View Issue Details

ID: 0017859
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2020-11-26 07:36
Reporter: pnewell
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: no change required
Product Version: 7.9.2009
Target Version:
Fixed in Version:
Summary: 0017859: selinux is barking about cups-pk-helper
Description:
Dear Centos:

Once I updated to 7.9, I am seeing this SELinux warning showing up either all the time I print or most of the times I print. Since SELinux says I should report this as a bug, I am doing so.

I attach a screenshot of what I see

In case that screenshot doesn't get to you, the two items of interest (I think) are:

Under "If you were trying to...":
    If you believe that cups-pk-helper- should be allowed read access on the cups.sock sock_file by default

Under "Then this is the solution.":
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'cups-pk-helper-' --raw | audit2allow -M my-cupspkhelper
# semodule -i my-cupspkhelper.pp

My question then becomes "is this really a bug" and, if so, should I wait for a patch to download since the SELinux alert does not seem to have any bearing on my ability to print.

I have an HP ENVY Photo 7855 which means I have to download hplip 3.18.5 to override 3.15.9 as Centos 7.* doesn't know about this HP printer/scanner.

Do you need more info?

Thanks,
Paul
Steps To Reproduce: Print something ...
Additional Information: None
Tags: No tags attached.
abrt_hash: no abrt as it is a selinux alert
URL:

Activities

pnewell (reporter) 2020-11-16 06:27

ManuelWolfshant (manager) 2020-11-16 10:19 ~0037907

Did you change anything in the default configuration, such as the location of the socket ?
Did you try to relabel the filesystem ?

pnewell (reporter) 2020-11-16 19:38 ~0037908

Manuel:

Thanks for prompt reply

The only thing I did was update from 7.8.2003 to 7.9.2009. I do change selinux to permissive when running clamscan and then set it back to enforcing, but I've been doing that for many years so that is something I trust works.

I looked online about relabeling and got a bit confused (as in read https://danwalsh.livejournal.com/38157.html and not certain what I should do). What command would you like me to run?

Paul

TrevorH (manager) 2020-11-16 19:46 ~0037909

But you're not running the CentOS copy of hplip?

pnewell (reporter) 2020-11-16 19:54 ~0037910

Trevor:

Thanks for reply.

No, I am not. The Centos copy of hplip is 3.15.9 which does not recognize my printer. So I had to download/build/install 3.18.5 to get it to work. Printing did not generate these SELinux warnings under Centos 7.6, 7.7, or 7.8. I wish to note that the printing and scanning work under 7.9 even though I get this SELinux alert for printing (have not seen any alerts when scanning) -- though there is a small issue with double-sided that has been there since I got the printer / 3.18.5.

Paul

ManuelWolfshant (manager) 2020-11-17 11:55 ~0037913

Try touch /.autorelabel && reboot

pnewell (reporter) 2020-11-17 20:27 ~0037917

Manuel:

Tried as you suggested and no change (the reboot did confirm it was relabelling)

But I do have a bit more info. I pick a short message in tBird to test with. I did a "before" to confirm that I got the alerts and actually got three of them which I attach. Note the cups-pk-helper one is slightly different.

After rebooting, I tried the print again (the "after" test) and got the cups-pk-helper and gnome-session-check-acceler alerts but not the /usr/lib/cups/backend/hp

The real interesting one was that before I got your mail to try the relabel, I had to print a pdf and I got no alerts. The pdf was an attachment in an email and I opened with Atril and printed from that application.

Not certain what this means, if anything. The notes I have from the yum update that kicked me from 7.8 to 7.9 show that I also got tBird updated to 78.4.0 and it is definitely different than what I had before (68.12.0). So maybe this is a tBird issue? The next time I reboot I will try printing a file and printing something in Firefox to see whether the SELinux alerts are limited to tBird or not.

