Bug 1291033 - SELinux is preventing hp from 'write' accesses on the directory /var/lib/net-snmp/mib_indexes.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: x86_64
OS: Unspecified
medium
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:eaacbb77d6e05b06952481485c7...
Reported: 2015-12-13 01:24 UTC by Matthew Saltzman
Modified: 2016-03-05 06:22 UTC

Fixed In Version: selinux-policy-3.13.1-158.8.fc23 selinux-policy-3.13.1-158.9.fc23
Doc Type: Bug Fix
Last Closed: 2016-03-05 06:22:34 UTC

Description Matthew Saltzman 2015-12-13 01:24:57 UTC
Description of problem:
Printing from Firefox to printer using hplip driver.
SELinux is preventing hp from 'write' accesses on the directory /var/lib/net-snmp/mib_indexes.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hp should be allowed write access on the mib_indexes directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep hp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:snmpd_var_lib_t:s0
Target Objects                /var/lib/net-snmp/mib_indexes [ dir ]
Source                        hp
Source Path                   hp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           net-snmp-libs-5.7.3-7.fc23.x86_64
Policy RPM                    selinux-policy-3.13.1-155.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.6-301.fc23.x86_64 #1 SMP Fri
                              Nov 20 22:22:41 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-12-12 18:40:30 EST
Last Seen                     2015-12-12 18:40:30 EST
Local ID                      0d077139-2d9f-4b44-b0bb-c08d0a8c11b4

Raw Audit Messages
type=AVC msg=audit(1449963630.98:736): avc:  denied  { write } for  pid=4527 comm="hp" name="mib_indexes" dev="dm-1" ino=1180663 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0


Hash: hp,cupsd_t,snmpd_var_lib_t,dir,write

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-301.fc23.x86_64
type:           libreport

Comment 1 Vasco Rodrigues 2015-12-13 18:09:18 UTC
Description of problem:
When printing to a HP Printer.

Version-Release number of selected component:
selinux-policy-3.13.1-155.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.6-301.fc23.x86_64
type:           libreport

Comment 2 Luya Tshimbalanga 2015-12-23 20:10:40 UTC
Description of problem:
Popped up on desktop session.

Version-Release number of selected component:
selinux-policy-3.13.1-157.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.7-300.fc23.x86_64
type:           libreport

Comment 3 Tim Jackson 2015-12-26 20:36:35 UTC
I'm seeing this too with:

Source RPM Packages hplip-3.15.11-3.fc23.x86_64
Target RPM Packages net-snmp-libs-5.7.3-7.fc23.x86_64
Policy RPM selinux-policy-3.13.1-157.fc23.noarch

when printing to a HP 8600 Plus printer.

Comment 4 Tim Jackson 2015-12-26 20:37:23 UTC
Raw Audit Messages
type=AVC msg=audit(1451161908.916:625): avc: denied { write } for pid=6061 comm="hp" name="mib_indexes" dev="dm-1" ino=786500 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1451161908.916:625): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffeebac8760 a1=241 a2=1b6 a3=240 items=0 ppid=2553 pid=6061 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=hp exe=/usr/lib/cups/backend/hp subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Comment 5 bztdlinux 2015-12-28 08:34:49 UTC
Description of problem:
I tried printing to a hplip printer.


Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-300.fc23.x86_64
type:           libreport

Comment 6 OoZooL 2015-12-29 23:48:28 UTC
Description of problem:
Probably trying to print to an HP printer I suppose

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-300.fc23.x86_64
type:           libreport

Comment 7 Ermanno Scaglione 2015-12-31 22:32:10 UTC
Description of problem:
It appears when printing something on a hp envy4500

Version-Release number of selected component:
selinux-policy-3.13.1-158.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.2.8-300.fc23.x86_64
type:           libreport

Comment 8 Peter Bieringer 2016-02-04 22:03:49 UTC
Hit by the same issue

# grep hp /var/log/audit/audit.log | audit2allow

#============= cupsd_t ==============
allow cupsd_t snmpd_var_lib_t:dir write;


hplip-3.15.11-4.fc23.x86_64
net-snmp-libs-5.7.3-7.fc23.x86_64
selinux-policy-3.13.1-158.2.fc23.noarch

Printer is also a HP network printer

Workaround according to SE troubleshooting UI:
# grep hp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Comment 9 Laurent Rineau 2016-02-05 14:44:12 UTC
Description of problem:
I just printed something!

My scenario was the following:
  in "Firefox", with "Amazon", list of commands, I clicked on "print bill". Okular (from KDE 5) opened, and I clicked on "print", in the menu. The document was printed, but SELinux Alert popped at the same time.

Version-Release number of selected component:
selinux-policy-3.13.1-158.2.fc23.noarch

Additional info:
reporter:       libreport-2.6.3
hashmarkername: setroubleshoot
kernel:         4.3.4-300.fc23.x86_64
type:           libreport

Comment 10 Laurent Rineau 2016-02-05 14:44:44 UTC
(In reply to Laurent Rineau from comment #9)
> Description of problem:
> I just printed something!
> 
> My scenario was the following:
>   in "Firefox", with "Amazon", list of commands, I clicked on "print bill".
> Okular (from KDE 5) opened, and I clicked on "print", in the menu. The
> document was printed, but SELinux Alert popped at the same time.
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-158.2.fc23.noarch
> 
> Additional info:
> reporter:       libreport-2.6.3
> hashmarkername: setroubleshoot
> kernel:         4.3.4-300.fc23.x86_64
> type:           libreport

Also an HP printer.

Comment 11 Peter Bieringer 2016-02-06 09:39:07 UTC
After allowing "write" it also wants "add_name", let's see what's coming next...

allow cupsd_t snmpd_var_lib_t:dir write;
allow cupsd_t snmpd_var_lib_t:dir add_name;

Comment 12 Garrett Mitchener 2016-02-16 02:58:52 UTC
Description of problem:
I installed an HP wireless printer using hp-setup. Now I keep getting SE alerts about it.

Version-Release number of selected component:
selinux-policy-3.13.1-158.4.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport

Comment 13 Peter Bieringer 2016-02-16 07:02:37 UTC
After applying the following policy extension, an alert no longer occurs:

allow cupsd_t snmpd_var_lib_t:dir { add_name write };
allow cupsd_t snmpd_var_lib_t:file { create write };
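
Added example (not part of the bug report or of selinux-policy): a small Python sketch of how AVC denials collapse into allow rules, showing why the `grep hp ... | audit2allow` workaround quoted above can pull unrelated denials into a local module while an exact match on `comm` does not. Only the first log record is taken from this report; the other records, the `php-fpm` process and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log: record 1 is the denial quoted in this report,
# records 2-5 are constructed (5 is an unrelated process containing "hp").
SAMPLE_LOG = """\
type=AVC msg=audit(1449963630.98:736): avc:  denied  { write } for  pid=4527 comm="hp" name="mib_indexes" dev="dm-1" ino=1180663 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1449963630.99:737): avc:  denied  { add_name } for  pid=4527 comm="hp" name="0" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1449963631.00:738): avc:  denied  { create } for  pid=4527 comm="hp" name="0" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1449963631.01:739): avc:  denied  { write } for  pid=4527 comm="hp" name="0" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1449963700.20:740): avc:  denied  { read } for  pid=5000 comm="php-fpm" name="notes.txt" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<s>\S+).*?tcontext=(?P<t>\S+).*?tclass=(?P<cls>\w+)')

def seltype(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]

def allow_rules(log, comm=None, substring=None):
    """Merge denials into allow rules, one per (source, target, class).

    substring mimics `grep <text>` on raw lines; comm requires an exact
    match on the process name recorded in the AVC record.
    """
    rules = defaultdict(set)
    for line in log.splitlines():
        if substring is not None and substring not in line:
            continue
        m = AVC_RE.search(line)
        if not m or (comm is not None and m["comm"] != comm):
            continue
        key = (seltype(m["s"]), seltype(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"allow {src} {tgt}:{cls} {text};")
    return out

if __name__ == "__main__":
    print("exact comm match:", *allow_rules(SAMPLE_LOG, comm="hp"), sep="\n  ")
    print("substring 'hp':", *allow_rules(SAMPLE_LOG, substring="hp"), sep="\n  ")
```

On a live system, `ausearch -m AVC -c hp | audit2allow` applies the same exact-name filter before any module is generated, and the generated `.te` file should be read before it is loaded with `semodule -i`.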

Comment 14 Lukas Vrabec 2016-02-24 13:18:35 UTC
commit d94643659af9fc5a1673a32aa24395d10d0243bc
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Feb 24 14:14:29 2016 +0100

    Allow hplip driver to write to its MIB index files stored in the /var/lib/net-snmp/mib_indexes.
    Resolves: rhbz#1291033

Comment 15 Daniël van Eeden 2016-02-26 07:02:42 UTC
Description of problem:
Printing to a HP printer from Evince

Version-Release number of selected component:
selinux-policy-3.13.1-158.6.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.3.5-300.fc23.x86_64
type:           libreport

Comment 16 Dario Castellarin 2016-02-26 14:18:38 UTC
Description of problem:
I was printing a series of documents on my networked HP printer

Version-Release number of selected component:
selinux-policy-3.13.1-158.7.fc23.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.4.2-301.fc23.x86_64
type:           libreport

Comment 17 Fedora Update System 2016-02-27 13:50:04 UTC
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 18 Fedora Update System 2016-02-28 13:53:58 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870

Comment 19 Fedora Update System 2016-03-05 06:21:40 UTC
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
