Description of problem:
This is not currently a bug but when hplip from updates-testing is released it will be. A faxing bug was fixed in hplip-0.9.11. The software was using the wrong port to connect to the network printer. When the fixed version is run, SELinux denies access because it doesn't know about the proper port.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.34-3.fc5

How reproducible:
Always

Steps to Reproduce:
1. run hp-sendfax from hplip-0.9.11-1.1 and attempt to fax
2.
3.

Actual results:
[bjohnson@localhost ~]$ hp-sendfax
HP Linux Imaging and Printing System (ver. 0.9.11)
PC Sendfax Utility ver. 2.1
Copyright (c) 2003-6 Hewlett-Packard Development Company, LP
This software comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to distribute it
under certain conditions. See COPYING file for more details.

sendfax Using device: hpfax:/net/HP_Color_LaserJet_2840?ip=192.168.1.104
sendfax [ERROR]: Unable to open channel (Unknown internal error).
sendfax [ERROR]: Fax send error.
sendfax [ERROR]: Error, aborting.

Expected results:
No error.
Additional info:
from /var/log/audit/audit.log:

type=AVC msg=audit(1147390107.967:599): avc: denied { name_connect } for pid=20228 comm="hpiod" dest=8292 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1147390107.967:599): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=b7f079a0 a2=8444858 a3=0 items=0 pid=20228 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1147390107.967:599): saddr=02002064C0A801680000000000000000
type=SOCKETCALL msg=audit(1147390107.967:599): nargs=3 a0=4 a1=b7f07ad8 a2=10

[root@localhost ~]# audit2allow -i /var/log/audit/audit.log
allow cupsd_t user_home_t:file { getattr read };
allow hplip_t port_t:tcp_socket name_connect;
allow hplip_t snmpd_var_lib_t:file { getattr read };
allow hplip_t user_home_t:file { getattr read };
Wow, a pre-bug. I will add port 8292. But what about the other allow rules? Why are cups and hplip_t reading the user's homedir? Also, why is hplip_t looking at snmpd_var_lib_t?
Here is a more detailed set of avc messages, broken up by what action triggered them:

[root@localhost /]# service cups restart

type=AVC msg=audit(1147447885.248:751): avc: denied { getattr } for pid=27597 comm="python" name=".hplip.conf" dev=dm-0 ino=2293789 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1147447885.248:751): arch=40000003 syscall=195 success=yes exit=0 a0=987fd08 a1=bf883378 a2=22fff4 a3=97c21b0 items=1 pid=27597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="python" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1147447885.248:751): path="/root/.hplip.conf"
type=CWD msg=audit(1147447885.248:751): cwd="/"
type=PATH msg=audit(1147447885.248:751): item=0 name="/root/.hplip.conf" flags=1 inode=2293789 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1147447885.276:752): avc: denied { read } for pid=27597 comm="python" name=".hplip.conf" dev=dm-0 ino=2293789 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1147447885.276:752): arch=40000003 syscall=5 success=yes exit=2 a0=987fd08 a1=8000 a2=1b6 a3=984d3c0 items=1 pid=27597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1147447885.276:752): cwd="/"
type=PATH msg=audit(1147447885.276:752): item=0 name="/root/.hplip.conf" flags=101 inode=2293789 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00

[root@localhost /]# service hplip restart

type=AVC msg=audit(1147447916.662:753): avc: denied { getattr } for pid=27673 comm="python" name=".hplip.conf" dev=dm-0 ino=2293789 scontext=user_u:system_r:hplip_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1147447916.662:753): arch=40000003 syscall=195 success=yes exit=0 a0=99c4408 a1=bff467b8 a2=22fff4 a3=99011b0 items=1 pid=27673 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="python" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1147447916.662:753): path="/root/.hplip.conf"
type=CWD msg=audit(1147447916.662:753): cwd="/usr/share/hplip"
type=PATH msg=audit(1147447916.662:753): item=0 name="/root/.hplip.conf" flags=1 inode=2293789 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1147447916.666:754): avc: denied { read } for pid=27673 comm="python" name=".hplip.conf" dev=dm-0 ino=2293789 scontext=user_u:system_r:hplip_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1147447916.666:754): arch=40000003 syscall=5 success=yes exit=4 a0=99c4408 a1=8000 a2=1b6 a3=99a5718 items=1 pid=27673 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1147447916.666:754): cwd="/usr/share/hplip"
type=PATH msg=audit(1147447916.666:754): item=0 name="/root/.hplip.conf" flags=101 inode=2293789 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00

[bjohnson@localhost ~]$ hp-sendfax (program starts)

type=AVC msg=audit(1147448109.480:755): avc: denied { getattr } for pid=27692 comm="hpiod" name=".index" dev=dm-0 ino=1311436 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1147448109.480:755): arch=40000003 syscall=195 success=yes exit=0 a0=b7f31508 a1=b7f311ec a2=22fff4 a3=0 items=1 pid=27692 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=AVC_PATH msg=audit(1147448109.480:755): path="/usr/share/snmp/mibs/.index"
type=CWD msg=audit(1147448109.480:755): cwd="/"
type=PATH msg=audit(1147448109.480:755): item=0 name="/usr/share/snmp/mibs/.index" flags=1 inode=1311436 dev=fd:00 mode=0100666 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1147448109.492:756): avc: denied { write } for pid=27692 comm="hpiod" name=".index" dev=dm-0 ino=1311436 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1147448109.492:756): arch=40000003 syscall=5 success=yes exit=5 a0=b7f313dc a1=8241 a2=1b6 a3=90251b8 items=1 pid=27692 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=CWD msg=audit(1147448109.492:756): cwd="/"
type=PATH msg=audit(1147448109.492:756): item=0 name="/usr/share/snmp/mibs/.index" flags=310 inode=1311875 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00

hp-sendfax ("Send Fax" button pressed)

type=AVC msg=audit(1147448199.615:757): avc: denied { name_connect } for pid=27692 comm="hpiod" dest=8292 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1147448199.615:757): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=b7f319a0 a2=901b858 a3=0 items=0 pid=27692 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1147448199.615:757): saddr=02002064C0A801680000000000000000
type=SOCKETCALL msg=audit(1147448199.615:757): nargs=3 a0=4 a1=b7f31ad8 a2=10
> Why are cups and hplip_t reading the user's homedir?

cupsd_t here is actually the HPLIP CUPS backend. I don't know how useful ~/.hplip.conf is; not very when SELinux is used, I think. We don't want to allow that rule.

> Also, why is hplip_t looking at snmpd_var_lib_t?

I think this is part of the SNMP scanning that it does; perhaps libsnmp does this.

As well as port 8292 there are others that HPLIP may need to connect to: 9100, 9101, 9102, 9290, 9291, 9292, 9220, 9221, 9222, 8290

Bernard: did you try putting SELinux into permissive mode to see if there are other AVC denials once these first few are overcome?
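The triage done by hand in this thread (the audit2allow output in the report, then comment #3 sorting it into "label the port", "don't allow the home-directory rule" and "needs an explanation") can be mechanised. What follows is an added example, not code from the report, from hplip or from selinux-policy. It parses raw AVC records (the sample lines are constructed, modelled on the ones pasted above), folds them into the same (source type, target type, class, permissions) tuples audit2allow prints, and attaches a recommendation instead of pasting the allow rules verbatim. The security point it makes concrete is that `allow hplip_t port_t:tcp_socket name_connect;` grants connects to every port that carries the generic port_t label, not just 8292; the narrow fix is to label the HPLIP ports with their own type and allow only that type. The port type name hplip_port_t, the semanage invocation (which presumes the type already exists in the loaded policy) and the use of the port list from comment #3 as the "expected" set are assumptions of this example.

```python
"""Triage SELinux AVC denials instead of pasting audit2allow output blindly.

Added example (not from the bug report or the hplip/selinux-policy projects):
parse AVC records, fold them into audit2allow-style rule keys, and attach the
recommendation a policy reviewer would make for each one.
"""
import re
from collections import defaultdict

# Constructed sample records, modelled on the ones pasted in the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1147390107.967:599): avc: denied { name_connect } for pid=20228 comm="hpiod" dest=8292 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1147390107.967:599): arch=40000003 syscall=102 success=yes exit=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=AVC msg=audit(1147447885.248:751): avc: denied { getattr } for pid=27597 comm="python" name=".hplip.conf" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1147447885.276:752): avc: denied { read } for pid=27597 comm="python" name=".hplip.conf" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1147448109.480:755): avc: denied { getattr } for pid=27692 comm="hpiod" name=".index" scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1147448109.492:756): avc: denied { write } for pid=27692 comm="hpiod" name=".index" scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=AVC msg=audit(1147448199.615:757): avc: denied { name_connect } for pid=27692 comm="hpiod" dest=9100 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)
DEST_RE = re.compile(r'dest=(\d+)')

# Ports comment #3 says HPLIP may need, plus 8292 from the original AVC.
HPLIP_PORTS = {8290, 8292, 9100, 9101, 9102, 9220, 9221, 9222, 9290, 9291, 9292}
# Assumed name for a dedicated port type; the real policy's name may differ.
HPLIP_PORT_TYPE = "hplip_port_t"


def seltype(context):
    """user_u:system_r:hplip_t:s0 -> hplip_t (third field of a security context)."""
    return context.split(":")[2]


def parse_avcs(text):
    """Yield one dict per AVC record: permission set, source/target types, class, dest port."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, CWD etc. records carry no decision
        d = DEST_RE.search(line)
        yield {
            "perms": set(m.group("perms").split()),
            "stype": seltype(m.group("scontext")),
            "ttype": seltype(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "dest": int(d.group(1)) if d else None,
        }


def fold(avcs):
    """Collapse records into audit2allow-style keys -> merged perms and seen dest ports."""
    rules = defaultdict(lambda: {"perms": set(), "ports": set()})
    for a in avcs:
        key = (a["stype"], a["ttype"], a["tclass"])
        rules[key]["perms"] |= a["perms"]
        if a["dest"] is not None:
            rules[key]["ports"].add(a["dest"])
    return dict(rules)


def audit2allow_rule(key, info):
    """The rule audit2allow -i would print for this key (what not to paste blindly)."""
    stype, ttype, tclass = key
    perms = " ".join(sorted(info["perms"]))
    if len(info["perms"]) > 1:
        perms = "{ %s }" % perms
    return f"allow {stype} {ttype}:{tclass} {perms};"


def recommend(key, info):
    """Reviewer's verdict for one folded denial."""
    stype, ttype, tclass = key
    if tclass == "tcp_socket" and ttype == "port_t":
        # port_t is the label of every port not otherwise defined, so allowing
        # name_connect to it lets the domain reach anything. Label the ports instead.
        unexpected = info["ports"] - HPLIP_PORTS
        if unexpected:
            return f"INVESTIGATE: unexpected destination ports {sorted(unexpected)}"
        labels = "; ".join(f"semanage port -a -t {HPLIP_PORT_TYPE} -p tcp {p}"
                           for p in sorted(info["ports"]))
        return (f"LABEL PORTS: {labels}; then "
                f"allow {stype} {HPLIP_PORT_TYPE}:tcp_socket name_connect;")
    if ttype == "user_home_t":
        return f"DENY: system daemon {stype} should not read user home dirs; drop the ~/.hplip.conf lookup"
    perms = " ".join(sorted(info["perms"]))
    return f"INVESTIGATE: {stype} touching {ttype} ({perms}) needs an explanation before any allow"


def triage(text):
    """Return {audit2allow rule: recommendation} for every folded denial in text."""
    return {audit2allow_rule(k, v): recommend(k, v) for k, v in fold(parse_avcs(text)).items()}


if __name__ == "__main__":
    for rule, advice in sorted(triage(SAMPLE_AUDIT_LOG).items()):
        print(rule)
        print("   ->", advice)
```

Run against the sample log it produces three folded rules: the two port_t denials (8292 and 9100) merge into one rule with a "label the ports" verdict, the cupsd_t/user_home_t pair gets a deny, and the snmpd_var_lib_t access is flagged for investigation. A destination outside the expected list (say, an IRC or SMTP port) would instead be reported as unexpected rather than silently folded into the HPLIP allow.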
The messages from comment #2 came from permissive mode.
Tested with selinux-policy-targeted-2.2.40-1.fc5 and hplip-0.9.11-1.2 - working fine.