Thanks for your help,
Paul

Attachment: alerts_17nov20.txt (7,851 bytes)
1 of 4:
    old one from 09oct20 about /usr/libexec/ibus-x11 with setattr on /usr/lib/fontconfig/cache

2 of 4:

    SELinux is preventing /usr/libexec/gnome-session-check-accelerated-gl-helper from sendto access on the unix_dgram_socket /run/nvidia-xdriver-1de39bc9.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that gnome-session-check-accelerated-gl-helper should be allowed sendto access on the nvidia-xdriver-1de39bc9 unix_dgram_socket by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'gnome-session-c' --raw | audit2allow -M my-gnomesessionc
    # semodule -i my-gnomesessionc.pp

    Additional Information:
    Source Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
    Target Context                system_u:system_r:xserver_t:s0-s0:c0.c1023
    Target Objects                /run/nvidia-xdriver-1de39bc9 [ unix_dgram_socket ]
    Source                        gnome-session-c
    Source Path                   /usr/libexec/gnome-session-check-accelerated-gl-
                                  helper
    Port                          <Unknown>
    Host                          birdinhand.localdomain
    Source RPM Packages           gnome-shell-3.28.3-30.el7.x86_64
    Target RPM Packages          
    Policy RPM                    selinux-policy-3.13.1-268.el7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     birdinhand.localdomain
    Platform                      Linux birdinhand.localdomain
                                  3.10.0-1160.2.2.el7.x86_64 #1 SMP Tue Oct 20
                                  16:53:08 UTC 2020 x86_64 x86_64
    Alert Count                   413
    First Seen                    2020-10-12 16:59:42 PDT
    Last Seen                     2020-11-17 11:40:20 PST
    Local ID                      2b72ebb7-628c-4e1f-9388-9ff0753a0f29

    Raw Audit Messages
    type=AVC msg=audit(1605642020.427:172): avc:  denied  { sendto } for  pid=2342 comm="gnome-shell" path="/run/nvidia-xdriver-1de39bc9" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0


    type=SYSCALL msg=audit(1605642020.427:172): arch=x86_64 syscall=connect success=no exit=EACCES a0=8 a1=7fff7e6b31d0 a2=42 a3=10140800003 items=0 ppid=2275 pid=2342 auid=4294967295 uid=42 gid=42 euid=42 suid=42 fsuid=42 egid=42 sgid=42 fsgid=42 tty=(none) ses=4294967295 comm=gnome-shell exe=/usr/bin/gnome-shell subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 key=(null)

    Hash: gnome-session-c,xdm_t,xserver_t,unix_dgram_socket,sendto

3 of 4:

    SELinux is preventing cups-pk-helper- from read access on the sock_file cups.sock.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that cups-pk-helper- should be allowed read access on the cups.sock sock_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'cups-pk-helper-' --raw | audit2allow -M my-cupspkhelper
    # semodule -i my-cupspkhelper.pp

    Additional Information:
    Source Context                system_u:system_r:cupsd_config_t:s0-s0:c0.c1023
    Target Context                system_u:object_r:cupsd_var_run_t:s0
    Target Objects                cups.sock [ sock_file ]
    Source                        cups-pk-helper-
    Source Path                   cups-pk-helper-
    Port                          <Unknown>
    Host                          birdinhand.localdomain
    Source RPM Packages           cups-pk-helper-0.2.6-2.el7.x86_64
    Target RPM Packages          
    Policy RPM                    selinux-policy-3.13.1-268.el7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     birdinhand.localdomain
    Platform                      Linux birdinhand.localdomain
                                  3.10.0-1160.2.2.el7.x86_64 #1 SMP Tue Oct 20
                                  16:53:08 UTC 2020 x86_64 x86_64
    Alert Count                   4
    First Seen                    2020-11-14 13:19:38 PST
    Last Seen                     2020-11-17 11:46:45 PST
    Local ID                      7b02eac1-b561-464f-b8db-9fba1365a3e0

