Bug 352161 - SELinux is preventing python (cupsd_config_t) "read write" to (usb_device_t).
Summary: SELinux is preventing python (cupsd_config_t) "read write" to (usb_device_t).
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted   
(Show other bugs)
Version: 8
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2007-10-25 11:57 UTC by M. A. MacLain
Modified: 2007-11-30 22:12 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-10-30 20:15:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description M. A. MacLain 2007-10-25 11:57:04 UTC
Description of problem:
SELinux is preventing python (cupsd_config_t) "read write" to (usb_device_t).
Please file a bug report against this package.Additional InformationSource
Context:  system_u:system_r:cupsd_config_t:s0Target Context: 
system_u:object_r:usb_device_t:s0Target Objects:  None [ chr_file ]Affected RPM
Packages:  Policy RPM:  selinux-policy-3.0.8-30.fc8Selinux Enabled:  TruePolicy
Type:  targetedMLS Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name: 
plugins.catchall_fileHost Name:  dhcppc2Platform:  Linux dhcppc2
#1 SMP Mon Oct 22 18:46:28 EDT 2007 i686 i686Alert Count:  113First Seen:  Sat
13 Oct 2007 08:02:43 AM EDTLast Seen:  Thu 25 Oct 2007 07:41:31 AM EDTLocal ID:
 821409d0-1948-425c-b4e5-0ee848ccf6f1Line Numbers:  Raw Audit Messages :avc:
denied { read write } for comm=python dev=tmpfs egid=0 euid=0
exe=/usr/bin/python exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=001 pid=2839
scontext=system_u:system_r:cupsd_config_t:s0 sgid=0
subj=system_u:system_r:cupsd_config_t:s0 suid=0 tclass=chr_file
tcontext=system_u:object_r:usb_device_t:s0 tty=(none) uid=0 

Version-Release number of selected component (if applicable):

How reproducible: Repeatable

Steps to Reproduce:
1.Turn on HP Printer
Actual results:

Expected results:

Additional info:

Comment 1 Phil Knirsch 2007-10-25 12:30:44 UTC
Reassigning to SELinux policy component.

Read ya, Phil

Comment 2 Daniel Walsh 2007-10-25 13:33:09 UTC
Do you have any idea what python application is running?  

Comment 3 Tim Waugh 2007-10-25 14:07:23 UTC
Sounds like it might be /usr/libexec/hal_lpadmin.

Comment 4 Daniel Walsh 2007-10-25 14:20:33 UTC
So this is something we want to allow.  Can we expect other avc's from this.

Comment 5 Tim Waugh 2007-10-25 15:45:53 UTC
I've just spent a while trying to reproduce this AVC here, but for some reason I

/usr/libexec/hal_lpadmin gets run by hald, and needs to be able to run
/usr/bin/hp-probe.  This in turn needs to read/write usb_device_t (for device
access), hplip_etc_t (for config files), and so on.

However, this should all be taken care of already:

/usr/libexec/hal_lpadmin gets run in domain cupsd_config_t
/usr/bin/hp-probe is a symlink to /usr/share/hplip/probe.py
/usr/share/hplip/probe.py is labelled hplip_exec_t
cupsd_config_t can transition to hplip_t when executing hplip_exec_t
finally, hplip_t can read/write usb_device_t etc

So: what do these commands say?:

1. rpm -q hplip
2. rpm -V hplip
3. ls -l /usr/bin/hp-probe
4. ls -Z /usr/share/hplip/probe.py

Comment 6 Daniel Walsh 2007-10-25 17:49:25 UTC
But it looks like something is running 

python script

Rather then just

script  with python in the first line.

I am not sure how this works from an SELinux point of view, but it is probably a
bad idea since external environment can change the python.  
#!/usr/bin/env python

Comment 7 Tim Waugh 2007-10-26 10:04:30 UTC
The Python code in hal_lpadmin for running hp-probe looks like this:

os.popen("LC_ALL=C hp-probe ...")

Could that be the problem?

Otherwise there is some code that gets run from 'hp-info', also started by
hal_lpadmin in the same way as above when a device is *disconnected*, like this:

os.system("python " + os.path.join(prop.home_dir, "hpssd.py"))

I can see that this latter case is doing exactly what you suggested, running
Python directly and tell it which script to load -- however, hplip-2.7.7-6.fc8
no longer gets to that line on device disconnection.

mgml@earthlink.net: please supply more information:
1. rpm -q hplip
2. rpm -V hplip
3. ls -l /usr/bin/hp-probe
4. ls -Z /usr/share/hplip/probe.py
5. please try to narrow down *precisely* which operation causes the audit
message: is it connecting/switch on the printer, or submitting a print job, or
disconnecting/switching off the printer?

Comment 8 M. A. MacLain 2007-10-26 21:00:46 UTC
Requested information:

1.-rpm -q hplip:

2.-rpm -V hplip: prelink:
/usr/lib/cups/backend/hp: at least one of file's dependencies has changed since
prelinking S.?.....   /usr/lib/cups/backend/hp

3.-ls -l /usr/bin/hp-probe:
lrwxrwxrwx 1 root root 23 2007-10-13 14:22 /usr/bin/hp-probe ->

4.-ls -Z /usr/share/hplip/probe.py:
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/share/hplip/probe.py

5.-Audit message triggered by switching on the printer. Note cord usb was
already connected when  the printer was switched on.

Comment 9 Tim Waugh 2007-10-29 10:59:22 UTC
It looks like /usr/share/hplip/probe.py is labelled incorrectly, and that could
be causing the problem.  So:

1. What does 'rpm -q selinux-policy' say?
2. What does '/sbin/restorecon -v /usr/share/hplip/probe.py' say, as root, and
does it fix the AVC messages?

Comment 10 Daniel Walsh 2007-10-30 03:37:31 UTC
Fixed in selinux-policy-3.0.8-38

Comment 11 M. A. MacLain 2007-10-30 12:08:13 UTC
The printer is working properly now. Thanks

Note You need to log in before you can comment on or make changes to this bug.