Bug 865603

Summary: SELinux is preventing /usr/lib/cups/filter/hpcups from 'search' accesses on the directory /var/log/hp.
Product: [Fedora] Fedora Reporter: Tim Waugh <twaugh>
Component: hplipAssignee: Tim Waugh <twaugh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: alanh, bugzilla, bugzilla, dbraunwarth, devonjanitz, dominick.grift, dwalsh, hector.rufrancos.list, igwa, jpopelka, lesjj10, mgrepl, mishu, mjs, mrexiani, msava, myas, neteler, peter.oosterlynck, phyrefyter, req1348, rich_pitts, rlocke, robert.l.kief, s_bumgardner, skotchman, subscribed-lists, twaugh, yann
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:665e0c8535d92ed0fc792887a2b6665dc08b101c09591426b94c6d31b7543272
Fixed In Version: hplip-3.12.10-4.a.fc18 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-11-28 11:49:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
File: type
none
File: hashmarkername none

Description Tim Waugh 2012-10-11 21:21:32 UTC 
Description of problem:
Occurred while printing.

Additional info:
libreport version: 2.0.14
kernel:         3.6.1-1.fc18.x86_64

description:
:SELinux is preventing /usr/lib/cups/filter/hpcups from 'search' accesses on the directory /var/log/hp.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that hpcups should be allowed search access on the hp directory by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep hpcups /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:hplip_var_log_t:s0
:Target Objects                /var/log/hp [ dir ]
:Source                        hpcups
:Source Path                   /usr/lib/cups/filter/hpcups
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           hpijs-3.12.10-1.fc18.x86_64
:Target RPM Packages           hplip-3.12.10-1.fc18.x86_64
:Policy RPM                    selinux-policy-3.11.1-32.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.1-1.fc18.x86_64 #1 SMP Mon Oct
:                              8 17:19:09 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    2012-10-11 22:12:04 BST
:Last Seen                     2012-10-11 22:12:04 BST
:Local ID                      73a35854-cfec-4923-bb64-adedcefce1ff
:
:Raw Audit Messages
:type=AVC msg=audit(1349989924.647:460): avc:  denied  { search } for  pid=5403 comm="hpcups" name="hp" dev="sda8" ino=523424 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hplip_var_log_t:s0 tclass=dir
:
:
:type=SYSCALL msg=audit(1349989924.647:460): arch=x86_64 syscall=unlink success=no exit=EACCES a0=7fff90f56880 a1=0 a2=3510fb1fb8 a3=7fff90f565e0 items=0 ppid=655 pid=5403 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=hpcups exe=/usr/lib/cups/filter/hpcups subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
:
:Hash: hpcups,cupsd_t,hplip_var_log_t,dir,search
:
:audit2allow
:
:#============= cupsd_t ==============
:allow cupsd_t hplip_var_log_t:dir search;
:
:audit2allow -R
:
:#============= cupsd_t ==============
:allow cupsd_t hplip_var_log_t:dir search;
:
Comment 1 Tim Waugh 2012-10-11 21:21:36 UTC 
Created attachment 625699 [details]
File: type
Comment 2 Tim Waugh 2012-10-11 21:21:38 UTC 
Created attachment 625700 [details]
File: hashmarkername
Comment 3 Tim Waugh 2012-10-11 21:23:04 UTC 
hpijs-3.12.10-1.fc18.x86_64

I wonder why HPLIP has to have its own log directory?
Comment 4 Daniel Walsh 2012-10-12 09:54:17 UTC 
Tim should it be labelled cups_var_log_t? And allow hplip_t to be able to write and or append to it?

