Tom London wrote:
Running Rawhide, targeted/enforcing:
I get the following when attempting to 'add/modify' cups classes using
the browser interface (http://localhost:631). I'm guessing it's trying
to access /etc/hp:
[tbl@localhost hp]$ ls -lZ /etc/hp
-rw-r--r-- root root system_u:object_r:hplip_etc_t hplip.conf
[tbl@localhost hp]$
type=AVC msg=audit(1159399431.862:77): avc: denied { search } for
pid=4914 comm="hp" name="hp" dev=dm-0 ino=11108479
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1159399431.862:77): arch=40000003 syscall=5
success=no exit=-13 a0=804c305 a1=0 a2=1b6 a3=9518008 items=0
ppid=4913 pid=4914 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
egid=7 sgid=7 fsgid=7 tty=(none) comm="hp"
exe="/usr/lib/cups/backend/hp"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
Putting it in permissive mode (denials are logged but not enforced, which
is why the SYSCALL records below show success=yes) and browsing to the
'Administration' page produces:
type=AVC msg=audit(1159400309.010:111): avc: denied { search } for
pid=5019 comm="hp" name="hp" dev=dm-0 ino=11108479
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=AVC msg=audit(1159400309.010:111): avc: denied { read } for
pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400309.010:111): arch=40000003 syscall=5
success=yes exit=4 a0=804c305 a1=0 a2=1b6 a3=806a008 items=0 ppid=5018
pid=5019 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7
sgid=7 fsgid=7 tty=(none) comm="hp" exe="/usr/lib/cups/backend/hp"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1159400309.014:112): avc: denied { getattr } for
pid=5019 comm="hp" name="hplip.conf" dev=dm-0 ino=11108480
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400309.014:112): arch=40000003 syscall=197
success=yes exit=0 a0=4 a1=bf866cd8 a2=49872ff4 a3=806a008 items=0
ppid=5018 pid=5019 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
egid=7 sgid=7 fsgid=7 tty=(none) comm="hp"
exe="/usr/lib/cups/backend/hp"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC_PATH msg=audit(1159400309.014:112): path="/etc/hp/hplip.conf"
type=AVC msg=audit(1159400310.474:113): avc: denied { search } for
pid=5039 comm="python" name="hp" dev=dm-0 ino=11108479
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=dir
type=AVC msg=audit(1159400310.474:113): avc: denied { getattr } for
pid=5039 comm="python" name="hplip.conf" dev=dm-0 ino=11108480
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400310.474:113): arch=40000003 syscall=195
success=yes exit=0 a0=99b4a98 a1=bfb26f88 a2=49872ff4 a3=99601b0
items=0 ppid=5018 pid=5039 auid=4294967295 uid=0 gid=7 euid=0 suid=0
fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) comm="python"
exe="/usr/bin/python" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023
key=(null)
type=AVC_PATH msg=audit(1159400310.474:113): path="/etc/hp/hplip.conf"
type=AVC msg=audit(1159400310.474:114): avc: denied { read } for
pid=5039 comm="python" name="hplip.conf" dev=dm-0 ino=11108480
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:hplip_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1159400310.474:114): arch=40000003 syscall=5
success=yes exit=4 a0=99b4a98 a1=8000 a2=1b6 a3=99d2070 items=0
ppid=5018 pid=5039 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0
egid=7 sgid=7 fsgid=7 tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
tom
Added in selinux-policy-2.3.16-5