Bug 476183 - AVC denial(s) in hp-sendfax
AVC denial(s) in hp-sendfax
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
9
All Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-12 05:09 EST by Gilboa Davara
Modified: 2009-06-10 03:41 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-06-10 03:41:43 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Gilboa Davara 2008-12-12 05:09:37 EST
Description of problem:
I'm trying to send a pdf fax using hp-send fax and I'm getting AVC denials.


Version-Release number of selected component (if applicable):
$ rpm -qa | egrep -e 'hplip|selinux-policy-targeted' | sort
hplip-2.8.2-2.fc9.x86_64
hplip-gui-2.8.2-2.fc9.x86_64
selinux-policy-targeted-3.3.1-111.fc9.noarch


How reproducible:
Always


Additional info:
$ cat /var/log/messages | grep hp | grep SELinux                     
Dec 12 11:39:07 gilboa-home-srv setroubleshoot: SELinux is preventing the hpijs from using potentially mislabeled files (./tmp). For complete SELinux messages. run sealert -l 1c97f12c-c0fe-4f43-94f5-54fe26425e51                                                                                         
[rootne@gilboa-home-srv gilboa]$ sealert -l 1c97f12c-c0fe-4f43-94f5-54fe26425e51                    

Summary:

SELinux is preventing the hpijs from using potentially mislabeled files (./tmp).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]                                          

SELinux has denied hpijs access to potentially mislabeled file(s) (./tmp). This
means that SELinux will not allow hpijs to use these files. It is common for   
users to edit files in their home directory or tmp directories and then move   
(mv) them to system directories. The problem is that the files end up with the 
wrong file context which confined applications are not allowed to access.      

Allowing Access:

If you want hpijs to access this files, you need to relabel them using
restorecon -v './tmp'. You might want to relabel the entire directory using
restorecon -R -v './tmp'.                                                  

Additional Information:

Source Context                unconfined_u:system_r:hplip_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0                  
Target Objects                ./tmp [ dir ]                               
Source                        hpijs                                       
Source Path                   /usr/bin/hpijs                              
Port                          <Unknown>                                   
Host                          gilboa-home-srv                             
Source RPM Packages           hpijs-2.8.2-2.fc9                           
Target RPM Packages           filesystem-2.4.13-1.fc9                     
Policy RPM                    selinux-policy-3.3.1-111.fc9                
Selinux Enabled               True                                        
Policy Type                   targeted                                    
MLS Enabled                   True                                        
Enforcing Mode                Permissive                                  
Plugin Name                   home_tmp_bad_labels                         
Host Name                     gilboa-home-srv                             
Platform                      Linux gilboa-home-srv 2.6.27.5-41.fc9.x86_64 #1
                              SMP Thu Nov 13 20:29:07 EST 2008 x86_64 x86_64 
Alert Count                   2                                              
First Seen                    Fri Dec 12 11:30:11 2008                       
Last Seen                     Fri Dec 12 11:39:07 2008                       
Local ID                      1c97f12c-c0fe-4f43-94f5-54fe26425e51           
Line Numbers                                                                 

Raw Audit Messages            

node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { search } for  pid=27792 comm="hpijs" name="tmp" dev=dm-8 ino=409601 scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir                                                      

node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { write } for  pid=27792 comm="hpijs" name="tmp" dev=dm-8 ino=409601 scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir                                                       

node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { add_name } for  pid=27792 comm="hpijs" name="hplipfax8WBQaL" scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir                                                             

node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { create } for  pid=27792 comm="hpijs" name="hplipfax8WBQaL" scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file                                                          

node=gilboa-home-srv type=AVC msg=audit(1229074747.116:8692): avc:  denied  { read write } for  pid=27792 comm="hpijs" name="hplipfax8WBQaL" dev=dm-8 ino=412901 scontext=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file                                  

node=gilboa-home-srv type=SYSCALL msg=audit(1229074747.116:8692): arch=c000003e syscall=2 success=yes exit=10 a0=7fff94e8dc50 a1=c2 a2=180 a3=2d items=0 ppid=27788 pid=27792 auid=800 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=351 comm="hpijs" exe="/usr/bin/hpijs" subj=unconfined_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)
Comment 1 Gilboa Davara 2008-12-12 05:12:52 EST
P.S. I tried relabeling /var/tmp and /tmp - nothing changed.

$ restorecon -Rv /etc /var /tmp
restorecon reset /etc/hp context system_u:object_r:etc_t:s0->system_u:object_r:hplip_etc_t:s0
restorecon reset /etc/hp/hplip.conf context system_u:object_r:etc_t:s0->system_u:object_r:hplip_etc_t:s0

(Beyond hplip.conf itself that somehow needs relabeling every time - but that's another bug by itself.)

- Gilboa
Comment 2 Daniel Walsh 2008-12-12 09:31:16 EST
Looks like hplib_t needs to be able to create hplib_tmp_t files. or cups_tmp_t files.

manage_dirs_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
manage_files_pattern(hplip_t, cupsd_tmp_t, cupsd_tmp_t)
files_tmp_filetrans(hplip_t, cupsd_tmp_t, { file dir })

Should be added.
Comment 3 Miroslav Grepl 2008-12-15 08:48:02 EST
Fixed in selinux-policy-3.3.1-116.fc9.noarch
Comment 4 Gilboa Davara 2008-12-16 02:38:03 EST
When is 116 due in updates-testing? (I can only see 115 - which is used to solve the rpcbind problem)

- Gilboa
Comment 5 Miroslav Grepl 2008-12-16 06:42:29 EST
Gilboa, 

for now you can use selinux-policy-3.3.1-116.fc9.noarch from Koji.
Comment 6 Gilboa Davara 2008-12-16 10:51:15 EST
OK. Thanks. I'll give it a try.

- Gilboa
Comment 7 Gilboa Davara 2008-12-16 11:08:57 EST
Seems to work just fine. (No denials)

Thanks.
- Gilboa
Comment 8 Gilboa Davara 2009-04-30 10:30:43 EDT
Feel free to close this bug.
Comment 9 Bug Zapper 2009-06-09 23:24:55 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.