Bug 479178

Summary: cups/hplip wants to write its config file (hplip.conf)?????
Product: [Fedora] Fedora Reporter: Tom London <selinux>
Component: hplipAssignee: Tim Waugh <twaugh>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 10CC: dwalsh, james, ronin3510, twaugh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 2.8.12-6.fc10 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-03-13 18:35:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Tom London 2009-01-07 19:08:22 UTC 
Description of problem:
I'm seeing the following AVCs when I attempt to print to my HP1300 laserjet:

type=AVC msg=audit(1231349328.831:10): avc:  denied  { write } for  pid=2553 comm="python" name="hplip.conf" dev=dm-1 ino=778585 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1231349328.831:10): arch=c000003e syscall=2 success=no exit=-13 a0=1945210 a1=241 a2=1b6 a3=7feef5bda6f0 items=0 ppid=2549 pid=2553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0 key=(null)
type=ANOM_ABEND msg=audit(1231349329.067:11): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:kernel_t:s0 pid=790 comm="plymouthd" sig=11
type=AVC msg=audit(1231349329.154:12): avc:  denied  { write } for  pid=2588 comm="python" name="hplip.conf" dev=dm-1 ino=778585 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1231349329.154:12): arch=c000003e syscall=2 success=no exit=-13 a0=1039210 a1=241 a2=1b6 a3=7f18011216f0 items=0 ppid=2587 pid=2588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0 key=(null)
type=AVC msg=audit(1231349329.446:13): avc:  denied  { write } for  pid=2645 comm="python" name="hplip.conf" dev=dm-1 ino=778585 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1231349329.446:13): arch=c000003e syscall=2 success=no exit=-13 a0=7f60f198be70 a1=241 a2=1b6 a3=7f60f1ec76f0 items=0 ppid=2642 pid=2645 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0 key=(null)

Can this be a good idea?

Version-Release number of selected component (if applicable):
hplip-2.8.12-1.fc11.x86_64
cups-1.4-0.b2.2.fc11.x86_64

How reproducible:
Every time

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Gabriel Sfestarof 2009-01-10 21:02:49 UTC 
I can confirm it for F10.



 rpm -qa|grep selinux && rpm -qa|grep hplip
libselinux-utils-2.0.73-1.fc10.i386
selinux-policy-doc-3.5.13-38.fc10.noarch
selinux-policy-3.5.13-38.fc10.noarch
libselinux-2.0.73-1.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
selinux-doc-1.26-1.1.noarch
selinux-policy-targeted-3.5.13-38.fc10.noarch
hplip-libs-2.8.12-1.fc10.i386
hplip-2.8.12-1.fc10.i386
hplip-gui-2.8.12-1.fc10.i386




After doing semanage permissive -a hplip_t here's the difference between the original file copied in /root and the modified one


 diff  /etc/hp/hplip.conf /root/hplip.conf 
1,13c1
< [dirs]
< run = /var/run
< cupsbackend = /usr/lib/cups/backend
< ppd = /usr/share/ppd/HP
< doc = /usr/share/doc/hplip-2.8.12
< drv = /usr/share/cups/drv/hp
< ppdbase = /usr/share/ppd
< home = /usr/share/hplip
< icon = /usr/share/applications
< cupsfilter = /usr/lib/cups/filter
< 
< [last_used]
< device_uri = hp:/usb/Deskjet_F4100_series?serial=CN7673S2N104TJ
---
> # hplip.conf.  Generated from hplip.conf.in by configure.
16c4
< version = 2.8.12
---
> version=2.8.12
17a6,17
> [dirs]
> home=/usr/share/hplip
> run=/var/run
> ppd=/usr/share/ppd/HP
> ppdbase=/usr/share/ppd
> doc=/usr/share/doc/hplip-2.8.12
> icon=/usr/share/applications
> cupsbackend=/usr/lib/cups/backend
> cupsfilter=/usr/lib/cups/filter
> drv=/usr/share/cups/drv/hp
> 
> # Following values are determined at configure time and cannot be changed.
19,35c19,36
< foomatic-rip-hplip-install = no
< qt4 = no
< doc-build = yes
< qt3 = yes
< cups11-build = no
< gui-build = yes
< internal-tag = 2.8.12.26
< foomatic-ppd-install = no
< network-build = yes
< ui-toolkit = qt3
< pp-build = yes
< fax-build = yes
< scanner-build = yes
< restricted-build = no
< dbus-build = yes
< shadow-build = no
< foomatic-drv-install = yes
---
> network-build=yes
> pp-build=yes
> gui-build=yes
> scanner-build=yes
> fax-build=yes
> dbus-build=yes
> cups11-build=no
> doc-build=yes
> shadow-build=no
> foomatic-drv-install=yes
> foomatic-ppd-install=no
> foomatic-rip-hplip-install=no
> internal-tag=2.8.12.26
> restricted-build=no
> ui-toolkit=qt3
> qt3=yes
> qt4=no
>
Comment 2 Tim Waugh 2009-01-12 11:37:42 UTC 
Yeah, it shouldn't do that.
Comment 3 Gabriel Sfestarof 2009-01-13 06:54:53 UTC 
The bug seems to affect CentOS 5.2 too, so perhaps it should occur in RHEL too.
Comment 4 Tim Waugh 2009-01-13 10:12:42 UTC 
I can't see a code path that works in quite the same way for RHEL-5.2.  It may adjust the system wide configuration file when run directly by root, but I don't see that it will when run from CUPS.  Are you seeing AVC messages on CentOS 5.2?

FWIW, the way I was able to trigger the AVC message on Fedora 10 was by switching on a connected USB HP printer; this triggers hal_lpadmin (running in cups_config_t), which in turn runs hp-info (running in hplip_t).
Comment 5 Gabriel Sfestarof 2009-01-13 12:29:59 UTC 
That's precisely how I found the AVC. I had installed F10 for awhile, but never started the printer. After switching hplip.conf_t domain in permissive to make sure the AVC's still appear, then ausearch -m avc -ts today | audit2allow -M myhplip; semodule -i myhplip.pp (because it was the only denial I had on F10)




After a major power outage last night, I fired up CentOS 5.2, applied the updates and I start browsing Setroubleshooter. I noticed this kind of denial but at the moment the net was still down so I couldn't report anything. I'll reboot in a few hours, test it again for AVC's and if any I'll report back here.
Comment 6 Fedora Update System 2009-01-15 03:05:02 UTC 
hplip-2.8.12-5.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update hplip'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11236
Comment 7 Fedora Update System 2009-01-29 23:01:51 UTC 
hplip-2.8.12-6.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update hplip'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11236
Comment 8 Fedora Update System 2009-03-13 18:34:41 UTC 
hplip-2.8.12-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.