=SYSCALL msg=audit(1183037989.902:39): arch=40000003 syscall=195 success=yes
exit=0 a0=9d94c20 a1=bfb42138 a2=4604aff4 a3=9ce81b8 items=0 ppid=4068 pid=4069
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0 key=(null)
type=AVC_PATH msg=audit(1183037989.902:39):  path="/root/.hplip.conf"
type=AVC msg=audit(1183037989.902:40): avc:  denied  { read } for  pid=4069
comm="python" name=".hplip.conf" dev=dm-0 ino=9043994
scontext=system_u:system_r:hplip_t:s0 tcontext=root:object_r:sysadm_home_t:s0
tclass=file
type=SYSCALL msg=audit(1183037989.902:40): arch=40000003 syscall=5 success=yes
exit=4 a0=9da8f98 a1=8000 a2=1b6 a3=9dffbc0 items=0 ppid=4068 pid=4069 auid=500
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="python"
exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0 key=(null)
Comment 10 Tim Waugh 2007-06-28 15:35:50 UTC 
I still can't reproduce this here.  Please try hplip-1.7.4a-3.fc8.
Comment 11 Tom London 2007-06-28 16:03:50 UTC 
I downloaded from koji and installed.

'service hplip start' no longer produces AVCs.

I'll test on boot up later.
Comment 12 Fedora Update System 2007-06-29 14:02:37 UTC 
hplip-1.7.4a-3.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2007-07-09 15:48:43 UTC 
hplip-1.7.4a-4.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2007-07-11 15:20:41 UTC 
hplip-1.7.4a-4.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.