Bug 680612 - SELinux is preventing /lib/udev/udev-configure-printer from 'read' accesses on the chr_file 013.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:b3b6433f663...
Duplicates: 680646
Depends On:
Blocks:
 
Reported: 2011-02-26 12:04 UTC by Dave Galloway
Modified: 2011-12-25 20:15 UTC (History)

Fixed In Version: selinux-policy-3.9.16-26.fc15
Clone Of:
Environment:
Last Closed: 2011-06-03 05:29:44 UTC
Type: ---
Embargoed:



Description Dave Galloway 2011-02-26 12:04:18 UTC
SELinux is preventing /lib/udev/udev-configure-printer from 'read' accesses on the chr_file 013.

*****  Plugin device (91.4 confidence) suggests  *****************************

If you want to allow udev-configure-printer to have read access on the 013 chr_file
Then you need to change the label on 013 to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '013'
# restorecon -v '013'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that udev-configure-printer should be allowed read access on the 013 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep udev-configure- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:cupsd_config_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                013 [ chr_file ]
Source                        udev-configure-
Source Path                   /lib/udev/udev-configure-printer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           system-config-printer-udev-1.2.6-3.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-29.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.11-83.fc14.x86_64 #1 SMP Mon Feb 7 07:06:44
                              UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 16 Feb 2011 04:08:31 AM EST
Last Seen                     Wed 16 Feb 2011 04:08:31 AM EST
Local ID                      647bbe5b-c1c3-4243-b899-36f46e394525

Raw Audit Messages
type=AVC msg=audit(1297847311.692:15): avc:  denied  { read } for  pid=1771 comm="udev-configure-" name="013" dev=devtmpfs ino=15013 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1297847311.692:15): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff1d9395c0 a1=0 a2=d a3=ff items=0 ppid=1 pid=1771 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=udev-configure- exe=/lib/udev/udev-configure-printer subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)

Hash: udev-configure-,cupsd_config_t,device_t,chr_file,read

audit2allow

#============= cupsd_config_t ==============
allow cupsd_config_t device_t:chr_file read;

audit2allow -R

#============= cupsd_config_t ==============
allow cupsd_config_t device_t:chr_file read;

Comment 1 Miroslav Grepl 2011-02-27 22:23:41 UTC
*** Bug 680646 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2011-02-27 22:31:01 UTC
Is a device still mislabeled?

# ls -Z /dev/013

Should have the following label

# matchpathcon /dev/013
/dev/013	system_u:object_r:usb_device_t:s0

Dave, 
are you using software from a third party printer?

Comment 3 Hans Ecke 2011-05-16 09:06:56 UTC
The same thing happens to me when I plug in a USB printer. No 3rd-party printer software.

There is no file /dev/013

Comment 4 Miroslav Grepl 2011-05-16 20:03:43 UTC
Hans,
what AVC are you getting?

Comment 5 Daniel Walsh 2011-05-17 08:02:23 UTC
This is a race condition between the kernel creating the device, cups reading it and udev fixing the label.


Dave and/or Hans, did the printer work fine? I.e., was the only thing you knew about the AVC popping up?

Comment 6 Hans Ecke 2011-05-17 14:19:19 UTC
Miroslav: I'll attempt to reproduce tomorrow evening after a fresh reboot. Just unplugging and plugging the printer did not reproduce it.

Daniel: Yes, it worked just fine.

Comment 7 Daniel Walsh 2011-05-18 06:09:08 UTC
Miroslav, let's add the dontaudit.

dontaudit domain device_t:chr_file { read open };

Comment 8 Miroslav Grepl 2011-05-18 11:14:12 UTC
I am testing it on my F15, where I have a similar problem, and it looks good.

Comment 9 Hans Ecke 2011-05-18 15:33:47 UTC
You seem to have this covered (Thank you!), I'll hold off on trying to get more AVC info unless there is a direct request. I'd rather not reboot my home server.....

Comment 10 Hans Ecke 2011-05-18 16:01:14 UTC
Actually, I just replugged the printer and got the below. Don't know if it's the same bug, but the chr_file stuff looks similar. Please tell me if I should file this as a different bug.


SELinux is preventing /usr/bin/python from 'read, write' accesses on the chr_file 012.

*****  Plugin device (91.4 confidence) suggests  *****************************

If you want to allow python to have read write access on the 012 chr_file
Then you need to change the label on 012 to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '012'
# restorecon -v '012'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that python should be allowed read write access on the 012 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep hpfax /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:hplip_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                012 [ chr_file ]
Source                        hpfax
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-8.fc14.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.12-90.fc14.i686
                              #1 SMP Fri Apr 22 16:14:44 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Wed 18 May 2011 09:55:49 AM MDT
Last Seen                     Wed 18 May 2011 09:55:49 AM MDT
Local ID                      7c38cd6e-9f59-4a61-a753-061dc268da16

Raw Audit Messages
type=AVC msg=audit(1305734149.294:3900): avc:  denied  { read write } for  pid=24979 comm="hpfax" name="012" dev=devtmpfs ino=4494346 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1305734149.294:3900): arch=i386 syscall=open success=no exit=EACCES a0=bfc01590 a1=2 a2=1 a3=992ce10 items=0 ppid=24978 pid=24979 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=hpfax exe=/usr/bin/python subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)

Hash: hpfax,hplip_t,device_t,chr_file,read,write

audit2allow

#============= hplip_t ==============
allow hplip_t device_t:chr_file { read write };

audit2allow -R

#============= hplip_t ==============
allow hplip_t device_t:chr_file { read write };

Comment 11 Hans Ecke 2011-05-19 16:53:49 UTC
Here's another one. I just replugged the printer and got the below. Don't know if it's the same bug, but the chr_file stuff looks similar. Please tell me if I should file this as a different bug.


SELinux is preventing /usr/bin/python from open access on the chr_file 027.

*****  Plugin device (91.4 confidence) suggests  *****************************

If you want to allow python to have open access on the 027 chr_file
Then you need to change the label on 027 to a type of a similar device.
Do
# semanage fcontext -a -t SIMILAR_TYPE '027'
# restorecon -v '027'

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that python should be allowed open access on the 027 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep hpfax /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:hplip_t:s0-s0:c0.c1023
Target Context                system_u:object_r:device_t:s0
Target Objects                027 [ chr_file ]
Source                        hpfax
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-8.fc14.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-40.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.12-90.fc14.i686
                              #1 SMP Fri Apr 22 16:14:44 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Thu 19 May 2011 10:38:09 AM MDT
Last Seen                     Thu 19 May 2011 10:38:09 AM MDT
Local ID                      07b7dbcd-0f4f-467d-bcd3-db38a12616b2

Raw Audit Messages
type=AVC msg=audit(1305823089.525:4132): avc:  denied  { open } for  pid=4203 comm="hpfax" name="027" dev=devtmpfs ino=4695524 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1305823089.525:4132): arch=i386 syscall=open success=no exit=EACCES a0=bfd79550 a1=0 a2=1 a3=91f8e80 items=0 ppid=4202 pid=4203 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=hpfax exe=/usr/bin/python subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)

Hash: hpfax,hplip_t,device_t,chr_file,open

audit2allow

#============= hplip_t ==============
#!!!! This avc is allowed in the current policy

allow hplip_t device_t:chr_file open;

audit2allow -R

#============= hplip_t ==============
#!!!! This avc is allowed in the current policy

allow hplip_t device_t:chr_file open;

Comment 12 Daniel Walsh 2011-05-23 19:54:14 UTC
Miroslav, let's add


dontaudit hplip_t device_t:chr_file { read open };
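
Added example, not part of the original comments or of selinux-policy: a Python check that replays the three AVC records from this report against the two dontaudit rules quoted in Comment 7 and Comment 12. A dontaudit rule silences only the permissions it names (the kernel logs `denied & auditdeny`), so the sketch reports which permissions would still be audited; treating `domain` as matching every source type is an assumption of the example.

```python
import re

# AVC records copied from this report (Description, Comment 10, Comment 11).
AVC_LINES = [
    'type=AVC msg=audit(1297847311.692:15): avc:  denied  { read } for  pid=1771 comm="udev-configure-" name="013" dev=devtmpfs ino=15013 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1305734149.294:3900): avc:  denied  { read write } for  pid=24979 comm="hpfax" name="012" dev=devtmpfs ino=4494346 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1305823089.525:4132): avc:  denied  { open } for  pid=4203 comm="hpfax" name="027" dev=devtmpfs ino=4695524 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
]
# dontaudit rules as written in the thread: (source, target, class, perms).
DONTAUDIT = [
    ("domain", "device_t", "chr_file", {"read", "open"}),   # Comment 7
    ("hplip_t", "device_t", "chr_file", {"read", "open"}),  # Comment 12
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Extract comm, denied permissions, source/target type and class."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "comm": m["comm"],
        "perms": set(m["perms"].split()),
        "stype": m["scon"].split(":")[2],   # user:role:TYPE:level
        "ttype": m["tcon"].split(":")[2],
        "tclass": m["tclass"],
    }

def still_audited(avc, rules=DONTAUDIT):
    """Denied permissions that no matching dontaudit rule hides."""
    hidden = set()
    for src, tgt, tclass, perms in rules:
        # Assumption: "domain" is the attribute carried by every process type.
        if src in ("domain", avc["stype"]) and tgt == avc["ttype"] and tclass == avc["tclass"]:
            hidden |= perms
    return avc["perms"] - hidden

def report(lines=AVC_LINES):
    """Return (comm, denied perms, perms still logged) for each AVC line."""
    parsed = [a for a in map(parse_avc, lines) if a]
    return [(a["comm"], sorted(a["perms"]), sorted(still_audited(a))) for a in parsed]

if __name__ == "__main__":
    for comm, denied, left in report():
        print(f"{comm}: denied={denied} still_audited={left or 'none'}")
```

Denials hidden by dontaudit rules can be made visible again while debugging by rebuilding the policy with `semodule -DB`, and hidden again with `semodule -B`.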

Comment 13 Hans Ecke 2011-05-24 00:48:02 UTC
You guys rock. I appreciate the fast response and fix.

Comment 14 Miroslav Grepl 2011-05-24 06:09:54 UTC
Fixed in selinux-policy-3.9.16-25.fc15.

Comment 15 Fedora Update System 2011-05-27 16:55:43 UTC
selinux-policy-3.9.16-26.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-26.fc15

Comment 16 Fedora Update System 2011-05-28 23:57:48 UTC
Package selinux-policy-3.9.16-26.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-26.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-26.fc15
then log in and leave karma (feedback).

Comment 17 Fedora Update System 2011-06-03 05:29:00 UTC
selinux-policy-3.9.16-26.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

