Description of problem:
SELinux is preventing python (cupsd_config_t) "read write" to (usb_device_t). Please file a bug report against this package.

Additional Information
Source Context: system_u:system_r:cupsd_config_t:s0
Target Context: system_u:object_r:usb_device_t:s0
Target Objects: None [ chr_file ]
Affected RPM Packages:
Policy RPM: selinux-policy-3.0.8-30.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: dhcppc2
Platform: Linux dhcppc2 2.6.23.1-30.fc8 #1 SMP Mon Oct 22 18:46:28 EDT 2007 i686 i686
Alert Count: 113
First Seen: Sat 13 Oct 2007 08:02:43 AM EDT
Last Seen: Thu 25 Oct 2007 07:41:31 AM EDT
Local ID: 821409d0-1948-425c-b4e5-0ee848ccf6f1
Line Numbers:

Raw Audit Messages:
avc: denied { read write } for comm=python dev=tmpfs egid=0 euid=0 exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=001 pid=2839 scontext=system_u:system_r:cupsd_config_t:s0 sgid=0 subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0

Version-Release number of selected component (if applicable):
3.0.8-30.fc8

How reproducible:
Repeatable

Steps to Reproduce:
1. Turn on HP Printer
2.
3.

Actual results:

Expected results:

Additional info:
Reassigning to SELinux policy component. Read ya, Phil
Do you have any idea what python application is running?
Sounds like it might be /usr/libexec/hal_lpadmin.
So this is something we want to allow. Can we expect other AVCs from this?
I've just spent a while trying to reproduce this AVC here, but for some reason I can't.

/usr/libexec/hal_lpadmin gets run by hald, and needs to be able to run /usr/bin/hp-probe. This in turn needs to read/write usb_device_t (for device access), hplip_etc_t (for config files), and so on.

However, this should all be taken care of already:

/usr/libexec/hal_lpadmin gets run in domain cupsd_config_t
/usr/bin/hp-probe is a symlink to /usr/share/hplip/probe.py
/usr/share/hplip/probe.py is labelled hplip_exec_t
cupsd_config_t can transition to hplip_t when executing hplip_exec_t
finally, hplip_t can read/write usb_device_t etc

So: what do these commands say?:

1. rpm -q hplip
2. rpm -V hplip
3. ls -l /usr/bin/hp-probe
4. ls -Z /usr/share/hplip/probe.py
But it looks like something is running "python script" rather than just a script with python in the first line. I am not sure how this works from an SELinux point of view, but it is probably a bad idea since the external environment can change the python.

#!/usr/bin/env python
The Python code in hal_lpadmin for running hp-probe looks like this:

    os.popen("LC_ALL=C hp-probe ...")

Could that be the problem?

Otherwise there is some code that gets run from 'hp-info', also started by hal_lpadmin in the same way as above when a device is *disconnected*, like this:

    os.system("python " + os.path.join(prop.home_dir, "hpssd.py"))

I can see that this latter case is doing exactly what you suggested, running Python directly and telling it which script to load -- however, hplip-2.7.7-6.fc8 no longer gets to that line on device disconnection.

mgml: please supply more information:

1. rpm -q hplip
2. rpm -V hplip
3. ls -l /usr/bin/hp-probe
4. ls -Z /usr/share/hplip/probe.py
5. please try to narrow down *precisely* which operation causes the audit message: is it connecting/switching on the printer, or submitting a print job, or disconnecting/switching off the printer?
Requested information:

1. rpm -q hplip:
    hplip-2.7.7-6.fc8
2. rpm -V hplip:
    prelink: /usr/lib/cups/backend/hp: at least one of file's dependencies has changed since prelinking
    S.?..... /usr/lib/cups/backend/hp
3. ls -l /usr/bin/hp-probe:
    lrwxrwxrwx 1 root root 23 2007-10-13 14:22 /usr/bin/hp-probe -> ../share/hplip/probe.py
4. ls -Z /usr/share/hplip/probe.py:
    -rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/share/hplip/probe.py
5. Audit message triggered by switching on the printer. Note: the USB cord was already connected when the printer was switched on.
It looks like /usr/share/hplip/probe.py is labelled incorrectly, and that could be causing the problem. So:

1. What does 'rpm -q selinux-policy' say?
2. What does '/sbin/restorecon -v /usr/share/hplip/probe.py' say, as root, and does it fix the AVC messages?
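
Added example, not part of the original bug thread and not selinux-policy code: a small Python model of the diagnosis in the comments above, showing why a probe.py labelled bin_t keeps the process in cupsd_config_t and produces this denial, while hplip_exec_t does not. The TRANSITIONS and ALLOW tables are assumptions built only from the rules described in the thread, and the AVC string is the one from the report with unused fields trimmed.

```python
import re

# AVC record copied from the report above (fields not needed here are trimmed).
AVC = ("avc: denied { read write } for comm=python exe=/usr/bin/python "
       "name=001 pid=2839 scontext=system_u:system_r:cupsd_config_t:s0 "
       "tclass=chr_file tcontext=system_u:object_r:usb_device_t:s0")

# Simplified model of the rules described in the thread, not the real policy.
# (calling domain, type of the executed file) -> domain after exec
TRANSITIONS = {("cupsd_config_t", "hplip_exec_t"): "hplip_t"}
# (domain, target type, object class) -> permitted operations
ALLOW = {("hplip_t", "usb_device_t", "chr_file"): {"read", "write"}}


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Extract permissions, source/target types and class from an AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC denial")
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    return {"perms": set(m.group(1).split()),
            "source": type_of(fields["scontext"]),
            "target": type_of(fields["tcontext"]),
            "tclass": fields["tclass"]}


def domain_after_exec(domain, file_type):
    """No matching transition rule means the process stays in its domain."""
    return TRANSITIONS.get((domain, file_type), domain)


def explain(avc_line, caller_domain, exec_file_type):
    """Return (resulting domain, permissions from the AVC that stay denied)."""
    avc = parse_avc(avc_line)
    domain = domain_after_exec(caller_domain, exec_file_type)
    allowed = ALLOW.get((domain, avc["target"], avc["tclass"]), set())
    return domain, avc["perms"] - allowed


if __name__ == "__main__":
    for label in ("bin_t", "hplip_exec_t"):  # label seen in ls -Z vs. expected
        domain, denied = explain(AVC, "cupsd_config_t", label)
        print(f"probe.py as {label}: domain {domain}, denied {sorted(denied)}")
```
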
Fixed in selinux-policy-3.0.8-38
The printer is working properly now. Thanks