Bug 352161
Summary: | SELinux is preventing python (cupsd_config_t) "read write" to (usb_device_t). | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | M. A. MacLain <mgml> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> |
Severity: | low | Priority: | low |
Version: | 8 | CC: | twaugh |
Hardware: | i386 | OS: | Linux |
Doc Type: | Bug Fix | Last Closed: | 2007-10-30 20:15:05 UTC |
Description
M. A. MacLain
2007-10-25 11:57:04 UTC
Reassigning to SELinux policy component. Read ya, Phil

Do you have any idea what python application is running? Sounds like it might be /usr/libexec/hal_lpadmin. So this is something we want to allow. Can we expect other avc's from this?

I've just spent a while trying to reproduce this AVC here, but for some reason I can't. /usr/libexec/hal_lpadmin gets run by hald, and needs to be able to run /usr/bin/hp-probe. This in turn needs to read/write usb_device_t (for device access), hplip_etc_t (for config files), and so on. However, this should all be taken care of already:

/usr/libexec/hal_lpadmin gets run in domain cupsd_config_t
/usr/bin/hp-probe is a symlink to /usr/share/hplip/probe.py
/usr/share/hplip/probe.py is labelled hplip_exec_t
cupsd_config_t can transition to hplip_t when executing hplip_exec_t
finally, hplip_t can read/write usb_device_t etc

So: what do these commands say?:

1. rpm -q hplip
2. rpm -V hplip
3. ls -l /usr/bin/hp-probe
4. ls -Z /usr/share/hplip/probe.py

But it looks like something is running python script rather than just script with python in the first line. I am not sure how this works from an SELinux point of view, but it is probably a bad idea since external environment can change the python.

    #!/usr/bin/env python

The Python code in hal_lpadmin for running hp-probe looks like this:

    os.popen("LC_ALL=C hp-probe ...")

Could that be the problem? Otherwise there is some code that gets run from 'hp-info', also started by hal_lpadmin in the same way as above when a device is *disconnected*, like this:

    os.system("python " + os.path.join(prop.home_dir, "hpssd.py"))

I can see that this latter case is doing exactly what you suggested, running Python directly and tell it which script to load -- however, hplip-2.7.7-6.fc8 no longer gets to that line on device disconnection.

mgml: please supply more information:

1. rpm -q hplip
2. rpm -V hplip
3. ls -l /usr/bin/hp-probe
4. ls -Z /usr/share/hplip/probe.py
5. please try to narrow down *precisely* which operation causes the audit message: is it connecting/switch on the printer, or submitting a print job, or disconnecting/switching off the printer?

Requested information:

1.-rpm -q hplip:
    hplip-2.7.7-6.fc8
2.-rpm -V hplip:
    prelink: /usr/lib/cups/backend/hp: at least one of file's dependencies has changed since prelinking
    S.?..... /usr/lib/cups/backend/hp
3.-ls -l /usr/bin/hp-probe:
    lrwxrwxrwx 1 root root 23 2007-10-13 14:22 /usr/bin/hp-probe -> ../share/hplip/probe.py
4.-ls -Z /usr/share/hplip/probe.py:
    -rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/share/hplip/probe.py
5.-Audit message triggered by switching on the printer. Note cord usb was already connected when the printer was switched on.

It looks like /usr/share/hplip/probe.py is labelled incorrectly, and that could be causing the problem. So:

1. What does 'rpm -q selinux-policy' say?
2. What does '/sbin/restorecon -v /usr/share/hplip/probe.py' say, as root, and does it fix the AVC messages?

Fixed in selinux-policy-3.0.8-38

The printer is working properly now. Thanks
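
The label mismatch found in this thread can be traced with a small model of the transition chain the comments describe. This is an added example, not code from the bug report or from selinux-policy: the two rule tables are assumptions that encode only the rules stated above, the fallback of staying in the caller's domain is a simplification, and the `hplip_exec_t` line is constructed for comparison.

```python
import re

# Simplified model of the two rules stated in the thread (not real policy source).
TRANSITIONS = {("cupsd_config_t", "hplip_exec_t"): "hplip_t"}
ALLOW = {("hplip_t", "usb_device_t"): {"read", "write"}}

# user:role:type with an optional MLS level, as printed by ls -Z
CTX = re.compile(r"^[\w.-]+:[\w.-]+:(?P<type>[\w.-]+)(?::\S+)?$")


def file_type(ls_z_line):
    """Return the SELinux type from one line of `ls -Z` output."""
    for token in ls_z_line.split():
        m = CTX.match(token)
        if m:
            return m.group("type")
    raise ValueError("no security context in: %r" % ls_z_line)


def domain_after_exec(caller_domain, exec_type):
    """Domain of the new process; without a matching rule the caller's domain is kept."""
    return TRANSITIONS.get((caller_domain, exec_type), caller_domain)


def check(caller_domain, ls_z_line, target_type, perms):
    """Return (resulting domain, sorted list of denied permissions)."""
    domain = domain_after_exec(caller_domain, file_type(ls_z_line))
    denied = set(perms) - ALLOW.get((domain, target_type), set())
    return domain, sorted(denied)


# Line reported in the thread for probe.py
OBSERVED = "-rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/share/hplip/probe.py"
# Constructed line: the same file carrying the label the thread expects
EXPECTED = "-rwxr-xr-x root root system_u:object_r:hplip_exec_t:s0 /usr/share/hplip/probe.py"

if __name__ == "__main__":
    for name, line in (("observed", OBSERVED), ("expected", EXPECTED)):
        domain, denied = check("cupsd_config_t", line, "usb_device_t", ["read", "write"])
        print(name, "-> domain", domain, "denied", denied or "nothing")
```

With the observed `bin_t` label the process stays in `cupsd_config_t` and both permissions are denied, which matches the AVC in the summary.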