On 06/23/2009 08:09 PM, Richard Shaw wrote:
On Mon, Jun 22, 2009 at 3:48 PM, Daniel J Walsh<dwalsh@xxxxxxxxxx> wrote:
On 06/20/2009 01:50 PM, Steven Stern wrote:
On 06/20/2009 06:12 AM, Daniel J Walsh wrote:
On 06/19/2009 07:10 PM, Steven Stern wrote:
After installing hplip-gui, I got selinux errors when checking on the
printer status.
audit2allow generated the following policy
module cups20090619 1.0;
require {
type hwdata_t;
type xdm_t;
class dir search;
class file { read getattr open };
}
#============= xdm_t ==============
allow xdm_t hwdata_t:dir search;
allow xdm_t hwdata_t:file { read getattr open };
xdm is checking the printer status? This allow rule indicates the X
Login program is checking the printer status. Could you attach the AVC's
you used to generate this policy.
And here's another one related to hplip
type=AVC msg=audit(1245520061.974:38037): avc: denied { read } for
pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1245520061.974:38037): avc: denied { read open } for
pid=25561 comm="python" name="mls" dev=selinuxfs ino=12
scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
Could you report this as a bug to cups. Cups has some MLS aware ness in
it and maybe it is reading this file directly rather then through
libselinux. CC me on the bug report dwalsh@xxxxxxxxxx
Just a "me too" here. I've got two separate issues, one has to do with this
thread. Just after installing F11 everything seemed fine. I poked the
necessary holes in my firewall and shared my printer queues and my wife
could print from her F10 laptop. Now it seems just about every job gets
"stuck" and I see the AVC denials about python. Here's the details for mine
(just in case anything is different:
---
Summary:
SELinux is preventing python (hplip_t) "read" security_t.
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux denied access requested by python. It is not expected that this
access
is required by python and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application
is
causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Context system_u:system_r:hplip_t:s0
Target Context system_u:object_r:security_t:s0
Target Objects mls [ file ]
Source python
Source Path /usr/bin/python
Port<Unknown>
Host hobbes.localdomain
Source RPM Packages python-2.6-9.fc11
Target RPM Packages
Policy RPM selinux-policy-3.6.12-50.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name catchall
Host Name hobbes.localdomain
Platform Linux hobbes.localdomain
2.6.29.4-167.fc11.x86_64
#1 SMP Wed May 27 17:27:08 EDT 2009 x86_64
x86_64
Alert Count 16
First Seen Sun 21 Jun 2009 02:29:26 PM CDT
Last Seen Tue 23 Jun 2009 06:58:21 PM CDT
Local ID 0a0b19ce-a912-4305-9e4a-1e1369ea4f3f
Line Numbers
Raw Audit Messages
node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc:
denied { read } for pid=11771 comm="python" name="mls" dev=selinuxfs
ino=12 scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
node=hobbes.localdomain type=AVC msg=audit(1245801501.788:374): avc:
denied { open } for pid=11771 comm="python" name="mls" dev=selinuxfs
ino=12 scontext=system_u:system_r:hplip_t:s0
tcontext=system_u:object_r:security_t:s0 tclass=file
node=hobbes.localdomain type=SYSCALL msg=audit(1245801501.788:374):
arch=c000003e syscall=2 success=yes exit=6 a0=7fffb58ba060 a1=0
a2=7fffb58ba06c a3=fffffff8 items=0 ppid=11764 pid=11771 auid=4294967295
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="python" exe="/usr/bin/python"
subj=system_u:system_r:hplip_t:s0 key=(null)
---
Thanks,
Richard
Those should not be blocking anything.
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines