Bug 694128

Summary: SELinux is preventing /lib/udev/udev-configure-printer from 'write' accesses on the chr_file 006.
Product: Fedora
Reporter: Dan Beard <zytemp2g>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: dwalsh, mgrepl
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:77f0523bb9e1c464d436c07062150a21e180b435e1da0594b6d399395d101f26
Doc Type: Bug Fix
Last Closed: 2011-10-07 14:03:50 UTC

Description Dan Beard 2011-04-06 14:20:17 UTC
SELinux is preventing /lib/udev/udev-configure-printer from 'write' accesses on the chr_file 006.

*****  Plugin device (91.4 confidence) suggests  *****************************

If you want to allow udev-configure-printer to have write access on the 006 chr_file
Then you need to change the label on 006 to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '006'
# restorecon -v '006'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that udev-configure-printer should be allowed write access on the 006 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep udev-configure- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_config_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                006 [ chr_file ]
Source                        udev-configure-
Source Path                   /lib/udev/udev-configure-printer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           system-config-printer-udev-1.3.2-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-10.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.2-9.fc15.i686
                              #1 SMP Wed Mar 30 16:54:01 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Wed 06 Apr 2011 05:16:04 AM CDT
Last Seen                     Wed 06 Apr 2011 05:16:04 AM CDT
Local ID                      99612dd1-f945-4a4b-a263-1803fec3e0d6

Raw Audit Messages
type=AVC msg=audit(1302084964.172:74): avc:  denied  { write } for  pid=1634 comm="udev-configure-" name="006" dev=devtmpfs ino=23640 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1302084964.172:74): arch=i386 syscall=open success=yes exit=ENOEXEC a0=bfe4f16c a1=2 a2=0 a3=8e87190 items=0 ppid=1 pid=1634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=udev-configure- exe=/lib/udev/udev-configure-printer subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)

Hash: udev-configure-,cupsd_config_t,device_t,chr_file,write

audit2allow

#============= cupsd_config_t ==============
allow cupsd_config_t device_t:chr_file write;

audit2allow -R

#============= cupsd_config_t ==============
allow cupsd_config_t device_t:chr_file write;

Comment 1 Dan Beard 2011-04-06 14:31:50 UTC
Attempting to start Firefox via the link in the bug report dialog to view this bug resulted in immediate unrecoverable "shotgunning" of the video output, requiring dropping to a new TTY to reboot the machine.

The above error/denial came while booted with enforcing=0 appended to the kernel line in Grub, and attempting to add a printer/scanner.  (HP PhotoSmart C7200 series)

Comment 2 Daniel Walsh 2011-04-06 14:44:04 UTC
The firefox problem, I have no idea on.  The cupsd_config problem is a race condition caused by the kernel creating the device and udev not relabeling it before cups tries to use it.  I think if you looked at the device now, it would be labeled correctly.

Miroslav, let's just add

ifdef(`hide_broken_symptoms', `
      dev_rw_generic_chr_files(cupsd_config_t)
')

Until we get the kernel labeling correct in F16.
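As an added illustration (not part of this bug report or of the Fedora policy), a small Python triage helper that parses AVC records like the one in the description and flags denials whose target carries a generic label such as device_t: as the comment above explains, that pattern points at a labelling race rather than a missing rule, so feeding it to audit2allow would grant cupsd_config_t write on every generic device. The sample records and the list of generic types are constructed assumptions.

```python
import re

# Constructed sample records, modelled on the AVC line in the report above;
# the third record is invented to show a denial against a specific label.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1302084964.172:74): avc:  denied  { write } for  pid=1634 comm="udev-configure-" name="006" dev=devtmpfs ino=23640 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1302084964.172:74): arch=i386 syscall=open success=yes exit=ENOEXEC pid=1634 comm=udev-configure-
type=AVC msg=audit(1302085000.001:75): avc:  denied  { read write } for  pid=1700 comm="cupsd" name="lp0" dev=devtmpfs ino=9999 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:printer_device_t:s0 tclass=chr_file
"""

# Types that mean "nothing has labelled this object yet" rather than "this is
# what the object is". A denial against one of them usually indicates a
# labelling problem (here: udev racing the kernel's devtmpfs node), so the
# right response is to check the current label, not to add an allow rule.
GENERIC_TYPES = {"device_t", "unlabeled_t", "default_t", "file_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the fields of one AVC denial, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    # A context is user:role:type:level; the type is the third field.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d


def allow_rule(d):
    """The audit2allow-style rule a local module would contain for this denial."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f'allow {d["stype"]} {d["ttype"]}:{d["tclass"]} {perms};'


def classify(d):
    """'mislabel' when the target carried a generic label, otherwise 'policy'."""
    return "mislabel" if d["ttype"] in GENERIC_TYPES else "policy"


def triage(audit_text):
    """Pair each denial's would-be allow rule with a verdict on whether to add it."""
    return [(allow_rule(d), classify(d))
            for d in map(parse_avc, audit_text.splitlines()) if d]
```

Running triage over a real /var/log/audit/audit.log shows which candidate rules are safe to ship as a local module and which ones should instead be resolved with restorecon once the device has been relabelled.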

Comment 3 Dan Beard 2011-04-06 17:51:32 UTC
I got it installed now, and as long as I don't attempt to install the other printer, everything seems to work. Attempting to add the other printer crashed the control panel and made both printers disappear from the dialog. Rebooting fixed that. However, when I tried to reboot with the printer connected and powered up, I got the screen illustrated here:

http://forums.fedoraforum.org/showpost.php?p=1458926&postcount=6

(You will need to be logged in to view the photo)

Pulling the USB plug on the printer until the system is up and stable seemed to fix that, but I've got no solid proof that was the culprit.

Comment 4 Daniel Walsh 2011-04-06 20:27:08 UTC
Dan, add the rules using a custom policy module.

# grep cupsd_config_t /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp

That should allow the access for now.