Bug 394081 - SELinux is preventing /usr/sbin/cupsd (cupsd_t) "sigkill" to (hplip_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-21 08:12 EST by Jonathan Underwood
Modified: 2008-03-05 17:17 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-03-05 17:17:25 EST
Description Jonathan Underwood 2007-11-21 08:12:42 EST
Description of problem:
While setting up a printer (HP Deskjet F380) using system-config-printer, I get
the SELinux denial below when clicking the "Apply" button after making a change.

Version-Release number of selected component (if applicable):
selinux-policy-devel-3.0.8-56.fc8
libselinux-2.0.43-1.fc8
libselinux-python-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-56.fc8
libselinux-2.0.43-1.fc8
selinux-policy-3.0.8-56.fc8
system-config-printer-libs-0.7.74.4-3.fc8
system-config-printer-0.7.74.4-3.fc8
bluez-utils-cups-3.20-4.fc8
libgnomecups-0.2.2-11.fc8
cups-libs-1.3.4-2.fc8
cups-1.3.4-2.fc8
apcupsd-3.14.2-1.fc8
cups-libs-1.3.4-2.fc8
hal-cups-utils-0.6.13-2.fc8
libgnomecups-0.2.2-11.fc8
hpijs-2.7.7-6.fc8

Summary
    SELinux is preventing /usr/sbin/cupsd (cupsd_t) "sigkill" to <Unknown>
    (hplip_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/cupsd. It is not expected that
    this access is required by /usr/sbin/cupsd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:hplip_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Affected RPM Packages         cups-1.3.4-2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     withnail.phys.ucl.ac.uk
Platform                      Linux withnail.phys.ucl.ac.uk 2.6.23.1-49.fc8 #1
                              SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 21 Nov 2007 01:06:39 PM GMT
Last Seen                     Wed 21 Nov 2007 01:06:39 PM GMT
Local ID                      1248ff6a-740b-4881-8ea1-edd425fa12bd
Line Numbers                  

Raw Audit Messages            

avc: denied { sigkill } for comm=cupsd egid=0 euid=0 exe=/usr/sbin/cupsd
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2329
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=process
tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tty=(none) uid=0
Comment 1 Daniel Walsh 2007-11-21 09:31:35 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-60.fc8
Comment 2 Suresh Kolsur 2007-12-21 04:06:47 EST
I had faced the same issue when I tried configuring HP LJ 9040 MFP and HP color LJ
5550. I would like to know if allowing this has any flaws/security holes?

-Suresh Kolsur
Comment 3 Suresh Kolsur 2007-12-21 04:17:54 EST
What does audit2allow -M mypol -i /var/log/audit/audit.log do?
Let me know how to resolve this issue, or if any patch is available?

-Suresh Kolsur
Comment 4 Daniel Walsh 2007-12-31 14:10:16 EST
It examines the audit.log file for AVC messages, then generates a policy
module named mypol.pp allowing all of the denied access rules in the audit.log.

Basically it allows you to easily customize the policy on your machine, so you
can leave it in enforcing mode.  You should always examine the policy that it
generates to see if it would be a security problem.
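
Added example (not part of the bug thread and not audit2allow's own code): a small Python sketch that turns AVC denials into the allow rules a whole-log policy module would carry, so the rules outside the domain under investigation stand out before anything is installed. The second log record, the function names and the rule rendering are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Raw audit message from the bug report, followed by one CONSTRUCTED,
# unrelated denial to show what a whole-log run would sweep into the module.
SAMPLE_LOG = """\
avc: denied { sigkill } for comm=cupsd egid=0 euid=0 exe=/usr/sbin/cupsd
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2329
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=process
tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tty=(none) uid=0
type=AVC msg=audit(1195650400.000:46): avc:  denied  { read } for  pid=3001 comm="httpd" name="shadow" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

def _field(record, key):
    m = re.search(r"\b%s=(\S+)" % key, record)
    return m.group(1) if m else None

def denials_to_rules(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    flat = " ".join(log_text.split())  # undo line wrapping in the report
    for record in re.split(r"(?=avc:\s*denied)", flat):
        perms = re.match(r"avc:\s*denied\s*\{([^}]*)\}", record)
        scon, tcon, tclass = (_field(record, k) for k in ("scontext", "tcontext", "tclass"))
        if not (perms and scon and tcon and tclass):
            continue  # not a complete AVC denial
        key = (scon.split(":")[2], tcon.split(":")[2], tclass)  # user:role:TYPE:level
        rules[key].update(perms.group(1).split())
    return dict(rules)

def render(rules):
    """Render rules in the 'allow src tgt:class perms;' form used in .te files."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        out.append("allow %s %s:%s %s;" % (src, tgt, cls, body))
    return out

def split_by_source(rules, wanted_source):
    """Separate rules for the domain being investigated from everything else."""
    expected = {k: v for k, v in rules.items() if k[0] == wanted_source}
    other = {k: v for k, v in rules.items() if k[0] != wanted_source}
    return expected, other

if __name__ == "__main__":
    mine, rest = split_by_source(denials_to_rules(SAMPLE_LOG), "cupsd_t")
    print("expected:", render(mine))
    print("also swept in:", render(rest))
```

On a real system the same narrowing can be done by feeding audit2allow only the relevant records, for example `grep cupsd /var/log/audit/audit.log | audit2allow -M mypol`, and reading the generated mypol.te before running `semodule -i mypol.pp`.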
Comment 5 Daniel Walsh 2008-03-05 17:17:25 EST
Bugs have been in MODIFIED for over one month.  Closing as fixed in current
release; please reopen if the problem still persists.
