Bug 346191

Summary: SELinux is preventing python (hplip_t) "execute" to <Unknown> (shell_exec_t)
Product: [Fedora] Fedora Reporter: Jim Hayward <jimhayward>
Component: hplipAssignee: Tim Waugh <twaugh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: F8 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-11-28 10:10:29 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 235704    

Description Jim Hayward 2007-10-22 22:14:24 EDT
Description of problem:
Summary
    SELinux is preventing python (hplip_t) "execute" to <Unknown>
    (shell_exec_t).

Additional Information        

Source Context                system_u:system_r:hplip_t:s0
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                None [ file ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-28.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     garfield.linux.localdomain
Platform                      Linux garfield.linux.localdomain 2.6.23.1-23.fc8
                              #1 SMP Wed Oct 17 18:14:46 EDT 2007 x86_64 x86_64
Alert Count                   6
First Seen                    Fri 05 Oct 2007 03:40:19 PM PDT
Last Seen                     Mon 22 Oct 2007 07:31:15 AM PDT
Local ID                      c551f64d-95de-44ba-a21f-252ef7545630
Line Numbers                  

Raw Audit Messages            

avc: denied { execute } for comm=python dev=sda2 egid=0 euid=0
exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=bash pid=3713
scontext=system_u:system_r:hplip_t:s0 sgid=0 subj=system_u:system_r:hplip_t:s0
suid=0 tclass=file tcontext=system_u:object_r:shell_exec_t:s0 tty=(none) uid=0



Version-Release number of selected component (if applicable):
hplip-2.7.7-6.fc8

How reproducible:
This is not preventing me from printing. But it does come up every time I print
something.
Comment 1 Tim Waugh 2007-10-23 07:54:41 EDT
What does 'lpstat -s' say, and which queue are you printing to (if more than one
queue)?
Comment 2 Jim Hayward 2007-10-23 09:03:40 EDT
Interesting...

# lpstat -s
no system default destination
device for hp_LaserJet_1300: hp:/usb/hp_LaserJet_1300?serial=00CNCK070921

I know I had this printer selected as default before. This printer is
automatically selected when the print dialog is displayed in apps. I never have
to manually select it.

I set the printer to default in system-config-printer and I no longer see the
selinux denial message.
Comment 3 Tim Waugh 2007-10-23 09:08:09 EDT
Setting it to be default or not is not the problem.

Can you really not reproduce the problem any more?  When was the last time you
could reproduce the problem?
Comment 4 Jim Hayward 2007-10-23 09:20:30 EDT
As soon as I ran lpstat -s and saw no default was set, I did a test. I tried to
print something and I got the denial message. Then I changed the printer to
default and the message did not appear again. I was seeing the denial message
before every time I had printed something.
Comment 5 Jim Hayward 2007-10-23 09:28:51 EDT
Ok, I was curious what would happen if I rebooted the computer. After I
rebooted, the printer was still shown as default. When I printed something the
denial message is back again. 
Comment 6 Tim Waugh 2007-10-23 09:33:29 EDT
Okay, great.  Now, how are you printing things?  For example, are you typing in
commands into a terminal window, or printing files from a particular
application, etc?  Tell me exactly how you are printing, so that I can try to
see the same problem here.
Comment 7 Jim Hayward 2007-10-23 22:18:58 EDT
I have not tried printing from the command line. The denial message appears
regardless of the application. My desktop is GNOME. Any application I print from
will reproduce the message. Firefox, gedit, and Openoffice for sure will
reproduce the message.
Comment 8 Tim Waugh 2007-10-26 11:49:21 EDT
Does simply switching the printer on cause the message?
Comment 9 Jim Hayward 2007-10-27 09:47:19 EDT
No apparently not. I turned the computer and the printer off. Booted the
computer, logged in as my regular user, turned the printer on, and I did not see
any denial messages. 

I opened Firefox, pulled up this bug report, clicked format for printing,
File/Print, dialog showed CUPS/HP_LaserJet_1300, clicked Print and the message
appeared.

avc: denied { execute } for comm=python dev=sda2 name=bash pid=3143
scontext=system_u:system_r:hplip_t:s0 tclass=file
tcontext=system_u:object_r:shell_exec_t:s0

This printer is shared. I noticed that the message also appears when something
is printed from another computer.
Comment 10 Jim Hayward 2007-11-03 11:48:03 EDT
Tim with the updates from last week, I'm not seeing this denial message any
longer. The last few days I have not been able to reproduce it.
Comment 11 Tim Waugh 2007-11-28 10:10:29 EST
Okay, must have been fixed with an update.  Thanks for letting us know.