    Raw Audit Messages
    type=AVC msg=audit(1605642405.745:294): avc:  denied  { read } for  pid=4592 comm="cups-pk-helper-" name="cups.sock" dev="tmpfs" ino=21810 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=0


    type=SYSCALL msg=audit(1605642405.745:294): arch=x86_64 syscall=access success=no exit=EACCES a0=7fbe0802c841 a1=4 a2=74736f68 a3=7ffc4bbb97a0 items=0 ppid=4591 pid=4592 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cups-pk-helper- exe=/usr/libexec/cups-pk-helper-mechanism subj=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 key=(null)

    Hash: cups-pk-helper-,cupsd_config_t,cupsd_var_run_t,sock_file,read

4 of 4:

    SELinux is preventing /usr/lib/cups/backend/hp from write access on the file /var/lib/net-snmp/mib_indexes/0.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that hp should be allowed write access on the 0 file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'hp' --raw | audit2allow -M my-hp
    # semodule -i my-hp.pp

    Additional Information:
    Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
    Target Context                unconfined_u:object_r:snmpd_var_lib_t:s0
    Target Objects                /var/lib/net-snmp/mib_indexes/0 [ file ]
    Source                        hp
    Source Path                   /usr/lib/cups/backend/hp
    Port                          <Unknown>
    Host                          birdinhand.localdomain
    Source RPM Packages           hplip-3.15.9-5.el7.x86_64
    Target RPM Packages          
    Policy RPM                    selinux-policy-3.13.1-268.el7.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     birdinhand.localdomain
    Platform                      Linux birdinhand.localdomain
                                  3.10.0-1160.2.2.el7.x86_64 #1 SMP Tue Oct 20
                                  16:53:08 UTC 2020 x86_64 x86_64
    Alert Count                   7
    First Seen                    2020-11-14 13:19:38 PST
    Last Seen                     2020-11-17 11:48:28 PST
    Local ID                      36d1bac6-7c71-406b-97e7-7f1e772b877e

    Raw Audit Messages
    type=AVC msg=audit(1605642508.783:315): avc:  denied  { write } for  pid=4742 comm="hp" name="0" dev="md126" ino=1058380 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file permissive=0


    type=SYSCALL msg=audit(1605642508.783:315): arch=x86_64 syscall=open success=no exit=EACCES a0=7fdc8f57fd20 a1=241 a2=1b6 a3=24 items=0 ppid=1669 pid=4742 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm=hp exe=/usr/lib/cups/backend/hp subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

    Hash: hp,cupsd_t,snmpd_var_lib_t,file,write

pnewell (reporter) 2020-11-18 19:50 ~0037930

To all:

I ran a full check of printing via different means today doing a full reboot before each. All four (tBird, Firefox, lpr, and atril) gave alerts. I could not repeat the open attachment in tBird with atril to print and have it not generate any alerts ... so please pardon the red herring info from yesterday.

Paul

ManuelWolfshant (manager) 2020-11-18 21:33 ~0037931

What does rpm -qi cups-pk-helper come back with ?

pnewell (reporter) 2020-11-18 21:36 ~0037932

Manuel:

[paul@birdinhand ~]$ rpm -qi cups-pk-helper
Name : cups-pk-helper
Version : 0.2.6
Release : 2.el7
Architecture: x86_64
Install Date: Fri 09 Oct 2020 01:36:41 PM PDT
Group : System Environment/Base
Size : 363678
License : GPLv2+
Signature : RSA/SHA256, Thu 10 Aug 2017 08:30:43 AM PDT, Key ID 24c6a8a7f4a80eb5
Source RPM : cups-pk-helper-0.2.6-2.el7.src.rpm
Build Date : Sat 05 Aug 2017 02:09:44 PM PDT
Build Host : c1bm.rdu2.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : http://www.vuntz.net/download/cups-pk-helper/
Summary : A helper that makes system-config-printer use PolicyKit
Description :
cups-pk-helper is an application which makes cups configuration
interfaces available under control of PolicyKit.
[paul@birdinhand ~]$

Paul

ManuelWolfshant (manager) 2020-11-18 21:45 ~0037933 (last edited 2020-11-18 21:46)

And " ls -lZ /etc/systemd/system/sockets.target.wants/cups.socket " and "rpm -qi cups" ?

pnewell (reporter) 2020-11-18 21:46 ~0037934

Manuel:

[paul@birdinhand ~]$ ls -lZ /etc/systemd/system/sockets.target.wants/cups.socket
lrwxrwxrwx. root root system_u:object_r:systemd_unit_file_t:s0 /etc/systemd/system/sockets.target.wants/cups.socket -> /usr/lib/systemd/system/cups.socket
[paul@birdinhand ~]$

pnewell (reporter) 2020-11-19 01:46 ~0037935

Manuel and/or Trevor:

I see that a kernel update (3.10.0-1160.6.1.el7) has arrived with associated other updates (on my machine, it's 121 of them including the kernel). I am on 3.10.0-1160.2.2.el7. I see nothing related to printing, tBird, or Firefox in the updates ... and nothing about cups (I wouldn't expect that given my having to use a newer version than the one that comes with Centos7). I do, however, see a new selinux-policy (3.13.1-268.el7_9.2). It looks like I updated to 3.13.1-268.el7 from 3.13.1-266.el7_8.1 on 12nov20 as part of the upgrade to Centos 7.9.

Do you want me to update or should I leave everything as is while you are looking into the report? I would normally assume that I should update but want to make sure in case you have reason to want me to not disturb existing packages.

Thanks,
Paul

ManuelWolfshant (manager) 2020-11-19 07:08 ~0037937

Yes, please, do update; maybe it gets fixed by magic.
Thing is that I try to be open minded and not assume that your non-standard hplip is at fault (hence me asking about cups, cups-pk-helper and the selinux context of the socket). Because if the root cause is your upgraded version of hplip, the only way out is to apply the solution mentioned by the error message.

pnewell (reporter) 2020-11-19 07:38 ~0037938

Manuel:

Thanks for reply.

I will update tomorrow morning and hope "maybe it gets fixed by magic" (smile).

I am prepared for "non-standard hplip" to be part of the problem (or the problem) in which something has changed in Centos packages between 7.8 and 7.9 which no longer plays nice with hplip 3.18.5. I have to assume that everything is playing fair between Centos 8, its default hplip 3.18.4-9, and my printer which first appeared in hplip 3.17.9 (see https://developers.hp.com/hp-linux-imaging-and-printing/supported_devices/index for HP Envy Photo 7855 All-in-one). The reason I picked 3.18.5 was to try to catch any bug fixes. So whatever changed must have been properly adjusted. No, I am not expecting you to spend that much time trying to solve it, don't worry. I am very happy that you have spent time trying to help.

Hopefully, there will be an "aha" so we either know it can be fixed in next update on your end or what the problem is even if it can't be fixed and, therefore, having to do the solution mentioned. I will need a bit of help on understanding what I am doing if I have to do that as adding exceptions in SELinux is not the sort of thing I either do or know what I am doing.

Thanks,
Paul

ManuelWolfshant (manager) 2020-11-19 16:56 ~0037943

ref: " I will need a bit of help on understanding what I am doing if I have to do that as adding exceptions in SELinux is not the sort of thing I either do or know what I am doing.": https://wiki.centos.org/HowTos/SELinux#Customizing_SELinux_Policies

pnewell (reporter) 2020-11-19 22:34 ~0037949

As expected, the kernel et al update did not "magically" fix everything. At what point is defeat admitted regarding the original cups-pk-helper "You should report this as a bug" and I go to Plan B of adding one or more of the three solutions?

ManuelWolfshant (manager) 2020-11-20 01:05 ~0037951

From my point of view, in this moment there is only one thing to do: downgrade (for testing purposes) hplip to the version provided by CentOS. If the selinux warning goes away, you know it comes from the newer version you were using and you should create a custom policy (*). If it does not, further investigation is needed.
(*) Given that it has no impact on your ability to print, I would not _allow_ it in the custom policy but _dontaudit_ it. IIRC, the selinux page from our wiki I pointed to shows how to generate a source policy, edit and compile it.

pnewell (reporter) 2020-11-20 01:25 ~0037953

Manuel:

Thank you for the reply.

