hp-sendfax + SELinux enforcing on Fedora

Bug #1385838 reported by Dan Paulat
This bug affects 1 person
Affects    Status       Importance    Assigned to    Milestone
HPLIP      New          Undecided     Gaurav Sood
Fedora     Won't Fix    Undecided

Bug Description

Running hp-sendfax with SELinux enforcing on Fedora results in the inability to add files, and will ultimately hang when trying to send the fax. I am aware of the workaround to set SELinux to permissive, and this works. However, this should not be a permanent solution, as there are many cases where SELinux cannot be disabled for one reason or another (i.e., organizational policy on a production system), and a user may not have root access. Attached are tracebacks and audit logs relevant to this issue.

In , NM (nm-redhat-bugs) wrote :

Description of problem:
'hp-sendfax -n -f 18884732963 -l debug test' does not work with SELinux Enforcing. In permissive mode it does work, however, producing this alert.
SELinux is preventing /usr/bin/python2.7 from 'remove_name' accesses on the directory hp_fax-pipe-5.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed remove_name access on the hp_fax-pipe-5 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep hpfax /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:user_home_t:s0
Target Objects hp_fax-pipe-5 [ dir ]
Source hpfax
Source Path /usr/bin/python2.7
Port <Unknown>
Host (removed)
Source RPM Packages python-2.7.5-9.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 3.12.5-302.fc20.x86_64 #1 SMP Tue
                              Dec 17 20:42:32 UTC 2013 x86_64 x86_64
Alert Count 2
First Seen 2013-12-22 18:52:27 EST
Last Seen 2013-12-22 18:54:20 EST
Local ID 77ed627b-789a-45f0-9d67-8ded478d9f98

Raw Audit Messages
type=AVC msg=audit(1387756460.376:3449): avc: denied { remove_name } for pid=21522 comm="hpfax" name="hp_fax-pipe-5" dev="dm-3" ino=263040 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir

type=AVC msg=audit(1387756460.376:3449): avc: denied { unlink } for pid=21522 comm="hpfax" name="hp_fax-pipe-5" dev="dm-3" ino=263040 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_t:s0 tclass=fifo_file

type=SYSCALL msg=audit(1387756460.376:3449): arch=x86_64 syscall=unlink success=yes exit=0 a0=1213c40 a1=ffffffff a2=30343bff88 a3=0 items=0 ppid=2475 pid=21522 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 ses=4294967295 tty=(none) comm=hpfax exe=/usr/bin/python2.7 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Hash: hpfax,cupsd_t,user_home_t,dir,remove_name

Additional info:
reporter: libreport-2.1.10
hashmarkername: setroubleshoot
kernel: 3.12.5-302.fc20.x86_64
type: libreport

In , NM (nm-redhat-bugs) wrote :

Am I the only one observing this behavior ?

Please post your observations even if successful to help track the problem.

Thanks a lot!

In , Miroslav (miroslav-redhat-bugs) wrote :

Where is hp_fax-pipe-5 located in your homedir?

In , NM (nm-redhat-bugs) wrote :

I can not find hp_fax-pipe-5 anymore. I would guess it was in /tmp/ directory.

I reran 'hp-sendfax -n -f 18884732963 -l debug test' with SELinux enforcing and observed (among many other messages) the following:

hp-sendfax[28414]: debug: Waiting for fax...
hp-sendfax[28414]: debug: [dbus.String(u'hpfax:/net/Officejet_4620_series?hostname=HP4620.home'), dbus.String(u''), dbus.Int32(0), dbus.String(u'akavalov'), dbus.Int32(9), dbus.String(u''), dbus.Double(0.0), dbus.String(u'')]

ERROR:dbus.connection:Exception in handler for D-Bus signal:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/dbus/connection.py", line 230, in maybe_handle_message
    self._handler(*args, **kwargs)
  File "/usr/share/hplip/hpssd.py", line 551, in handle_system_signal
    return handle_signal('system', *args, **kwds)
  File "/usr/share/hplip/hpssd.py", line 547, in handle_signal
    return handle_event(event, args[6:])
  File "/usr/share/hplip/hpssd.py", line 464, in handle_event
    handle_fax_event(event, pipe_name)
  File "/usr/share/hplip/hpssd.py", line 252, in handle_fax_event
    pipe = os.open(pipe_name, os.O_RDONLY)
OSError: [Errno 2] No such file or directory: '/tmp/hp_fax-pipe-9'
hp-sendfax[28414]: debug: Waiting for fax...
hp-sendfax[28414]: debug: [dbus.String(u'hpfax:/net/Officejet_4620_series?hostname=HP4620.home'), dbus.String(u''), dbus.Int32(0), dbus.String(u'akavalov'), dbus.Int32(9), dbus.String(u''), dbus.Double(0.0), dbus.String(u'')]

With SELinux in permissive mode the fax works, but with the AVC denial alert as described above.

Thanks for your help. Let me know if you need more information.

In , Tim (tim-redhat-bugs) wrote :

What does 'rpm -q hplip' say?

In , NM (nm-redhat-bugs) wrote :

It returns

hplip-3.13.11-4.fc20.x86_64

Dan Paulat (dpaulat) wrote :

Version information:

Linux 3.16.6-200.fc20.x86_64 #1 SMP Wed Oct 15 13:06:51 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

$ hp-sendfax

HP Linux Imaging and Printing System (ver. 3.14.10)
PC Sendfax Utility ver. 9.0

yehielb (yehielb) wrote :

I also experience the same problem.

Gaurav Sood (gaurav-sood) wrote :

Hi, we are looking into this issue and will update you regarding this.

Tim Waugh (twaugh) wrote :

Any news on this?

Changed in hplip:
assignee: nobody → Gaurav Sood (gaurav-sood)
Changed in fedora:
importance: Unknown → Undecided
status: Unknown → Won't Fix