Bug 476183

Summary: AVC denial(s) in hp-sendfax
Product: [Fedora] Fedora
Reporter: Gilboa Davara <gilboad>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 9
CC: james
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-06-10 07:41:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Gilboa Davara 2008-12-12 10:09:37 UTC
Description of problem:
I'm trying to send a PDF fax using hp-sendfax and I'm getting AVC denials.


Version-Release number of selected component (if applicable):
$ rpm -qa | egrep -e 'hplip|selinux-policy-targeted' | sort
hplip-2.8.2-2.fc9.x86_64
hplip-gui-2.8.2-2.fc9.x86_64
selinux-policy-targeted-3.3.1-111.fc9.noarch


How reproducible:
Always


Additional info:
$ cat /var/log/messages | grep hp | grep SELinux
Dec 12 11:39:07 gilboa-home-srv setroubleshoot: SELinux is preventing the hpijs from using potentially mislabeled files (./tmp). For complete SELinux messages. run sealert -l 1c97f12c-c0fe-4f43-94f5-54fe26425e51
[rootne@gilboa-home-srv gilboa]$ sealert -l 1c97f12c-c0fe-4f43-94f5-54fe26425e51

Summary:

SELinux is preventing the hpijs from using potentially mislabeled files (./tmp).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]                                          

SELinux has denied hpijs access to potentially mislabeled file(s) (./tmp). This
means that SELinux will not allow hpijs to use these files. It is common for   
users to edit files in their home directory or tmp directories and then move   
(mv) them to system directories. The problem is that the files end up with the 
wrong file context which confined applications are not allowed to access.      

Allowing Access:

If you want hpijs to access this files, you need to relabel them using
restorecon -v './tmp'. You might want to relabel the entire directory using
restorecon -R -v './tmp'.                                                  

Additional Information:

Source Context                unconfined_u:system_r:hplip_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0                  
Target Objects                ./tmp [ dir ]                               
Source                        hpijs                                       
Source Path                   /usr/bin/hpijs                              
Port                          <Unknown>                                   
Host                          gilboa-home-srv                             
Source RPM Packages           hpijs-2.8.2-2.fc9                           
Target RPM Packages           filesystem-2.4.13-1.fc9                     
Policy RPM                    selinux-policy-3.3.1-111.fc9                
Selinux Enabled               True                                        
Policy Type                   targeted                                    
MLS Enabled                   True                                        
Enforcing Mode                Permissive                                  
Plugin Name                   home_tmp_bad_labels                         
Host Name                     gilboa-home-srv                             
Platform                      Linux gilboa-home-srv 2.6.27.5-41.fc9.x86_64 #1
                              SMP Thu Nov 13 20:29:07 EST 2008 x86_64 x86_64 
Alert Count                   2                                              
First Seen                    Fri Dec 12 11:30:11 2008                       
Last Seen                     Fri Dec 12 11:39:07 2008                       
Local ID                      1c97f12c-c0fe-4f43-94f5-54fe26425e51           
Line Numbers                                                                 

Raw Audit Messages            

node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { search } for  pid=27792 comm="hpijs" name="tmp" dev=dm-8 ino=409601 scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir                                                      

node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { write } for  pid=27792 comm="hpijs" name="tmp" dev=dm-8 ino=409601 scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir                                                       

node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { add_name } for  pid=27792 comm="hpijs" name="hplipfax8WBQaL" scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir                                                             

node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { create } for  pid=27792 comm="hpijs" name="hplipfax8WBQaL" scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file                                                          

node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { read write } for  pid=27792 comm="hpijs" name="hplipfax8WBQaL" dev=dm-8 ino=412901 scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file                                  

node=gilboa-home-srv type=SYSCALL msg=audit(1229074747.116:8692): arch=c000003e syscall=2 success=yes exit=10 a0=7fff94e8dc50 a1=c2 a2=180 a3=2d items=0 ppid=27788 pid=27792 auid=800 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=351 comm="hpijs" exe="/usr/bin/hpijs" subj=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)

Comment 1 Gilboa Davara 2008-12-12 10:12:52 UTC
P.S. I tried relabeling /var/tmp and /tmp - nothing changed.

$ restorecon -Rv /etc /var /tmp
restorecon reset /etc/hp context system_u:object_r:etc_t:s0->system_u:object_r:hplip_etc_t:s0
restorecon reset /etc/hp/hplip.conf context system_u:object_r:etc_t:s0->system_u:object_r:hplip_etc_t:s0

(Beyond hplip.conf itself that somehow needs relabeling every time - but that's another bug by itself.)

- Gilboa

Comment 2 Daniel Walsh 2008-12-12 14:31:16 UTC
Looks like hplip_t needs to be able to create hplip_tmp_t files, or cups_tmp_t files.

manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })

Should be added.
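
The raw audit records in the description, and the three rules proposed in Comment 2, are easier to reason about once each AVC line is reduced to a (source domain, target type, object class, permissions) tuple. The script below is an added example, not code from this report, from hplip or from selinux-policy. It parses the AVC records quoted in the description (embedded as constructed sample input, with one SYSCALL record to show that non-AVC lines are skipped), groups the denied permissions, and prints the generic allow rules an audit2allow-style tool would derive. The point of the comparison: those generic rules would let hplip_t search and write any directory labelled tmp_t and create files there, while the fix in Comment 2 is narrower: files_tmp_filetrans makes hplip's temporary files come into existence as cupsd_tmp_t, and the manage_*_pattern rules grant hplip_t rights on that type only, so the domain stays away from other programs' files in /tmp.

```python
"""Summarise SELinux AVC denials from raw audit records.

Added example for this bug report; it is not code from the report, from
hplip or from selinux-policy. It groups denied permissions by
(source domain, target type, object class) and renders the generic allow
rules an audit2allow-style tool would propose from them.
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the bug description,
# plus one SYSCALL record to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { search } for  pid=27792 comm="hpijs" name="tmp" dev=dm-8 ino=409601 scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { write } for  pid=27792 comm="hpijs" name="tmp" dev=dm-8 ino=409601 scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { add_name } for  pid=27792 comm="hpijs" name="hplipfax8WBQaL" scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { create } for  pid=27792 comm="hpijs" name="hplipfax8WBQaL" scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { read write } for  pid=27792 comm="hpijs" name="hplipfax8WBQaL" dev=dm-8 ino=412901 scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file
node=gilboa-home-srv type=SYSCALL msg=audit(1229074747.116:8692): arch=c000003e syscall=2 success=yes exit=10 comm="hpijs" exe="/usr/bin/hpijs"
"""

# The parts of an AVC record that decide whether a policy rule is needed.
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)
# Generic key=value / key="value" pairs (comm, name, pid, ...).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] context (e.g. hplip_t)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return a dict, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "sdomain": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }


def summarize_denials(audit_text):
    """Group denied permissions by (source domain, target type, object class)."""
    summary = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        summary[(rec["sdomain"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render the broad allow rules an audit2allow-style tool would propose."""
    rules = []
    for (sdomain, ttype, tclass), perms in sorted(summary.items()):
        rules.append("allow %s %s:%s { %s };"
                     % (sdomain, ttype, tclass, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    import sys
    # Pass a copy of audit.log as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_AUDIT
    for rule in allow_rules(summarize_denials(text)):
        print(rule)
```

Run without arguments it prints two rules, `allow hplip_t tmp_t:dir { add_name search write };` and `allow hplip_t tmp_t:file { create read write };`; run with a path to an audit.log it summarises that file instead. Seeing the target type collapse to the generic tmp_t is the cue that the right fix is a file transition to a private type, as Comment 2 does, rather than granting the domain access to everything in /tmp.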

Comment 3 Miroslav Grepl 2008-12-15 13:48:02 UTC
Fixed in selinux-policy-3.3.1-116.fc9.noarch

Comment 4 Gilboa Davara 2008-12-16 07:38:03 UTC
When is 116 due in updates-testing? (I can only see 115 - which is used to solve the rpcbind problem)

- Gilboa

Comment 5 Miroslav Grepl 2008-12-16 11:42:29 UTC
Gilboa, 

for now you can use selinux-policy-3.3.1-116.fc9.noarch from Koji.

Comment 6 Gilboa Davara 2008-12-16 15:51:15 UTC
OK. Thanks. I'll give it a try.

- Gilboa

Comment 7 Gilboa Davara 2008-12-16 16:08:57 UTC
Seems to work just fine. (No denials)

Thanks.
- Gilboa

Comment 8 Gilboa Davara 2009-04-30 14:30:43 UTC
Feel free to close this bug.

Comment 9 Bug Zapper 2009-06-10 03:24:55 UTC
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping