Bug 516078 - setroubleshoot: SELinux is preventing python (hplip_t) "read" var_lib_t.
Summary: setroubleshoot: SELinux is preventing python (hplip_t) "read" var_lib_t.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:cf3c4943363...
: 517729 559945 (view as bug list)
Depends On:
Blocks: 513911 517000
TreeView+ depends on / blocked
 
Reported: 2009-08-06 16:19 UTC by Tom London
Modified: 2010-01-29 13:50 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-09-15 12:03:50 UTC
Type: ---


Attachments (Terms of Use)

Description Tom London 2009-08-06 16:19:57 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing python (hplip_t) "read" var_lib_t.

Detailed Description:

SELinux denied access requested by python. It is not expected that this access
is required by python and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:hplip_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib/hp/hplip.state [ file ]
Source                        python
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.2-1.fc12
Target RPM Packages           hplip-3.9.8-1.fc12
Policy RPM                    selinux-policy-3.6.26-6.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31-0.132.rc5.git3.fc12.x86_64 #1 SMP Wed Aug 5
                              03:27:31 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 06 Aug 2009 09:17:28 AM PDT
Last Seen                     Thu 06 Aug 2009 09:17:28 AM PDT
Local ID                      14225282-9043-43b8-910b-6f2ec13201c6
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1249575448.508:11633): avc:  denied  { read } for  pid=1087 comm="python" name="hplip.state" dev=dm-0 ino=143209 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1249575448.508:11633): arch=c000003e syscall=2 success=no exit=-13 a0=1177000 a1=0 a2=1b6 a3=238 items=0 ppid=1080 pid=1087 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= hplip_t ==============
allow hplip_t var_lib_t:file read;

Comment 1 Tim Waugh 2009-08-07 09:27:10 UTC
The fix is to use this in cups.fc:

/var/lib/hp(/.*)?		gen_context(system_u:object_r:hplip_etc_t,s0)

Comment 2 Tim Waugh 2009-08-07 09:27:59 UTC
This affects Fedora 11 as well as rawhide.

Comment 3 Daniel Walsh 2009-08-07 11:45:42 UTC
Ok I am removing hplip_etc_t and type alias to hplip_var_lib_t

/var/lib/hp(/.*)?		gen_context(system_u:object_r:hplip_var_lib_t,s0)

Currently no domain can write there.

Miroslav can you make a similar change to F11.

Tim does any domain need to be able to write to this label?

Comment 4 Daniel Walsh 2009-08-07 11:46:09 UTC
Fixed in selinux-policy-3.6.26-7.fc12.noarch

Comment 5 Tim Waugh 2009-08-07 12:48:00 UTC
Only hplip_t needs to write to hplip_var_lib_t.

(So will /etc/hp/* be labelled hplip_var_lib_t now as well?)

Comment 6 Daniel Walsh 2009-08-10 14:32:41 UTC
Yes,

But isn't /etc/hp/* going away, or do we need two different labeles?

/etc/hp/* read/only by hplip_t
and 
/var/lib/hp/* r/w by hplip_t

Comment 7 Tim Waugh 2009-08-10 14:45:52 UTC
No, /etc/hp/* (read-only) is staying where it is.  /var/lib/hp/* is different, and is read-write.

Two different labels would be best if that's not too fine-grained.

Comment 8 Daniel Walsh 2009-08-10 17:26:09 UTC
Fixed in selinux-policy-3.6.26-9.fc12.src.rpm

Miroslav, just add


type hplip_var_lib_t;
files_type(hplip_var_lib_t)

manage_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)
manage_lnk_files_pattern(hplip_t, hplip_var_lib_t, hplip_var_lib_t)

/var/lib/hp(/.*)?		gen_context(system_u:object_r:hplip_var_lib_t,s0)

Comment 9 Miroslav Grepl 2009-08-11 10:30:38 UTC
Fixed in selinux-policy-3.6.12-75.fc11

Comment 10 Tim Waugh 2009-08-16 17:10:15 UTC
*** Bug 517729 has been marked as a duplicate of this bug. ***

Comment 11 Tom London 2009-08-16 17:20:23 UTC
I'm running rawhide, so I can't test fc11.

"Works for me" with the fc12 package.

Comment 12 Burnie West 2009-09-08 19:55:02 UTC
I'm running FC11 incorporating selinux-policy 3.6.12-81.fc11 - a related SELinux message appears, although the printer does in fact print on demand, even with SELinux policy currently enforcing. Here is the message:

**Summary:

SELinux is preventing python (hplip_t) "write" usr_t.

**Detailed Description

SELinux denied access requested by python. It is not expected that this access is required by python and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

**Allowing Access

You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

**Additional Information

Source Context:  system_u:system_r:hplip_t:s0
Target Context:  unconfined_u:object_r:usr_t:s0
Target Objects:  /usr/share/hplip/prnt [ dir ]
Source:  python
Source Path:  /usr/bin/python
Port:  <Unknown>
Host:  localhost.localdomain
Source RPM Packages:  python-2.6-9.fc11
Target RPM Packages:  
Policy RPM:  selinux-policy-3.6.12-81.fc11
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.30.5-43.fc11.x86_64 #1 SMP Thu Aug 27 21:39:52 EDT 2009 x86_64 x86_64
Alert Count:  108
First Seen:  Tue 01 Sep 2009 07:08:06 AM PDT
Last Seen:  Tue 08 Sep 2009 09:19:31 AM PDT
Local ID:  3b3261c6-7166-4a59-810d-199abffde082
Line Numbers:  
Raw Audit Messages :

node=localhost.localdomain type=AVC msg=audit(1252426771.556:128): avc: denied { write } for pid=3209
comm="python" name="prnt" dev=dm-0 ino=4850285 scontext=system_u:system_r:hplip_t:s0
tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1252426771.556:128): arch=c000003e syscall=2 success=no
exit=-13 a0=7fff12cefe10 a1=2c1 a2=81ed a3=280ad70 items=0 ppid=3191 pid=3209 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python"
subj=system_u:system_r:hplip_t:s0 key=(null)

Comment 13 Burnie West 2009-09-09 16:54:37 UTC
I'm running FC11 incorporating selinux-policy 3.6.12-81.fc11 - a related SELinux message appears, although the printer does in fact print on demand, even with SELinux policy currently enforcing. Here is the message:

**Summary:

SELinux is preventing python (hplip_t) "write" usr_t.

**Detailed Description

SELinux denied access requested by python. It is not expected that this access is required by python and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

**Allowing Access

You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

**Additional Information

Source Context:  system_u:system_r:hplip_t:s0
Target Context:  unconfined_u:object_r:usr_t:s0
Target Objects:  /usr/share/hplip/prnt [ dir ]
Source:  python
Source Path:  /usr/bin/python
Port:  <Unknown>
Host:  localhost.localdomain
Source RPM Packages:  python-2.6-9.fc11
Target RPM Packages:  
Policy RPM:  selinux-policy-3.6.12-81.fc11
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.30.5-43.fc11.x86_64 #1 SMP Thu Aug 27 21:39:52 EDT 2009 x86_64 x86_64
Alert Count:  108
First Seen:  Tue 01 Sep 2009 07:08:06 AM PDT
Last Seen:  Tue 08 Sep 2009 09:19:31 AM PDT
Local ID:  3b3261c6-7166-4a59-810d-199abffde082
Line Numbers:  
Raw Audit Messages :

node=localhost.localdomain type=AVC msg=audit(1252426771.556:128): avc: denied { write } for pid=3209
comm="python" name="prnt" dev=dm-0 ino=4850285 scontext=system_u:system_r:hplip_t:s0
tcontext=unconfined_u:object_r:usr_t:s0 tclass=dir

node=localhost.localdomain type=SYSCALL msg=audit(1252426771.556:128): arch=c000003e syscall=2 success=no
exit=-13 a0=7fff12cefe10 a1=2c1 a2=81ed a3=280ad70 items=0 ppid=3191 pid=3209 auid=4294967295 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="python" exe="/usr/bin/python"
subj=system_u:system_r:hplip_t:s0 key=(null)

Comment 14 Daniel Walsh 2009-09-09 21:55:35 UTC
Could the write be caused by python compilation?

Comment 15 Burnie West 2009-09-13 00:21:46 UTC
I don't know, Daniel. My installation is vanilla Fedora 11.
BTW, I apologize for the double-posting.

Comment 16 Daniel Walsh 2009-09-14 16:05:34 UTC
Are there python scripts in /usr/share/hplip/prnt

If you simply run 

#python /usr/share/hplib/prnt/*py

It should generate all of the compiled python code and stop this AVC if this is the cause.

Comment 17 Burnie West 2009-09-15 01:09:32 UTC
Thanks, Daniel.

I infer from your Comment #16 that .../prnt/*py should have been run (although 'hplip' is what I think you meant).

I also infer from 
  $yum info hplip
that hplip-3.9.8-12.fc11 is "available" (meaning, I believe, not "yum installed")

I also infer from "locate hplip | grep 3.9.8" that the hplip I am using is 3.9.8.

These inferences lead me to conclude (tentatively) that my installation is not as "vanilla" as I thought.

Having now run #python /usr/share/hplip/prnt/*py, the message
  SELinux is preventing python (hplip_t) "write" usr_t.
still appears.

However, having now run "yum install hplip", the AVC no longer appears. It appears that some other details needed attention - although I will not speculate about what they are.

So thanks very much for your help. My problem is resolved.

Comment 18 Daniel Walsh 2009-09-15 12:03:50 UTC
Not sure how, but who am I to argue.  :^)

Comment 19 Burnie West 2009-09-21 00:24:06 UTC
I guess my main point was that had I been more rigorous in relying on the yellowdog updater (modified), I would not have had any difficulty to begin with.

Comment 20 Daniel Walsh 2010-01-29 13:50:44 UTC
*** Bug 559945 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.