hp-sendfax + SELinux enforcing on Fedora
Bug #1385838 reported by Dan Paulat
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
HPLIP | New | Undecided | Gaurav Sood | |
Fedora | Won't Fix | Undecided | | |
Bug Description
Running hp-sendfax with SELinux enforcing on Fedora results in the inability to add files, and will ultimately hang when trying to send the fax. I am aware of the workaround to set SELinux to permissive, and this works. However, this should not be a permanent solution, as there are many cases where SELinux cannot be disabled for one reason or another (i.e., organizational policy on a production system), and a user may not have root access. Attached are tracebacks and audit logs relevant to this issue.
Changed in hplip:
assignee: nobody → Gaurav Sood (gaurav-sood)
Changed in fedora:
importance: Unknown → Undecided
status: Unknown → Won't Fix
Description of problem:
'hp-sendfax -n -f 18884732963 -l debug test' does not work with SELinux Enforcing. In permissive mode it does work, however producing this alert.
SELinux is preventing /usr/bin/python2.7 from 'remove_name' accesses on the directory hp_fax-pipe-5.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that python2.7 should be allowed remove_name access on the hp_fax-pipe-5 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep hpfax /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects hp_fax-pipe-5 [ dir ]
Source hpfax
Source Path /usr/bin/python2.7
Port <Unknown>
Host (removed)
Source RPM Packages python-2.7.5-9.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 3.12.5-302.fc20.x86_64 #1 SMP Tue Dec 17 20:42:32 UTC 2013 x86_64 x86_64
Alert Count 2
First Seen 2013-12-22 18:52:27 EST
Last Seen 2013-12-22 18:54:20 EST
Local ID 77ed627b-789a-45f0-9d67-8ded478d9f98
Raw Audit Messages
type=AVC msg=audit(1387756460.376:3449): avc: denied { remove_name } for pid=21522 comm="hpfax" name="hp_fax-pipe-5" dev="dm-3" ino=263040 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1387756460.376:3449): avc: denied { unlink } for pid=21522 comm="hpfax" name="hp_fax-pipe-5" dev="dm-3" ino=263040 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1387756460.376:3449): arch=x86_64 syscall=unlink success=yes exit=0 a0=1213c40 a1=ffffffff a2=30343bff88 a3=0 items=0 ppid=2475 pid=21522 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 ses=4294967295 tty=(none) comm=hpfax exe=/usr/bin/python2.7 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Hash: hpfax,cupsd_t,user_home_t,dir,remove_name
Additional info:
reporter: libreport-2.1.10
hashmarkername: setroubleshoot
kernel: 3.12.5-302.fc20.x86_64
type: libreport
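
The `grep hpfax ... | audit2allow -M mypol` step suggested in the alert turns AVC denials into allow rules; reducing the records to those rules first shows exactly what a local module would grant before it is loaded. The following is an added example, not part of the original report and not audit2allow's own code; the function names are hypothetical and the sample log is constructed from the AVC records quoted in the report.

```python
import re
from collections import defaultdict

# Hypothetical helpers written for this example; not audit2allow's code.
# Constructed sample: the AVC records from the report with the
# extraction-inserted spaces removed; the SYSCALL record is shortened.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1387756460.376:3449): avc:  denied  { remove_name } for  pid=21522 comm="hpfax" name="hp_fax-pipe-5" dev="dm-3" ino=263040 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1387756460.376:3449): avc:  denied  { unlink } for  pid=21522 comm="hpfax" name="hp_fax-pipe-5" dev="dm-3" ino=263040 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1387756460.376:3449): arch=x86_64 syscall=unlink success=yes exit=0 comm=hpfax exe=/usr/bin/python2.7 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third) of a user:role:type:level context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def denials_to_rules(log_text, comm=None):
    """Group AVC denials into (source_type, target_type, class) -> perms."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        if comm is not None and f'comm="{comm}"' not in line:
            continue  # same filtering role as `grep hpfax` in the alert
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def render_rules(rules):
    """Format grouped denials as type-enforcement allow rules, sorted."""
    out = []
    for src, tgt, cls in sorted(rules):
        perms = sorted(rules[(src, tgt, cls)])
        text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {text};")
    return out

if __name__ == "__main__":
    print("\n".join(render_rules(denials_to_rules(SAMPLE_AUDIT_LOG, comm="hpfax"))))
```

Both resulting rules apply to every object labelled user_home_t, not only the hp_fax-pipe FIFO, which is the scope to weigh before running `semodule -i`.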