Bug 191444 - selinux denies hp-sendfax from connecting to network printer
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: i386 Linux
Priority: medium  Severity: medium
Depends On:
Blocks: 188985
Reported: 2006-05-11 19:39 EDT by Bernard Johnson
Modified: 2007-11-30 17:11 EST (History)

Doc Type: Bug Fix
Last Closed: 2006-05-31 19:54:05 EDT


Attachments: None
Description Bernard Johnson 2006-05-11 19:39:17 EDT
Description of problem:
This is not currently a bug but when hplip from updates-testing is released it
will be.  A faxing bug was fixed in hplip-0.9.11.  The software was using the
wrong port to connect to the network printer.  When the fixed version is run,
selinux denies access because it doesn't know about the proper port.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.34-3.fc5

How reproducible:
Always

Steps to Reproduce:
1. run hp-sendfax from hplip-0.9.11-1.1 and attempt to fax
Actual results:
[bjohnson@localhost ~]$ hp-sendfax

HP Linux Imaging and Printing System (ver. 0.9.11)
PC Sendfax Utility ver. 2.1

Copyright (c) 2003-6 Hewlett-Packard Development Company, LP
This software comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to distribute it
under certain conditions. See COPYING file for more details.

sendfax Using device: hpfax:/net/HP_Color_LaserJet_2840?ip=192.168.1.104
sendfax [ERROR]: Unable to open channel (Unknown internal error).
sendfax [ERROR]: Fax send error.
sendfax [ERROR]: Error, aborting.

Expected results:
No error.

Additional info:
from /var/log/audit/audit.log:
type=AVC msg=audit(1147390107.967:599): avc:  denied  { name_connect } for  pid=20228 comm="hpiod" dest=8292 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1147390107.967:599): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=b7f079a0 a2=8444858 a3=0 items=0 pid=20228 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1147390107.967:599): saddr=02002064C0A801680000000000000000
type=SOCKETCALL msg=audit(1147390107.967:599): nargs=3 a0=4 a1=b7f07ad8 a2=10

[root@localhost ~]# audit2allow -i /var/log/audit/audit.log
allow cupsd_t user_home_t:file { getattr read };
allow hplip_t port_t:tcp_socket name_connect;
allow hplip_t snmpd_var_lib_t:file { getattr read };
allow hplip_t user_home_t:file { getattr read };
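As an added illustration (not part of the report or of hplip), the following decodes the SOCKADDR record that accompanies the name_connect AVC, confirming the denied connect went to 192.168.1.104:8292, and shows why labelling that port is a narrower fix than the audit2allow rule `allow hplip_t port_t:tcp_socket name_connect;`, which would let hplip_t reach every unlabelled port. The sample records are constructed from the excerpt above; the type name hplip_port_t is an assumption, not something the report states.

```python
import re
import socket
import struct
# Constructed sample, copied from the report's audit.log excerpt (one record per line).
SAMPLE_LOG = """\
type=AVC msg=audit(1147390107.967:599): avc:  denied  { name_connect } for  pid=20228 comm="hpiod" dest=8292 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SOCKADDR msg=audit(1147390107.967:599): saddr=02002064C0A801680000000000000000
"""
RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')   # the "{ name_connect }" part of an AVC record

def decode_saddr(hex_saddr):
    """Decode a SOCKADDR blob as struct sockaddr_in -> (ip, port); None if not AF_INET."""
    raw = bytes.fromhex(hex_saddr)
    # sa_family_t is in the logging host's byte order; the report's host is i386 (little-endian)
    if len(raw) < 8 or struct.unpack('<H', raw[:2])[0] != socket.AF_INET:
        return None
    port = struct.unpack('!H', raw[2:4])[0]   # sin_port is in network byte order
    return socket.inet_ntoa(raw[4:8]), port

def name_connect_denials(log_text):
    """Join AVC and SOCKADDR records by audit event id; decode each name_connect denial."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, event_id, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        perms = PERMS_RE.search(rest)
        fields['perms'] = perms.group(1).split() if perms else []
        events.setdefault(event_id, {})[rtype] = fields
    denials = []
    for event_id, recs in events.items():
        avc = recs.get('AVC', {})
        if 'name_connect' not in avc.get('perms', []):
            continue
        ip, port = decode_saddr(recs.get('SOCKADDR', {}).get('saddr', '')) or (None, None)
        denials.append({'event': event_id, 'comm': avc['comm'],
                        'domain': avc['scontext'].split(':')[2],
                        'port_type': avc['tcontext'].split(':')[2], 'ip': ip, 'port': port,
                        'dest_matches': port == int(avc.get('dest', -1))})
    return denials

def port_label_fix(denial, port_type='hplip_port_t'):
    """Narrower than audit2allow's 'allow hplip_t port_t:tcp_socket name_connect;', which
    would let the domain reach every unlabelled port. hplip_port_t is an assumed type name."""
    if denial['port_type'] != 'port_t':
        return None   # port already has a dedicated type; the domain needs a rule for that type
    return f"semanage port -a -t {port_type} -p tcp {denial['port']}"
```

Check the assumed type name against `semanage port -l` on the target system before applying the suggested command.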
Comment 1 Daniel Walsh 2006-05-12 10:53:50 EDT
Wow, a pre-bug.  I will add port 8292.  But what about the other allow rules?

Why are cups and hplip_t reading the user's homedir?

Also why is hplip_t looking at snmpd_var_lib_t?

Comment 2 Bernard Johnson 2006-05-12 11:32:49 EDT
Here is a more detailed set of avc messages, broken up by what action triggered
them:

[root@localhost /]# service cups restart
type=AVC msg=audit(1147447885.248:751): avc:  denied  { getattr } for  pid=27597 comm="python" name=".hplip.conf" dev=dm-0 ino=2293789 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1147447885.248:751): arch=40000003 syscall=195 success=yes exit=0 a0=987fd08 a1=bf883378 a2=22fff4 a3=97c21b0 items=1 pid=27597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="python" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1147447885.248:751):  path="/root/.hplip.conf"
type=CWD msg=audit(1147447885.248:751):  cwd="/"
type=PATH msg=audit(1147447885.248:751): item=0 name="/root/.hplip.conf" flags=1  inode=2293789 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1147447885.276:752): avc:  denied  { read } for  pid=27597 comm="python" name=".hplip.conf" dev=dm-0 ino=2293789 scontext=user_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1147447885.276:752): arch=40000003 syscall=5 success=yes exit=2 a0=987fd08 a1=8000 a2=1b6 a3=984d3c0 items=1 pid=27597 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1147447885.276:752):  cwd="/"
type=PATH msg=audit(1147447885.276:752): item=0 name="/root/.hplip.conf" flags=101  inode=2293789 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00


[root@localhost /]# service hplip restart
type=AVC msg=audit(1147447916.662:753): avc:  denied  { getattr } for  pid=27673 comm="python" name=".hplip.conf" dev=dm-0 ino=2293789 scontext=user_u:system_r:hplip_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1147447916.662:753): arch=40000003 syscall=195 success=yes exit=0 a0=99c4408 a1=bff467b8 a2=22fff4 a3=99011b0 items=1 pid=27673 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="python" exe="/usr/bin/python"
type=AVC_PATH msg=audit(1147447916.662:753):  path="/root/.hplip.conf"
type=CWD msg=audit(1147447916.662:753):  cwd="/usr/share/hplip"
type=PATH msg=audit(1147447916.662:753): item=0 name="/root/.hplip.conf" flags=1  inode=2293789 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1147447916.666:754): avc:  denied  { read } for  pid=27673 comm="python" name=".hplip.conf" dev=dm-0 ino=2293789 scontext=user_u:system_r:hplip_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1147447916.666:754): arch=40000003 syscall=5 success=yes exit=4 a0=99c4408 a1=8000 a2=1b6 a3=99a5718 items=1 pid=27673 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="python" exe="/usr/bin/python"
type=CWD msg=audit(1147447916.666:754):  cwd="/usr/share/hplip"
type=PATH msg=audit(1147447916.666:754): item=0 name="/root/.hplip.conf" flags=101  inode=2293789 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00


[bjohnson@localhost ~]$ hp-sendfax (program starts)
type=AVC msg=audit(1147448109.480:755): avc:  denied  { getattr } for  pid=27692 comm="hpiod" name=".index" dev=dm-0 ino=1311436 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1147448109.480:755): arch=40000003 syscall=195 success=yes exit=0 a0=b7f31508 a1=b7f311ec a2=22fff4 a3=0 items=1 pid=27692 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=AVC_PATH msg=audit(1147448109.480:755):  path="/usr/share/snmp/mibs/.index"
type=CWD msg=audit(1147448109.480:755):  cwd="/"
type=PATH msg=audit(1147448109.480:755): item=0 name="/usr/share/snmp/mibs/.index" flags=1  inode=1311436 dev=fd:00 mode=0100666 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1147448109.492:756): avc:  denied  { write } for  pid=27692 comm="hpiod" name=".index" dev=dm-0 ino=1311436 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1147448109.492:756): arch=40000003 syscall=5 success=yes exit=5 a0=b7f313dc a1=8241 a2=1b6 a3=90251b8 items=1 pid=27692 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=CWD msg=audit(1147448109.492:756):  cwd="/"
type=PATH msg=audit(1147448109.492:756): item=0 name="/usr/share/snmp/mibs/.index" flags=310  inode=1311875 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00


hp-sendfax ("Send Fax" button pressed)
type=AVC msg=audit(1147448199.615:757): avc:  denied  { name_connect } for  pid=27692 comm="hpiod" dest=8292 scontext=user_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1147448199.615:757): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=b7f319a0 a2=901b858 a3=0 items=0 pid=27692 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1147448199.615:757): saddr=02002064C0A801680000000000000000
type=SOCKETCALL msg=audit(1147448199.615:757): nargs=3 a0=4 a1=b7f31ad8 a2=10
Comment 3 Tim Waugh 2006-05-12 11:43:27 EDT
> Why are cups and hplip_t reading the user's homedir?

cupsd_t here is actually the HPLIP CUPS backend.  I don't know how useful
~/.hplip.conf is; not very when SELinux is used I think.  We don't want to allow
that rule.

> Also why is hplip_t looking at snmpd_var_lib_t?

I think this is part of the SNMP scanning that it does; perhaps libsnmp does this.

As well as port 8292 there are others that HPLIP may need to connect to:

9100, 9101, 9102,
9290, 9291, 9292,
9220, 9221, 9222, 8290

Bernard: did you try putting SELinux into permissive mode to see if there are
other AVC denials once these first few are overcome?
Comment 4 Bernard Johnson 2006-05-12 11:58:25 EDT
The messages from comment #2 came from permissive mode.
Comment 5 Bernard Johnson 2006-05-31 19:54:05 EDT
Tested with selinux-policy-targeted-2.2.40-1.fc5 and hplip-0.9.11-1.2 - working
fine.
