Bug 352161 - SELinux is preventing python (cupsd_config_t) "read write" to (usb_device_t).
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: i386 Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Ben Levenson

Reported: 2007-10-25 07:57 EDT by M. A. MacLain
Modified: 2007-11-30 17:12 EST

Doc Type: Bug Fix
Last Closed: 2007-10-30 16:15:05 EDT

Description M. A. MacLain 2007-10-25 07:57:04 EDT
Description of problem:
SELinux is preventing python (cupsd_config_t) "read write" to (usb_device_t).
Please file a bug report against this package.

Additional Information

Source Context:  system_u:system_r:cupsd_config_t:s0
Target Context:  system_u:object_r:usb_device_t:s0
Target Objects:  None [ chr_file ]
Affected RPM Packages:
Policy RPM:  selinux-policy-3.0.8-30.fc8
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.catchall_file
Host Name:  dhcppc2
Platform:  Linux dhcppc2 2.6.23.1-30.fc8 #1 SMP Mon Oct 22 18:46:28 EDT 2007 i686 i686
Alert Count:  113
First Seen:  Sat 13 Oct 2007 08:02:43 AM EDT
Last Seen:  Thu 25 Oct 2007 07:41:31 AM EDT
Local ID:  821409d0-1948-425c-b4e5-0ee848ccf6f1
Line Numbers:

Raw Audit Messages:

avc: denied { read write } for comm=python dev=tmpfs egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=001 pid=2839 scontext=system_u:system_r:cupsd_config_t:s0 sgid=0 subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
3.0.8-30.fc8

How reproducible: Repeatable


Steps to Reproduce:
1. Turn on HP Printer
  
Actual results:


Expected results:


Additional info:
Comment 1 Phil Knirsch 2007-10-25 08:30:44 EDT
Reassigning to SELinux policy component.

Read ya, Phil
Comment 2 Daniel Walsh 2007-10-25 09:33:09 EDT
Do you have any idea what python application is running?  
Comment 3 Tim Waugh 2007-10-25 10:07:23 EDT
Sounds like it might be /usr/libexec/hal_lpadmin.
Comment 4 Daniel Walsh 2007-10-25 10:20:33 EDT
So this is something we want to allow.  Can we expect other AVCs from this?
Comment 5 Tim Waugh 2007-10-25 11:45:53 EDT
I've just spent a while trying to reproduce this AVC here, but for some reason I
can't.

/usr/libexec/hal_lpadmin gets run by hald, and needs to be able to run
/usr/bin/hp-probe.  This in turn needs to read/write usb_device_t (for device
access), hplip_etc_t (for config files), and so on.

However, this should all be taken care of already:

/usr/libexec/hal_lpadmin gets run in domain cupsd_config_t
/usr/bin/hp-probe is a symlink to /usr/share/hplip/probe.py
/usr/share/hplip/probe.py is labelled hplip_exec_t
cupsd_config_t can transition to hplip_t when executing hplip_exec_t
finally, hplip_t can read/write usb_device_t etc

So: what do these commands say?:

1. rpm -q hplip
2. rpm -V hplip
3. ls -l /usr/bin/hp-probe
4. ls -Z /usr/share/hplip/probe.py
Comment 6 Daniel Walsh 2007-10-25 13:49:25 EDT
But it looks like something is running 

python script

Rather than just

script  with python in the first line.

I am not sure how this works from an SELinux point of view, but it is probably a
bad idea since external environment can change the python.  
#!/usr/bin/env python


Comment 7 Tim Waugh 2007-10-26 06:04:30 EDT
The Python code in hal_lpadmin for running hp-probe looks like this:

os.popen("LC_ALL=C hp-probe ...")

Could that be the problem?

Otherwise there is some code that gets run from 'hp-info', also started by
hal_lpadmin in the same way as above when a device is *disconnected*, like this:

os.system("python " + os.path.join(prop.home_dir, "hpssd.py"))

I can see that this latter case is doing exactly what you suggested, running
Python directly and telling it which script to load -- however, hplip-2.7.7-6.fc8
no longer gets to that line on device disconnection.

mgml@earthlink.net: please supply more information:
1. rpm -q hplip
2. rpm -V hplip
3. ls -l /usr/bin/hp-probe
4. ls -Z /usr/share/hplip/probe.py
5. please try to narrow down *precisely* which operation causes the audit
message: is it connecting/switching on the printer, or submitting a print job, or
disconnecting/switching off the printer?
Comment 8 M. A. MacLain 2007-10-26 17:00:46 EDT
Requested information:

1.-rpm -q hplip:
hplip-2.7.7-6.fc8

2.-rpm -V hplip:
prelink: /usr/lib/cups/backend/hp: at least one of file's dependencies has changed since prelinking
S.?.....   /usr/lib/cups/backend/hp

3.-ls -l /usr/bin/hp-probe:
lrwxrwxrwx 1 root root 23 2007-10-13 14:22 /usr/bin/hp-probe -> ../share/hplip/probe.py

4.-ls -Z /usr/share/hplip/probe.py:
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/share/hplip/probe.py

5.-Audit message triggered by switching on the printer. Note: the USB cord was
already connected when the printer was switched on.
Comment 9 Tim Waugh 2007-10-29 06:59:22 EDT
It looks like /usr/share/hplip/probe.py is labelled incorrectly, and that could
be causing the problem.  So:

1. What does 'rpm -q selinux-policy' say?
2. What does '/sbin/restorecon -v /usr/share/hplip/probe.py' say, as root, and
does it fix the AVC messages?
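
Added example (not part of the bug thread, and not code from selinux-policy or hplip): the triage reasoning of comments 5, 8 and 9 written out in Python and applied to the AVC record and `ls -Z` output quoted in this bug. The function names and the `EXPECTED` table are assumptions made for illustration; the expected types are the ones listed in comment 5.

```python
import re

# Sample input constructed from this bug: the AVC message in the description
# (abridged to the fields used here) and the `ls -Z` line from comment 8.
AVC = ("avc: denied { read write } for comm=python exe=/usr/bin/python name=001 "
       "scontext=system_u:system_r:cupsd_config_t:s0 tclass=chr_file "
       "tcontext=system_u:object_r:usb_device_t:s0")
LS_Z = "-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/share/hplip/probe.py"

# Assumption, taken from comment 5: the transition hp-probe is meant to trigger.
EXPECTED = {"from": "cupsd_config_t", "entrypoint": "hplip_exec_t", "to": "hplip_t"}


def ctx_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % context)
    return parts[2]


def parse_avc(line):
    """Extract permissions, class and source/target types from an AVC denial."""
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    if not perms or "scontext" not in fields or "tcontext" not in fields:
        raise ValueError("not an AVC denial record")
    return {"perms": perms.group(1).split(), "tclass": fields.get("tclass"),
            "source": ctx_type(fields["scontext"]),
            "target": ctx_type(fields["tcontext"])}


def parse_ls_z(line):
    """Return (path, type) from one line of `ls -Z` output."""
    m = re.search(r"(\S+:\S+:\S+)\s+(/.*)$", line)
    if not m:
        raise ValueError("no context found in ls -Z line")
    return m.group(2), ctx_type(m.group(1))


def diagnose(avc_line, ls_line, expected=EXPECTED):
    """Say whether a wrong entrypoint label explains the denial's source domain."""
    avc, (path, ftype) = parse_avc(avc_line), parse_ls_z(ls_line)
    if avc["source"] != expected["from"]:
        return "unrelated: denial comes from %s" % avc["source"]
    if ftype != expected["entrypoint"]:
        return ("mislabelled: %s is %s, not %s, so no transition to %s"
                % (path, ftype, expected["entrypoint"], expected["to"]))
    return "label ok: check whether the interpreter is run directly"
```

With the inputs from this bug, `diagnose(AVC, LS_Z)` reports the `bin_t` label on probe.py; once the file carries `hplip_exec_t`, it falls through to the direct-interpreter case raised in comment 6.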
Comment 10 Daniel Walsh 2007-10-29 23:37:31 EDT
Fixed in selinux-policy-3.0.8-38
Comment 11 M. A. MacLain 2007-10-30 08:08:13 EDT
The printer is working properly now. Thanks
