From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1

Description of problem:

SELinux has denied the hpijs from executing /usr/share/hplip/prnt/plugins/lj-x86_32.so. If hpijs is supposed to be able to execute /usr/share/hplip/prnt/plugins/lj-x86_32.so, this could be a labeling problem. Most confined domains are allowed to execute files labeled bin_t. So you could change the labeling on this file to bin_t and retry the application. If this hpijs is not supposed to execute /usr/share/hplip/prnt/plugins/lj-x86_32.so, this could signal a intrusion attempt.

Additional Information

Source Context: system_u:system_r:hplip_t:s0-s0:c0.c1023
Target Context: unconfined_u:object_r:usr_t:s0
Target Objects: /usr/share/hplip/prnt/plugins/lj-x86_32.so [ file ]
Source: hpijs
Source Path: /usr/bin/hpijs
Port: <Unknown>
Host: localhost.localdomain
Source RPM Packages: hpijs-2.8.2-2.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-79.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: execute
Host Name: localhost.localdomain
Platform: Linux localhost.localdomain 2.6.25.11-97.fc9.i686 #1 SMP Mon Jul 21 01:31:09 EDT 2008 i686 i686
Alert Count: 1
First Seen: Tue 29 Jul 2008 12:14:43 AM MDT
Last Seen: Tue 29 Jul 2008 12:30:58 AM MDT
Local ID: a85d3e13-d2d4-4046-99dc-259bf4221fef
Line Numbers:

Raw Audit Messages :

host=localhost.localdomain type=AVC msg=audit(1217313058.243:54): avc: denied { execute } for pid=22791 comm="hpijs" path="/usr/share/hplip/prnt/plugins/lj-x86_32.so" dev=dm-1 ino=3787486 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1217313058.243:54): arch=40000003 syscall=192 success=yes exit=2232320 a0=0 a1=cea0 a2=5 a3=802 items=0 ppid=22788 pid=22791 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="hpijs" exe="/usr/bin/hpijs" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)

This application has labeling issues that should be addressed with SELinux Policies and the vendor application developer for printing support for HP Printers under Linux : )

Version-Release number of selected component (if applicable):
hpijs-2.8.2-2.fc9

How reproducible:
Always

Steps to Reproduce:
1. Download the HP Printer Installer from the web site (in my case for a PL1006 laser printer).
2. Run the installer, there are EXPLICIT instructions to disable SELINUX!!!!!
3. Failure to disable SELinux will break the installer and fail to print

Actual Results:
Printing with this application will fail

Expected Results:
Throws SELinux denial issues with the product.

Additional info:
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-81.fc9.noarch
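
To preview the kind of rule a local module built from this denial would carry before loading it, the Python sketch below (an added example, not part of the comment above and not audit2allow's own code) parses AVC records and derives the type-enforcement allow rule they imply. The second AVC record in the sample is constructed; note that the resulting rule covers every file labeled usr_t, not only the one plugin.

```python
import re
from collections import defaultdict

# First AVC line is the record quoted in the report; the SYSCALL line is
# shortened and the second AVC line is constructed for illustration.
SAMPLE_LOG = '''\
type=AVC msg=audit(1217313058.243:54): avc: denied { execute } for pid=22791 comm="hpijs" path="/usr/share/hplip/prnt/plugins/lj-x86_32.so" dev=dm-1 ino=3787486 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1217313058.243:54): arch=40000003 syscall=192 success=yes
type=AVC msg=audit(1217313059.000:55): avc: denied { read } for pid=22791 comm="hpijs" path="/usr/share/hplip/prnt/plugins/lj-x86_32.so" scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type, the third field of user:role:type:level."""
    return context.split(':')[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other record types carry no denial
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        denials[key].update(m['perms'].split())
    return denials

def allow_rules(log_text):
    """Render one allow rule per (source, target, class) group."""
    rules = []
    for (src, tgt, cls), perms in sorted(parse_denials(log_text).items()):
        names = sorted(perms)
        perm_str = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules

if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```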
BTW can you point me to the link where HP says to disable SELinux?
HP says to disable within the installer itself: not when it is first launched, but when it checks dependencies, it tells you to disable it explicitly.

http://hplip.sourceforge.net/install/index.html
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.