On Wed, Jun 24, 2009 at 2:04 PM, Daniel J Walsh <[email protected]> wrote:
> On 06/23/2009 08:09 PM, Richard Shaw wrote:
>> On Mon, Jun 22, 2009 at 3:48 PM, Daniel J Walsh <[email protected]> wrote:
>>> On 06/20/2009 01:50 PM, Steven Stern wrote:
>>>> On 06/20/2009 06:12 AM, Daniel J Walsh wrote:
>>>>> On 06/19/2009 07:10 PM, Steven Stern wrote:
>>>>>> After installing hplip-gui, I got selinux errors when checking on the
>>>>>> printer status.
>>>>>>
>>>>>> audit2allow generated the following policy
>>>>>>
>>>>>> module cups20090619 1.0;
>>>>>>
>>>>>> require {
>>>>>>         type hwdata_t;
>>>>>>         type xdm_t;
>>>>>>         class dir search;
>>>>>>         class file { read getattr open };
>>>>>> }
>>>>>>
>>>>>> #============= xdm_t ==============
>>>>>> allow xdm_t hwdata_t:dir search;
>>>>>> allow xdm_t hwdata_t:file { read getattr open };
>>>>>
>>>>> xdm is checking the printer status? This allow rule indicates the X
>>>>> Login program is checking the printer status. Could you attach the
>>>>> AVC's you used to generate this policy.
>>>>
>>>> And here's another one related to hplip
>>>>
>>>> type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for
>>>> pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
>>>> scontext=system_u:system_r:hplip_t:s0
>>>> tcontext=system_u:object_r:security_t:s0 tclass=file
>>>>
>>>> type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for
>>>> pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
>>>> scontext=system_u:system_r:hplip_t:s0
>>>> tcontext=system_u:object_r:security_t:s0 tclass=file
>>>
>>> Could you report this as a bug to cups. Cups has some MLS awareness in
>>> it and maybe it is reading this file directly rather than through
>>> libselinux. CC me on the bug report [email protected]
>>
>> Just a "me too" here. I've got two separate issues, one has to do with
>> this thread. Just after installing F11 everything seemed fine. I poked the
>> necessary holes in my firewall and shared my printer queues and my wife
>> could print from her F10 laptop. Now it seems just about every job gets
>> "stuck" and I see the AVC denials about python. Here's the details for
>> mine (just in case anything is different):
>>
>> ---
>> Summary:
>>
>> SELinux is preventing python (hplip_t) "read" security_t.
>>
>> Detailed Description:
>>
>> [SELinux is in permissive mode, the operation would have been denied but
>> was permitted due to permissive mode.]
>>
>> SELinux denied access requested by python. It is not expected that this
>> access is required by python and this access may signal an intrusion
>> attempt. It is also possible that the specific version or configuration
>> of the application is causing it to require additional access.
>>
>> Allowing Access:
>>
>> You can generate a local policy module to allow this access - see FAQ
>> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>> disable SELinux protection altogether. Disabling SELinux protection is
>> not recommended. Please file a bug report
>> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>>
>> Additional Information:
>>
>> Source Context                system_u:system_r:hplip_t:s0
>> Target Context                system_u:object_r:security_t:s0
>> Target Objects                mls [ file ]
>> Source                        python
>> Source Path                   /usr/bin/python
>> Port                          <Unknown>
>> Host                          hobbes.localdomain
>> Source RPM Packages           python-2.6-9.fc11
>> Target RPM Packages
>> Policy RPM                    selinux-policy-3.6.12-50.fc11
>> Selinux Enabled               True
>> Policy Type                   targeted
>> MLS Enabled                   True
>> Enforcing Mode                Permissive
>> Plugin Name                   catchall
>> Host Name                     hobbes.localdomain
>> Platform                      Linux hobbes.localdomain
>>                               2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27
>>                               17:27:08 EDT 2009 x86_64 x86_64
>> Alert Count                   16
>> First Seen                    Sun 21 Jun 2009 02:29:26 PM CDT
>> Last Seen                     Tue 23 Jun 2009 06:58:21 PM CDT
>> Local ID                      0a0b19ce-a912-4305-9e4a-1e1369ea4f3f
>> Line Numbers
>>
>> Raw Audit Messages
>>
>> node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc:
>> denied { read } for pid=11771 comm="python" name="mls" dev=selinuxfs
>> ino=12 scontext=system_u:system_r:hplip_t:s0
>> tcontext=system_u:object_r:security_t:s0 tclass=file
>>
>> node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc:
>> denied { open } for pid=11771 comm="python" name="mls" dev=selinuxfs
>> ino=12 scontext=system_u:system_r:hplip_t:s0
>> tcontext=system_u:object_r:security_t:s0 tclass=file
>>
>> node=hobbes.localdomain type=SYSCALL msg=audit(1245801501.788:374):
>> arch=c000003e syscall=2 success=yes exit=6 a0=7fffb58ba060 a1=0
>> a2=7fffb58ba06c a3=fffffff8 items=0 ppid=11764 pid=11771 auid=4294967295
>> uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>> ses=4294967295 comm="python" exe="/usr/bin/python"
>> subj=system_u:system_r:hplip_t:s0 key=(null)
>> ---
>>
>> Thanks,
>> Richard
>
> Those should not be blocking anything.

I followed the advice on another thread and updated to the updates-testing version of system-config-printer and system-config-printer-libs and I haven't had any more issues, but I haven't had time to do extensive testing yet.

Richard
--
fedora-list mailing list
[email protected]
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
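
Added example, not part of the thread and not code from audit2allow or setroubleshoot: a Python triage script that parses the AVC records quoted above, merges the denied permissions per source type, target type and class, and marks events whose SYSCALL record reports success=yes, meaning the denial was logged but not enforced. The function names are illustrative and the SYSCALL record is abridged to the fields the script reads.

```python
import re
from collections import defaultdict

# AVC records quoted in the thread; the SYSCALL record is abridged to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for pid=25561 comm="python" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for pid=25561 comm="python" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc: denied { read } for pid=11771 comm="python" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc: denied { open } for pid=11771 comm="python" name="mls" dev=selinuxfs ino=12 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
node=hobbes.localdomain type=SYSCALL msg=audit(1245801501.788:374): arch=c000003e syscall=2 success=yes exit=6 pid=11771 comm="python" exe="/usr/bin/python" subj=system_u:system_r:hplip_t:s0
"""

EVENT = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(text):
    """Yield (record_type, event_id, fields) for each audit record in text."""
    for line in text.splitlines():
        head = EVENT.search(line)
        if not head:
            continue
        rtype, event = head.groups()
        body = line[head.end():]
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        denied = DENIED.search(body)
        if rtype == "AVC" and denied:
            fields["perms"] = denied.group(1).split()
        yield rtype, event, fields

def summarize(text):
    """Group denials by (source type, target type, class) and merge permissions."""
    records = list(parse(text))
    succeeded = {e for t, e, f in records if t == "SYSCALL" and f.get("success") == "yes"}
    groups = defaultdict(lambda: {"perms": set(), "events": set(), "unenforced": set()})
    for rtype, event, f in records:
        if rtype != "AVC" or "perms" not in f:
            continue
        # A context is user:role:type:level; the type is the third field.
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"])
        g = groups[key]
        g["perms"].update(f["perms"])
        g["events"].add(event)
        if event in succeeded:  # syscall went through, so the denial was only logged
            g["unenforced"].add(event)
    return dict(groups)

def candidate_rules(groups):
    # Same rule form as the audit2allow output quoted in the thread, for review.
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]
```

Run over the sample, the four AVC records collapse to a single hplip_t/security_t/file group spanning two audit events, and only the event that carries a SYSCALL record with success=yes is marked unenforced, which matches the "Enforcing Mode Permissive" line in the setroubleshoot report.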
