Description of problem: When running in SElinux Permissive mode the command below: hp-sendfax -n -f 18884732963 -l debug test results in the following Selinux type=AVC denial messages: type=AVC msg=audit(1349024336.369:1620): avc: denied { write } for pid=12986 comm="hpfax" name="tmp" dev="dm-6" ino=17434475 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir type=AVC msg=audit(1349024336.369:1620): avc: denied { add_name } for pid=12986 comm="hpfax" name="hpfax-pipe-157" scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir type=AVC msg=audit(1349024336.369:1620): avc: denied { create } for pid=12986 comm="hpfax" name="hpfax-pipe-157" scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=fifo_file type=SYSCALL msg=audit(1349024336.369:1620): arch=c000003e syscall=133 success=yes exit=0 a0=20c048c a1=11b6 a2=0 a3=393dd400c4 items=0 ppid=1790 pid=12986 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="hpfax" exe="/usr/bin/python2.7" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1349024336.369:1621): avc: denied { write } for pid=12986 comm="hpfax" name="hpfax-pipe-157" dev="dm-6" ino=17434480 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=fifo_file type=AVC msg=audit(1349024336.369:1621): avc: denied { open } for pid=12986 comm="hpfax" name="hpfax-pipe-157" dev="dm-6" ino=17434480 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=fifo_file type=SYSCALL msg=audit(1349024336.369:1621): arch=c000003e syscall=2 success=yes exit=6 a0=2364340 a1=1 a2=1ff a3=676f6c2f7261762f items=0 ppid=1790 pid=12986 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="hpfax" exe="/usr/bin/python2.7" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1349024336.490:1622): avc: denied { remove_name } for pid=12986 comm="hpfax" name="hpfax-pipe-157" dev="dm-6" ino=17434480 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir type=AVC msg=audit(1349024336.490:1622): avc: denied { unlink } for pid=12986 comm="hpfax" name="hpfax-pipe-157" dev="dm-6" ino=17434480 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=fifo_file Version-Release number of selected component (if applicable): HP Linux Imaging and Printing System (ver. 3.12.9) PC Sendfax Utility ver. 9.0 How reproducible: always Steps to Reproduce: 1. hp-sendfax -n -f 18884732963 -l debug test 2. observe meaages in 'audit' log file 3. Actual results: fax works only in SElinux 'PSElinux 'Permissive' mode. Expected results: fax should work in SElinux 'Enforcing' mode too. Additional info: The hplip 3.12.9 version suffers from other 'problems' too. I reported them upstream in https://bugs.launchpad.net/hplip/+bug/1055510 Thanks
I think the following line from hplip-3.12.9 release notes [1] could be related: - Changes done for PrivateTmp feature. Logs get stored in /var/log/hp/tmp Any idea what to look for Mirek, Dan ? [1] http://hplipopensource.com/hplip-web/release_notes.html
Added. http://git.fedorahosted.org/cgit/selinux-policy.git/commit/?h=f16&id=03f9a2c1d2ac616e2d1c77a59171e3c50c9692cf
when this fix will hit the repos? I want to test it. Thanks.
You can from koji for now http://koji.fedoraproject.org/koji/buildinfo?buildID=359820
Thanks a lot.
selinux-policy-3.10.0-96.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-96.fc16
Package selinux-policy-3.10.0-96.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-96.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-18243/selinux-policy-3.10.0-96.fc16 then log in and leave karma (feedback).
selinux-policy-3.10.0-96.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.