Bug 394081 - SELinux is preventing /usr/sbin/cupsd (cupsd_t) "sigkill" to (hplip_t).
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy   
Version: 8
Hardware: All
OS: Linux
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-11-21 13:12 UTC by Jonathan Underwood
Modified: 2008-03-05 22:17 UTC (History)

Fixed In Version: Current
Last Closed: 2008-03-05 22:17:25 UTC

Description Jonathan Underwood 2007-11-21 13:12:42 UTC
Description of problem:
While setting up a printer (HP Deskjet F380) using system-config-printer, I get
the SELinux denial below when clicking the "Apply" button after making a change.

Version-Release number of selected component (if applicable):
selinux-policy-devel-3.0.8-56.fc8
libselinux-2.0.43-1.fc8
libselinux-python-2.0.43-1.fc8
selinux-policy-targeted-3.0.8-56.fc8
libselinux-2.0.43-1.fc8
selinux-policy-3.0.8-56.fc8
system-config-printer-libs-0.7.74.4-3.fc8
system-config-printer-0.7.74.4-3.fc8
bluez-utils-cups-3.20-4.fc8
libgnomecups-0.2.2-11.fc8
cups-libs-1.3.4-2.fc8
cups-1.3.4-2.fc8
apcupsd-3.14.2-1.fc8
cups-libs-1.3.4-2.fc8
hal-cups-utils-0.6.13-2.fc8
libgnomecups-0.2.2-11.fc8
hpijs-2.7.7-6.fc8

Summary
    SELinux is preventing /usr/sbin/cupsd (cupsd_t) "sigkill" to <Unknown>
    (hplip_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/cupsd. It is not expected that
    this access is required by /usr/sbin/cupsd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

Additional Information        

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:hplip_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Affected RPM Packages         cups-1.3.4-2.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-56.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     withnail.phys.ucl.ac.uk
Platform                      Linux withnail.phys.ucl.ac.uk 2.6.23.1-49.fc8 #1
                              SMP Thu Nov 8 22:14:09 EST 2007 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 21 Nov 2007 01:06:39 PM GMT
Last Seen                     Wed 21 Nov 2007 01:06:39 PM GMT
Local ID                      1248ff6a-740b-4881-8ea1-edd425fa12bd
Line Numbers                  

Raw Audit Messages            

avc: denied { sigkill } for comm=cupsd egid=0 euid=0 exe=/usr/sbin/cupsd
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=2329
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=process
tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tty=(none) uid=0

Comment 1 Daniel Walsh 2007-11-21 14:31:35 UTC
You can allow this for now by executing:

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-60.fc8


Comment 2 Suresh Kolsur 2007-12-21 09:06:47 UTC
I faced the same issue when I tried configuring HP LJ 9040 MFP and HP color LJ
5550. I would like to know if allowing this has any flaws/security holes?

-Suresh Kolsur

Comment 3 Suresh Kolsur 2007-12-21 09:17:54 UTC
What does audit2allow -M mypol -i /var/log/audit/audit.log do?
Let me know how to resolve this issue, or if any patch is available?

-Suresh Kolsur

Comment 4 Daniel Walsh 2007-12-31 19:10:16 UTC
It examines the audit.log file for AVC messages; it then generates a policy
module named mypol.pp allowing all of the denied access rules in the audit.log.

Basically it allows you to easily customize the policy on your machine, so you
can leave it in enforcing mode.  You should always examine the policy that it
generates to see if it would be a security problem.
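
Added example (not part of the original bug thread, and not audit2allow's own code): a Python illustration of the translation Comment 4 describes, turning AVC denials into allow rules, and of why the result needs review when the whole audit.log is used as input. The first record is this bug's denial abridged to one line; the second record and the `example_t` domain are constructed. Real audit2allow output also carries a module header and a require block.

```python
import re
from collections import defaultdict

# First record: the denial from this bug report, abridged to one line.
# Second record: constructed and unrelated (hypothetical example_t domain),
# standing in for whatever else the audit log happens to contain.
SAMPLE_LOG = """\
avc: denied { sigkill } for comm=cupsd exe=/usr/sbin/cupsd pid=2329 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=process tcontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
avc: denied { read write } for comm=exampled pid=4242 scontext=system_u:system_r:example_t:s0 tclass=file tcontext=system_u:object_r:shadow_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def selinux_type(context):
    # Context layout is user:role:type[:level]; allow rules use only the type.
    return context.split(":")[2]

def parse_denials(log_text):
    """Yield (source_type, target_type, object_class, permissions) per denial."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        yield (selinux_type(fields["scontext"]), selinux_type(fields["tcontext"]),
               fields["tclass"], m.group(1).split())

def allow_rules(log_text, source_type=None):
    """Merge denials into allow rules, optionally limited to one source domain."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(log_text):
        if source_type is None or src == source_type:
            merged[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    print("Rules from the whole log:")
    print("\n".join("  " + r for r in allow_rules(SAMPLE_LOG)))
    print("Rules limited to cupsd_t:")
    print("\n".join("  " + r for r in allow_rules(SAMPLE_LOG, "cupsd_t")))
```

Run over the whole sample log, the output includes a rule for the unrelated denial as well; limiting the input to the domain being fixed yields only the cupsd_t rule for this bug.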

Comment 5 Daniel Walsh 2008-03-05 22:17:25 UTC
Bugs have been in modified for over one month.  Closing as fixed in current
release; please reopen if the problem still persists.

