Bug 457004 - HP Linux Printing causes ACD Denial Issues with product causing printing to fail hpijs-2.8.2-2.fc9
HP Linux Printing causes ACD Denial Issues with product causing printing to f...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
i686 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-07-29 02:47 EDT by Zach Wood
Modified: 2008-11-17 17:05 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-11-17 17:05:16 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Zach Wood 2008-07-29 02:47:21 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1

Description of problem:
SELinux has denied the hpijs from executing /usr/share/hplip/prnt/plugins/lj-x86_32.so. If hpijs is supposed to be able to execute /usr/share/hplip/prnt/plugins/lj-x86_32.so, this could be a labeling problem. Most confined domains are allowed to execute files labeled bin_t. So you could change the labeling on this file to bin_t and retry the application. If this hpijs is not supposed to execute /usr/share/hplip/prnt/plugins/lj-x86_32.so, this could signal a intrusion attempt. 

Additional InformationSource Context:  system_u:system_r:hplip_t:s0-s0:c0.c1023Target Context:  unconfined_u:object_r:usr_t:s0Target Objects:  /usr/share/hplip/prnt/plugins/lj-x86_32.so [ file ]Source:  hpijsSource Path:  /usr/bin/hpijsPort:  <Unknown>Host:  localhost.localdomainSource RPM Packages:  hpijs-2.8.2-2.fc9Target RPM Packages:  Policy RPM:  selinux-policy-3.3.1-79.fc9Selinux Enabled:  TruePolicy Type:  targetedMLS Enabled:  TrueEnforcing Mode:  PermissivePlugin Name:  executeHost Name:  localhost.localdomainPlatform:  Linux localhost.localdomain #1 SMP Mon Jul 21 01:31:09 EDT 2008 i686 i686Alert Count:  1First Seen:  Tue 29 Jul 2008 12:14:43 AM MDTLast Seen:  Tue 29 Jul 2008 12:30:58 AM MDTLocal ID:  a85d3e13-d2d4-4046-99dc-259bf4221fefLine Numbers:  Raw Audit Messages :host=localhost.localdomain type=AVC msg=audit(1217313058.243:54): avc: denied { execute } for pid=22791 comm="hpijs" path="/usr/share/hplip/prnt/plugins/lj-x86_32.so" dev=dm-1 ino=3787486 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file host=localhost.localdomain type=SYSCALL msg=audit(1217313058.243:54): arch=40000003 syscall=192 success=yes exit=2232320 a0=0 a1=cea0 a2=5 a3=802 items=0 ppid=22788 pid=22791 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="hpijs" exe="/usr/bin/hpijs" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null) 

This application has labling issues that should be addressed with SELinux Policies and the vendor application developer for printing support for HP Printers under Linux : ) 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Download the HP Printer Installer from the web site (in my case for a PL1006 laser printer. 
2. Run the installer, there are EXPLICIT instructions to disable SELINUX!!!!!
3. Failutre to disable SELinux will break the installer and fail to print

Actual Results:
Printing with this application will fail 

Expected Results:
Throws SELinux denail issues with the product. 

Additional info:
Comment 1 Daniel Walsh 2008-07-29 15:25:14 EDT
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-81.fc9.noarch
Comment 2 Daniel Walsh 2008-07-29 15:33:00 EDT
BTW can you point me to the link where HP says to disable SELinux?
Comment 3 Zach Wood 2008-07-29 16:13:01 EDT
HP says to disable within the installer itself, not when it is first launched
but when it checks dependencies, it tells you to disable it explicitly.  
Comment 4 Daniel Walsh 2008-11-17 17:05:16 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.