Bug 1291033 - SELinux is preventing hp from 'write' accesses on the directory /var/lib/net-snmp/mib_indexes.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: x86_64 Unspecified
Priority: medium; Severity: high
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
abrt_hash:eaacbb77d6e05b06952481485c7...
Reported: 2015-12-12 20:24 EST by Matthew Saltzman
Modified: 2016-03-05 01:22 EST
Fixed In Version: selinux-policy-3.13.1-158.8.fc23 selinux-policy-3.13.1-158.9.fc23
Doc Type: Bug Fix
Last Closed: 2016-03-05 01:22:34 EST
Description Matthew Saltzman 2015-12-12 20:24:57 EST
Description of problem:
Printing from Firefox to printer using hplip driver.
SELinux is preventing hp from 'write' accesses on the directory /var/lib/net-snmp/mib_indexes.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hp should be allowed write access on the mib_indexes directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep hp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:snmpd_var_lib_t:s0
Target Objects                /var/lib/net-snmp/mib_indexes [ dir ]
Source                        hp
Source Path                   hp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           net-snmp-libs-5.7.3-7.fc23.x86_64
Policy RPM                    selinux-policy-3.13.1-155.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.6-301.fc23.x86_64 #1 SMP Fri
                              Nov 20 22:22:41 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-12-12 18:40:30 EST
Last Seen                     2015-12-12 18:40:30 EST
Local ID                      0d077139-2d9f-4b44-b0bb-c08d0a8c11b4

Raw Audit Messages
type=AVC msg=audit(1449963630.98:736): avc:  denied  { write } for  pid=4527 comm="hp" name="mib_indexes" dev="dm-1" ino=1180663 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0


Hash: hp,cupsd_t,snmpd_var_lib_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-301.fc23.x86_64
type:           libreport
Comment 1 Vasco Rodrigues 2015-12-13 13:09:18 EST
Description of problem:
When printing to a HP Printer.

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-301.fc23.x86_64
type:           libreport
Comment 2 Luya Tshimbalanga 2015-12-23 15:10:40 EST
Description of problem:
Popped up on desktop session.

Version-Release number of selected component:
selinux-policy-3.13.1-157.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.7-300.fc23.x86_64
type:           libreport
Comment 3 Tim Jackson 2015-12-26 15:36:35 EST
I'm seeing this too with:

Source RPM Packages hplip-3.15.11-3.fc23.x86_64
Target RPM Packages net-snmp-libs-5.7.3-7.fc23.x86_64
Policy RPM selinux-policy-3.13.1-157.fc23.noarch

when printing to a HP 8600 Plus printer.
Comment 4 Tim Jackson 2015-12-26 15:37:23 EST
Raw Audit Messages
type=AVC msg=audit(1451161908.916:625): avc: denied { write } for pid=6061 comm="hp" name="mib_indexes" dev="dm-1" ino=786500 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1451161908.916:625): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffeebac8760 a1=241 a2=1b6 a3=240 items=0 ppid=2553 pid=6061 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=hp exe=/usr/lib/cups/backend/hp subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Comment 5 bztdlinux 2015-12-28 03:34:49 EST
Description of problem:
I tried printing to a hplip printer.


Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-300.fc23.x86_64
type:           libreport
Comment 6 OoZooL 2015-12-29 18:48:28 EST
Description of problem:
Probably trying to print to an HP printer I suppose

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-300.fc23.x86_64
type:           libreport
Comment 7 Ermanno Scaglione 2015-12-31 17:32:10 EST
Description of problem:
It appears when printing something on a hp envy4500

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-300.fc23.x86_64
type:           libreport
Comment 8 Peter Bieringer 2016-02-04 17:03:49 EST
Hit by the same issue

# grep hp /var/log/audit/audit.log | audit2allow

#============= cupsd_t ==============
allow cupsd_t snmpd_var_lib_t:dir write;


hplip-3.15.11-4.fc23.x86_64
net-snmp-libs-5.7.3-7.fc23.x86_64
selinux-policy-3.13.1-158.2.fc23.noarch

Printer is also a HP network printer

Workaround according to SE troubleshooting UI:
# grep hp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 9 Laurent Rineau 2016-02-05 09:44:12 EST
Description of problem:
I just printed something!

My scenario was the following:
  in "Firefox", with "Amazon", list of commands, I clicked on "print bill". Okular (from KDE 5) opened, and I clicked on "print", in the menu. The document was printed, but SELinux Alert popped at the same time.

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.4-300.fc23.x86_64
type:           libreport
Comment 10 Laurent Rineau 2016-02-05 09:44:44 EST
(In reply to Laurent Rineau from comment #9)
> Description of problem:
> I just printed something!
> 
> My scenario was the following:
>   in "Firefox", with "Amazon", list of commands, I clicked on "print bill".
> Okular (from KDE 5) opened, and I clicked on "print", in the menu. The
> document was printed, but SELinux Alert popped at the same time.
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-158.2.fc23.noarch
> 
> Additional info:
> reporter:       libreport-2.6.3
> hashmarkername: setroubleshoot
> kernel:         4.3.4-300.fc23.x86_64
> type:           libreport

Also an HP printer.
Comment 11 Peter Bieringer 2016-02-06 04:39:07 EST
After allowing "write" it also wants "add_name", let's see what's coming next...

allow cupsd_t snmpd_var_lib_t:dir write;
allow cupsd_t snmpd_var_lib_t:dir add_name;
Comment 12 Garrett Mitchener 2016-02-15 21:58:52 EST
Description of problem:
I installed an HP wireless printer using hp-setup. Now I keep getting SE alerts about it.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 13 Peter Bieringer 2016-02-16 02:02:37 EST
After applying the following policy extension, an alert no longer occurs:

allow cupsd_t snmpd_var_lib_t:dir { add_name write };
allow cupsd_t snmpd_var_lib_t:file { create write };
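
Added example, not part of the bug thread and not audit2allow's own code: a small parser that merges AVC denials into allow rules the way comments 8, 11 and 13 arrived at theirs, and shows that selecting records by the exact `comm` field yields a narrower module than a substring match such as `grep hp`. Only the first log line comes from the report; the other records, the `httpd_t`/`user_home_t` contexts and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# REPORTED is the AVC record from the original report. The other records are
# constructed: three mirror the follow-up denials named in comments 11 and 13,
# and the last is an unrelated denial whose comm only contains "hp".
CUPS = ("scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 "
        "tcontext=system_u:object_r:snmpd_var_lib_t:s0")
WEB = ("scontext=system_u:system_r:httpd_t:s0 "
       "tcontext=unconfined_u:object_r:user_home_t:s0")
REPORTED = ('type=AVC msg=audit(1449963630.98:736): avc:  denied  { write } for  '
            'pid=4527 comm="hp" name="mib_indexes" dev="dm-1" ino=1180663 '
            + CUPS + ' tclass=dir permissive=0')

def _constructed(perm, tclass, comm="hp", ctx=CUPS):
    """Build a constructed AVC record in the same layout as REPORTED."""
    return (f'type=AVC msg=audit(0.0:0): avc:  denied  {{ {perm} }} for  pid=1 '
            f'comm="{comm}" name="example" {ctx} tclass={tclass} permissive=0')

SAMPLE_LOG = "\n".join([
    REPORTED, _constructed("add_name", "dir"), _constructed("create", "file"),
    _constructed("write", "file"),
    _constructed("read", "file", comm="php-fpm", ctx=WEB)])

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def rules_for(log_text, needle, exact_comm=True):
    """Merge denials into allow rules. exact_comm=False selects any line that
    contains needle, which is what piping the log through grep does."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        if not (m["comm"] == needle if exact_comm else needle in line):
            continue
        # A context is user:role:type[:level]; policy rules name the type.
        key = (m["scon"].split(":")[2], m["tcon"].split(":")[2], m["tclass"])
        merged[key].update(m["perms"].split())
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        body = " ".join(sorted(perms))
        rules.append(f"allow {src} {tgt}:{tclass} "
                     + (f"{{ {body} }};" if len(perms) > 1 else f"{body};"))
    return rules

if __name__ == "__main__":
    print("\n".join(rules_for(SAMPLE_LOG, "hp")))
```

With the exact match the output is the two rules from comment 13; with `exact_comm=False` the constructed `php-fpm` denial adds a third rule for an unrelated domain, which is why the generated rules are worth reading before `semodule -i`.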
Comment 14 Lukas Vrabec 2016-02-24 08:18:35 EST
commit d94643659af9fc5a1673a32aa24395d10d0243bc
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Feb 24 14:14:29 2016 +0100

    Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes.
    Resolves: rhbz#1291033
Comment 15 Daniël van Eeden 2016-02-26 02:02:42 EST
Description of problem:
Printing to a HP printer from Evince

Version-Release number of selected component:
selinux-policy-3.13.1-158.6.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport
Comment 16 Dario Castellarin 2016-02-26 09:18:38 EST
Description of problem:
I was printing a series of documents on my networked HP printer

Version-Release number of selected component:
selinux-policy-3.13.1-158.7.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.2-301.fc23.x86_64
type:           libreport
Comment 17 Fedora Update System 2016-02-27 08:50:04 EST
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
Comment 18 Fedora Update System 2016-02-28 08:53:58 EST
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
Comment 19 Fedora Update System 2016-03-05 01:21:40 EST
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
