Bug 479178 - cups/hplip wants to write its config file (hplip.conf)?????
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: hplip
Version: 10
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Tim Waugh
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-01-07 14:08 EST by Tom London
Modified: 2009-03-13 14:35 EDT

Fixed In Version: 2.8.12-6.fc10
Doc Type: Bug Fix
Last Closed: 2009-03-13 14:35:06 EDT
Description Tom London 2009-01-07 14:08:22 EST
Description of problem:
I'm seeing the following AVCs when I attempt to print to my HP1300 laserjet:

type=AVC msg=audit(1231349328.831:10): avc:  denied  { write } for  pid=2553 comm="python" name="hplip.conf" dev=dm-1 ino=778585 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1231349328.831:10): arch=c000003e syscall=2 success=no exit=-13 a0=1945210 a1=241 a2=1b6 a3=7feef5bda6f0 items=0 ppid=2549 pid=2553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0 key=(null)
type=ANOM_ABEND msg=audit(1231349329.067:11): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:kernel_t:s0 pid=790 comm="plymouthd" sig=11
type=AVC msg=audit(1231349329.154:12): avc:  denied  { write } for  pid=2588 comm="python" name="hplip.conf" dev=dm-1 ino=778585 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1231349329.154:12): arch=c000003e syscall=2 success=no exit=-13 a0=1039210 a1=241 a2=1b6 a3=7f18011216f0 items=0 ppid=2587 pid=2588 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0 key=(null)
type=AVC msg=audit(1231349329.446:13): avc:  denied  { write } for  pid=2645 comm="python" name="hplip.conf" dev=dm-1 ino=778585 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1231349329.446:13): arch=c000003e syscall=2 success=no exit=-13 a0=7f60f198be70 a1=241 a2=1b6 a3=7f60f1ec76f0 items=0 ppid=2642 pid=2645 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0 key=(null)

Can this be a good idea?

Version-Release number of selected component (if applicable):
hplip-2.8.12-1.fc11.x86_64
cups-1.4-0.b2.2.fc11.x86_64

How reproducible:
Every time

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
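
Added example, not part of the original report: a small Python parser that pairs each AVC record with the SYSCALL record sharing its audit serial and decodes the open(2) arguments. The sample input is event 10 from the description above; the function names are illustrative.

```python
import re
from collections import defaultdict

# Event 10, copied from the report above (AVC and SYSCALL share serial 10).
SAMPLE = """\
type=AVC msg=audit(1231349328.831:10): avc:  denied  { write } for  pid=2553 comm="python" name="hplip.conf" dev=dm-1 ino=778585 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1231349328.831:10): arch=c000003e syscall=2 success=no exit=-13 a0=1945210 a1=241 a2=1b6 a3=7feef5bda6f0 items=0 ppid=2549 pid=2553 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0 key=(null)
"""

MSG_RE = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{([^}]*)\}")
# Linux open(2) flag values; audit logs a0..a3 in hex.
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}
OPEN_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC", 0o2000: "O_APPEND"}

def decode_open_flags(hexval):
    flags = int(hexval, 16)
    names = [ACCMODE.get(flags & 3, "?")]
    return names + [n for bit, n in sorted(OPEN_FLAGS.items()) if flags & bit]

def parse_events(text):
    """Group audit records by serial number: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(line[m.end():])}
        pm = PERM_RE.search(line)
        if pm:
            fields["perms"] = pm.group(1).split()
        events[int(m.group(2))][m.group(1)] = fields
    return dict(events)

def summarize(event):
    """Reduce one event to who was denied what, plus decoded open(2) args."""
    avc, sc = event["AVC"], event.get("SYSCALL", {})
    out = {"source_type": avc["scontext"].split(":")[2],
           "target_type": avc["tcontext"].split(":")[2],
           "tclass": avc["tclass"], "perms": avc["perms"], "name": avc["name"]}
    # On arch c000003e (x86_64) syscall 2 is open(2): a1 = flags, a2 = mode.
    if sc.get("arch") == "c000003e" and sc.get("syscall") == "2":
        out["open_flags"] = decode_open_flags(sc["a1"])
        out["open_mode"] = oct(int(sc["a2"], 16))
        out["errno"] = -int(sc["exit"])
    return out

if __name__ == "__main__":
    print(summarize(parse_events(SAMPLE)[10]))
```

The decoded flags show the process in hplip_t opening hplip.conf write-only with create and truncate, which is a rewrite of the whole file rather than an append.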
Comment 1 Gabriel Sfestarof 2009-01-10 16:02:49 EST
I can confirm it for F10.



 rpm -qa|grep selinux && rpm -qa|grep hplip
libselinux-utils-2.0.73-1.fc10.i386
selinux-policy-doc-3.5.13-38.fc10.noarch
selinux-policy-3.5.13-38.fc10.noarch
libselinux-2.0.73-1.fc10.i386
libselinux-python-2.0.73-1.fc10.i386
selinux-doc-1.26-1.1.noarch
selinux-policy-targeted-3.5.13-38.fc10.noarch
hplip-libs-2.8.12-1.fc10.i386
hplip-2.8.12-1.fc10.i386
hplip-gui-2.8.12-1.fc10.i386




After doing semanage permissive -a hplip_t here's the difference between the original file copied in /root and the modified one


 diff  /etc/hp/hplip.conf /root/hplip.conf 
1,13c1
< [dirs]
< run = /var/run
< cupsbackend = /usr/lib/cups/backend
< ppd = /usr/share/ppd/HP
< doc = /usr/share/doc/hplip-2.8.12
< drv = /usr/share/cups/drv/hp
< ppdbase = /usr/share/ppd
< home = /usr/share/hplip
< icon = /usr/share/applications
< cupsfilter = /usr/lib/cups/filter
< 
< [last_used]
< device_uri = hp:/usb/Deskjet_F4100_series?serial=CN7673S2N104TJ
---
> # hplip.conf.  Generated from hplip.conf.in by configure.
16c4
< version = 2.8.12
---
> version=2.8.12
17a6,17
> [dirs]
> home=/usr/share/hplip
> run=/var/run
> ppd=/usr/share/ppd/HP
> ppdbase=/usr/share/ppd
> doc=/usr/share/doc/hplip-2.8.12
> icon=/usr/share/applications
> cupsbackend=/usr/lib/cups/backend
> cupsfilter=/usr/lib/cups/filter
> drv=/usr/share/cups/drv/hp
> 
> # Following values are determined at configure time and cannot be changed.
19,35c19,36
< foomatic-rip-hplip-install = no
< qt4 = no
< doc-build = yes
< qt3 = yes
< cups11-build = no
< gui-build = yes
< internal-tag = 2.8.12.26
< foomatic-ppd-install = no
< network-build = yes
< ui-toolkit = qt3
< pp-build = yes
< fax-build = yes
< scanner-build = yes
< restricted-build = no
< dbus-build = yes
< shadow-build = no
< foomatic-drv-install = yes
---
> network-build=yes
> pp-build=yes
> gui-build=yes
> scanner-build=yes
> fax-build=yes
> dbus-build=yes
> cups11-build=no
> doc-build=yes
> shadow-build=no
> foomatic-drv-install=yes
> foomatic-ppd-install=no
> foomatic-rip-hplip-install=no
> internal-tag=2.8.12.26
> restricted-build=no
> ui-toolkit=qt3
> qt3=yes
> qt4=no
>
Comment 2 Tim Waugh 2009-01-12 06:37:42 EST
Yeah, it shouldn't do that.
Comment 3 Gabriel Sfestarof 2009-01-13 01:54:53 EST
The bug seems to affect CentOS 5.2 too, so perhaps it should occur in RHEL too.
Comment 4 Tim Waugh 2009-01-13 05:12:42 EST
I can't see a code path that works in quite the same way for RHEL-5.2.  It may adjust the system wide configuration file when run directly by root, but I don't see that it will when run from CUPS.  Are you seeing AVC messages on CentOS 5.2?

FWIW, the way I was able to trigger the AVC message on Fedora 10 was by switching on a connected USB HP printer; this triggers hal_lpadmin (running in cups_config_t), which in turn runs hp-info (running in hplip_t).
Comment 5 Gabriel Sfestarof 2009-01-13 07:29:59 EST
That's precisely how I found the AVC. I had installed F10 for a while, but never started the printer. After switching hplip.conf_t domain in permissive to make sure the AVC's still appear, then ausearch -m avc -ts today | audit2allow -M myhplip; semodule -i myhplip.pp (because it was the only denial I had on F10)

After a major power outage last night, I fired up CentOS 5.2, applied the updates and I started browsing Setroubleshooter. I noticed this kind of denial but at the moment the net was still down so I couldn't report anything. I'll reboot in a few hours, test it again for AVC's and if any I'll report back here.
Comment 6 Fedora Update System 2009-01-14 22:05:02 EST
hplip-2.8.12-5.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update hplip'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11236
Comment 7 Fedora Update System 2009-01-29 18:01:51 EST
hplip-2.8.12-6.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update hplip'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11236
Comment 8 Fedora Update System 2009-03-13 14:34:41 EDT
hplip-2.8.12-6.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
