861778 – SElinux AVC denial for hp-sendfax

Bug 861778 - SElinux AVC denial for hp-sendfax

Summary: SElinux AVC denial for hp-sendfax

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	16
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-09-30 17:10 UTC by NM
Modified:	2012-11-20 02:58 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-11-20 02:58:37 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description NM 2012-09-30 17:10:39 UTC

Description of problem: When running in SElinux Permissive mode the command below:
hp-sendfax -n -f 18884732963 -l debug test
results in the following Selinux type=AVC denial messages: 

type=AVC msg=audit(1349024336.369:1620): avc:  denied  { write } for  pid=12986 comm="hpfax" name="tmp" dev="dm-6" ino=17434475 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1349024336.369:1620): avc:  denied  { add_name } for  pid=12986 comm="hpfax" name="hpfax-pipe-157" scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1349024336.369:1620): avc:  denied  { create } for  pid=12986 comm="hpfax" name="hpfax-pipe-157" scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1349024336.369:1620): arch=c000003e syscall=133 success=yes exit=0 a0=20c048c a1=11b6 a2=0 a3=393dd400c4 items=0 ppid=1790 pid=12986 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="hpfax" exe="/usr/bin/python2.7" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1349024336.369:1621): avc:  denied  { write } for  pid=12986 comm="hpfax" name="hpfax-pipe-157" dev="dm-6" ino=17434480 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=fifo_file
type=AVC msg=audit(1349024336.369:1621): avc:  denied  { open } for  pid=12986 comm="hpfax" name="hpfax-pipe-157" dev="dm-6" ino=17434480 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1349024336.369:1621): arch=c000003e syscall=2 success=yes exit=6 a0=2364340 a1=1 a2=1ff a3=676f6c2f7261762f items=0 ppid=1790 pid=12986 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="hpfax" exe="/usr/bin/python2.7" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1349024336.490:1622): avc:  denied  { remove_name } for  pid=12986 comm="hpfax" name="hpfax-pipe-157" dev="dm-6" ino=17434480 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=dir
type=AVC msg=audit(1349024336.490:1622): avc:  denied  { unlink } for  pid=12986 comm="hpfax" name="hpfax-pipe-157" dev="dm-6" ino=17434480 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=fifo_file


Version-Release number of selected component (if applicable):
HP Linux Imaging and Printing System (ver. 3.12.9)
PC Sendfax Utility ver. 9.0


How reproducible: always
 


Steps to Reproduce:
1. hp-sendfax -n -f 18884732963 -l debug test
2. observe meaages in 'audit' log file 
3.
  
Actual results: fax works only in SElinux 'PSElinux 'Permissive' mode.


Expected results: fax should work in SElinux 'Enforcing' mode too. 


Additional info: The hplip 3.12.9 version suffers from other 'problems' too. I reported them upstream in 
https://bugs.launchpad.net/hplip/+bug/1055510

Thanks

Comment 1 Jiri Popelka 2012-10-01 12:25:20 UTC

I think the following line from hplip-3.12.9 release notes [1] could be related:

- Changes done for PrivateTmp feature. Logs get stored in /var/log/hp/tmp

Any idea what to look for Mirek, Dan ?

[1] http://hplipopensource.com/hplip-web/release_notes.html

Comment 2 Miroslav Grepl 2012-10-02 09:29:13 UTC

Added.

http://git.fedorahosted.org/cgit/selinux-policy.git/commit/?h=f16&id=03f9a2c1d2ac616e2d1c77a59171e3c50c9692cf

Comment 3 NM 2012-10-24 16:54:27 UTC

when this fix will hit the repos? I want to test it. Thanks.

Comment 4 Miroslav Grepl 2012-10-24 16:59:50 UTC

You can from koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=359820

Comment 5 NM 2012-10-25 11:46:07 UTC

Thanks a lot.

Comment 6 Fedora Update System 2012-11-13 18:30:56 UTC

selinux-policy-3.10.0-96.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-96.fc16

Comment 7 Fedora Update System 2012-11-15 02:43:16 UTC

Package selinux-policy-3.10.0-96.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-96.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18243/selinux-policy-3.10.0-96.fc16
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-11-20 02:58:39 UTC

selinux-policy-3.10.0-96.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.