I am not sure why there is a hplip_t policy at all, should we just drop this and run everything as cupsd_t?
Comment 5 Frank Büttner 2012-10-13 10:53:45 UTC 
Same for F17.
Comment 6 Dario Castellarin 2012-10-13 16:11:41 UTC 
This happens when I do the printer cleaning process from hplip-gui.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 7 markusN 2012-10-14 15:42:56 UTC 
The latest update created this problem. Before it worked fine.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 8 Robert Kief 2012-10-14 20:26:53 UTC 
I sent a doc. to my printer from Gourmet Recipe Manager.  The SELInux error icon then appeared.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 9 GoinEasy9 2012-10-14 22:15:50 UTC 
New hplip and new selinux-policy came in on Oct 13th.  I got the AVC error when trying to print a page.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 10 Tim Waugh 2012-10-15 12:24:40 UTC 
IMHO hplip should be changed so that it uses $TMPDIR (/var/spool/cups/tmp) instead. This is the area for temporary files that should be used by CUPS filters and backends.
Comment 11 Steven Stern 2012-10-15 13:11:30 UTC 
Occurs when printing

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 12 myas 2012-10-15 23:52:34 UTC 
1)Starting HP Device Manager.
2)Printing to Google Chrome


Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 13 MrBrownwait 2012-10-16 04:40:51 UTC 
Alert occurs every time I'm printing something

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 14 Fedora Update System 2012-10-16 11:19:31 UTC 
hplip-3.12.10-3.a.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/FEDORA-2012-15918/hplip-3.12.10-3.a.fc18
Comment 15 Fedora Update System 2012-10-16 11:23:22 UTC 
hplip-3.12.10-3.a.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/hplip-3.12.10-3.a.fc17
Comment 16 Fedora Update System 2012-10-16 11:25:13 UTC 
hplip-3.12.10-3.a.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/hplip-3.12.10-3.a.fc16
Comment 17 Alan Hamilton 2012-10-16 20:13:28 UTC 
Occured while printing a document to an HP D7400 over wifi.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 18 Fedora Update System 2012-10-17 00:20:55 UTC 
Package hplip-3.12.10-3.a.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing hplip-3.12.10-3.a.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16236/hplip-3.12.10-3.a.fc17
then log in and leave karma (feedback).
Comment 19 Scott Castaline 2012-10-18 19:53:07 UTC 
Link is wrong or actually version of file. Should be hplip-3.12.10-4.a.fc17. Once I did the above with the corrected file name I was able to print a 12 page PDF file without any SELinux Alert. Seems to be fixed at this time for me anyway.
Comment 20 Tim Waugh 2012-10-19 08:16:27 UTC 
Thanks.

Correct instructions, for anyone else who would like to test:

Package hplip-3.12.10-4.a.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror.
Update it with:
# su -c 'yum update --enablerepo=updates-testing hplip-3.12.10-4.a.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-16236/hplip-3.12.10-4.a.fc17
then log in and leave karma (feedback).
Comment 21 Frank Büttner 2012-10-19 11:28:58 UTC 
Work for me.
Comment 22 MrBrownwait 2012-10-19 17:18:10 UTC 
Works for me, too.
Comment 23 Devon Janitz 2012-10-20 21:17:17 UTC 
Printed a page of an e-mail.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 24 Robert Locke 2012-10-22 17:03:41 UTC 
This appears any time I print to one of my network based HP printers: HP Laserjet P2055dn in this case. The job does print, but this SELinux denial appears each time now.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 25 Devon Janitz 2012-10-23 01:15:34 UTC 
Printed a web page.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 26 Fedora Update System 2012-10-23 08:44:00 UTC 
hplip-3.12.10-4.a.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 27 Matthew Saltzman 2012-10-24 18:41:39 UTC 
Attempt to print on an HP printer.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 28 Steve Bumgardner 2012-10-25 13:53:54 UTC 
I turned on my HP printer after starting and logging into the computer. It seems this should be acceptable, though of course cups may be trying to do something it does not need to do, rather than selinux failing to allow something that should be done.

Package: (null)
OS Release: Fedora release 17 (Beefy Miracle)
Comment 29 Fedora Update System 2012-11-28 11:49:55 UTC 
hplip-3.12.10-4.a.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 30 Miroslav Grepl 2012-11-28 16:00:52 UTC 
*** Bug 881032 has been marked as a duplicate of this bug. ***