Bug 352161

Summary: SELinux is preventing python (cupsd_config_t) "read write" to (usb_device_t).
Product: Fedora
Reporter: M. A. MacLain <mgml>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: low
Priority: low
Version: 8
CC: twaugh
Target Milestone: ---
Target Release: ---
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2007-10-30 20:15:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description M. A. MacLain 2007-10-25 11:57:04 UTC
Description of problem:
SELinux is preventing python (cupsd_config_t) "read write" to (usb_device_t).
Please file a bug report against this package.

Additional Information
Source Context:  system_u:system_r:cupsd_config_t:s0
Target Context:  system_u:object_r:usb_device_t:s0
Target Objects:  None [ chr_file ]
Affected RPM Packages:
Policy RPM:  selinux-policy-3.0.8-30.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  dhcppc2
Platform:  Linux dhcppc2 2.6.23.1-30.fc8 #1 SMP Mon Oct 22 18:46:28 EDT 2007 i686 i686
Alert Count:  113
First Seen:  Sat 13 Oct 2007 08:02:43 AM EDT
Last Seen:  Thu 25 Oct 2007 07:41:31 AM EDT
Local ID:  821409d0-1948-425c-b4e5-0ee848ccf6f1
Line Numbers:
Raw Audit Messages:
avc: denied { read write } for comm=python dev=tmpfs egid=0 euid=0
exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=001 pid=2839
scontext=system_u:system_r:cupsd_config_t:s0 sgid=0
subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
3.0.8-30.fc8

How reproducible: Repeatable


Steps to Reproduce:
1. Turn on HP Printer

Comment 1 Phil Knirsch 2007-10-25 12:30:44 UTC
Reassigning to SELinux policy component.

Read ya, Phil

Comment 2 Daniel Walsh 2007-10-25 13:33:09 UTC
Do you have any idea what python application is running?  

Comment 3 Tim Waugh 2007-10-25 14:07:23 UTC
Sounds like it might be /usr/libexec/hal_lpadmin.

Comment 4 Daniel Walsh 2007-10-25 14:20:33 UTC
So this is something we want to allow.  Can we expect other avc's from this.

Comment 5 Tim Waugh 2007-10-25 15:45:53 UTC
I've just spent a while trying to reproduce this AVC here, but for some reason I
can't.

/usr/libexec/hal_lpadmin gets run by hald, and needs to be able to run
/usr/bin/hp-probe.  This in turn needs to read/write usb_device_t (for device
access), hplip_etc_t (for config files), and so on.

However, this should all be taken care of already:

/usr/libexec/hal_lpadmin gets run in domain cupsd_config_t
/usr/bin/hp-probe is a symlink to /usr/share/hplip/probe.py
/usr/share/hplip/probe.py is labelled hplip_exec_t
cupsd_config_t can transition to hplip_t when executing hplip_exec_t
finally, hplip_t can read/write usb_device_t etc

So: what do these commands say?:

1. rpm -q hplip
2. rpm -V hplip
3. ls -l /usr/bin/hp-probe
4. ls -Z /usr/share/hplip/probe.py
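
As an added illustration of the label/transition chain described in this comment (not code from the bug report or from hplip): the snippet below parses the raw AVC line from the description and checks, against a constructed transition table, whether the process ended up in the domain the policy intended. The TRANSITIONS and USB_ACCESS tables and the diagnose helper are assumptions built from the comment, not read from the real policy; the script label passed in is what 'ls -Z' would report.

```python
import re

# Raw audit message quoted in the bug description (constructed copy, one line).
AVC_LINE = (
    "avc: denied { read write } for comm=python dev=tmpfs egid=0 euid=0 "
    "exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=001 pid=2839 "
    "scontext=system_u:system_r:cupsd_config_t:s0 sgid=0 "
    "subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file "
    "tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0"
)

# Transition chain from the comment: caller domain -> (label the executed script
# must carry, domain the process lands in). Hypothetical table, not the real policy.
TRANSITIONS = {"cupsd_config_t": ("hplip_exec_t", "hplip_t")}

# Domains the comment says may read/write usb_device_t (assumption).
USB_ACCESS = {"hplip_t"}


def parse_avc(line):
    """Split an AVC line into its key=value fields plus the permission set."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    perms = re.search(r"\{\s*([^}]*?)\s*\}", line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def type_of(context):
    """'system_u:system_r:cupsd_config_t:s0' -> 'cupsd_config_t'."""
    return context.split(":")[2]


def diagnose(avc, script_label):
    """Explain a usb_device_t denial given the label actually on the executed script."""
    src = type_of(avc["scontext"])
    tgt = type_of(avc["tcontext"])
    if tgt != "usb_device_t":
        return "not a usb_device_t denial"
    if src in USB_ACCESS:
        return f"{src} should already have usb_device_t access; check the policy"
    if src not in TRANSITIONS:
        return f"{src} has no transition to a USB-capable domain"
    exec_label, new_domain = TRANSITIONS[src]
    if script_label != exec_label:
        # The exec never hit the entrypoint label, so no domain transition happened.
        return (f"script labelled {script_label} instead of {exec_label}: "
                f"{src} never transitioned to {new_domain}; run restorecon")
    return f"label {exec_label} is correct; {src} -> {new_domain} transition expected"
```

Running diagnose(parse_avc(AVC_LINE), "bin_t") reproduces the mislabelled state later reported in this bug; passing "hplip_exec_t" shows the healthy case.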

Comment 6 Daniel Walsh 2007-10-25 17:49:25 UTC
But it looks like something is running

python script

Rather than just

script with python in the first line.

I am not sure how this works from an SELinux point of view, but it is probably a
bad idea since external environment can change the python.
#!/usr/bin/env python

Comment 7 Tim Waugh 2007-10-26 10:04:30 UTC
The Python code in hal_lpadmin for running hp-probe looks like this:

os.popen("LC_ALL=C hp-probe ...")

Could that be the problem?

Otherwise there is some code that gets run from 'hp-info', also started by
hal_lpadmin in the same way as above when a device is *disconnected*, like this:

os.system("python " + os.path.join(prop.home_dir, "hpssd.py"))

I can see that this latter case is doing exactly what you suggested, running
Python directly and telling it which script to load -- however, hplip-2.7.7-6.fc8
no longer gets to that line on device disconnection.

mgml: please supply more information:
1. rpm -q hplip
2. rpm -V hplip
3. ls -l /usr/bin/hp-probe
4. ls -Z /usr/share/hplip/probe.py
5. please try to narrow down *precisely* which operation causes the audit
message: is it connecting/switch on the printer, or submitting a print job, or
disconnecting/switching off the printer?

Comment 8 M. A. MacLain 2007-10-26 21:00:46 UTC
Requested information:

1. rpm -q hplip:
hplip-2.7.7-6.fc8

2. rpm -V hplip:
prelink: /usr/lib/cups/backend/hp: at least one of file's dependencies has changed since prelinking
S.?.....   /usr/lib/cups/backend/hp

3. ls -l /usr/bin/hp-probe:
lrwxrwxrwx 1 root root 23 2007-10-13 14:22 /usr/bin/hp-probe -> ../share/hplip/probe.py

4. ls -Z /usr/share/hplip/probe.py:
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/share/hplip/probe.py

5. Audit message triggered by switching on the printer. Note the USB cord was
already connected when the printer was switched on.

Comment 9 Tim Waugh 2007-10-29 10:59:22 UTC
It looks like /usr/share/hplip/probe.py is labelled incorrectly, and that could
be causing the problem.  So:

1. What does 'rpm -q selinux-policy' say?
2. What does '/sbin/restorecon -v /usr/share/hplip/probe.py' say, as root, and
does it fix the AVC messages?

Comment 10 Daniel Walsh 2007-10-30 03:37:31 UTC
Fixed in selinux-policy-3.0.8-38

Comment 11 M. A. MacLain 2007-10-30 12:08:13 UTC
The printer is working properly now. Thanks