Under normal circumstances, I would agree that downgrading to 3.15.9 is the correct next step. The problem is that 3.15.9 doesn't recognize my printer and I am unable to print/scan anything, let alone test to see if SELinux alerts stop or not.

As for the wiki link you sent in one of your earlier replies, I have gone through it and intend to go through it a couple more times until it makes sense. I will admit I am a bit confused (mild understatement) given the first alert I got which I sent a screenshot of implies that all I need to do is execute:

ausearch -c 'cups-pk-helper-' --raw | audit2allow -M my-cupspkhelper
semodule -i my-cupspkhelper.pp

which I assume is piping the ausearch into my-cupspkhelper.pp which I then add with semodule

The wiki looks like it is a lot more complicated but seems to not have anything which has "Allow this access for now by executing". I am thinking the "for now" means the policy gets lost after I log out ... is the wiki about how to make it permanent? Apologies for not understanding.

Paul

TrevorH (manager) 2020-11-20 01:58 ~0037954

If you install the version that supports your printer, do you have a /usr/share/ppd/HP/hp-envy_photo_7800_series.ppd.gz file? If you copy that elsewhere and then uninstall the newer one and install the distro one, can you use that saved ppd file to add your printer without needing the newer version?

pnewell (reporter) 2020-11-20 02:31 ~0037957

Trevor:

Thanks for reply. I do not see the file in /usr/share/ppd/HP but, when looking at the cut-and-paste of the output of the install of 3.18.5, I can see hp-envy_photo_7800_series is installed in /usr/share/cups/model/HP. There are a bunch of ppd.gz files in /usr/share/ppd/HP and I have a feeling that is from the original 3.15.9 install?

I have no idea whether your suggestion will work. Just because I was able to figure out how to upgrade the hplip doesn't mean I have any understanding of what it was all about (smile).

My thinking is to take a scratch hard-drive, install the latest and greatest Centos, confirm what is there, add the envy ppd.gz file to /usr/share/ppd/HP (or /usr/share/cups/model/HP if it exists ... or both?). If I screw something up it won't affect my real hard drives (and if I need the printer it is a simple reboot onto the original hard drives). If things do work with just that file, then I can try installing 3.18.5 to confirm that it is the root problem.

Does that make sense or am I over simplifying things and missing something else that needs to be on the scratch hard drive?

Paul

ps: if I do this, I will do tomorrow

TrevorH (manager) 2020-11-20 02:35 ~0037958

When you add the printer through the cups web gui, there is an option there to say I have a ppd file and this is where it is.

pnewell (reporter) 2020-11-20 02:44 ~0037959

Trevor:

I have a vague memory of bumping into something like that back in 2018 when I couldn't figure out why my new printer didn't work with 3.15.9.

If I get confused I'll ask questions

Crossing my fingers this works,
Paul

ManuelWolfshant (manager) 2020-11-20 03:30 ~0037960 (last edited 2020-11-20 03:31)

ref: "Under normal circumstances, I would agree that downgrading to 3.15.9 is the correct next step. The problem is that 3.15.9 doesn't recognize my printer and I am unable to print/scan anything, let alone test to see if SELinux alerts stop or not."
I suggested to do that temporarily, just to verify if the alert is triggered without "your" upgraded package. After the test you can upgrade back.

ref: "As for the wiki link you sent in one of your earlier replies, I have gone through it and intend to go through it a couple more times until it makes sense. I will admit I am a bit confused (mild understatement) given the first alert I got which I sent a screenshot of implies that all I need to do is execute:[...]"
https://wiki.centos.org/HowTos/SELinux#Manually_Customizing_Policy_Modules describes exactly the process of allowing an allow rule with a dontaudit one. Basically instead of generating and installing directly a new binary policy ( as described in 7.0 ) using audit2allow -M, you edit the source policy that was generated, modify it, compile it and then install it.

ref TrevorH's suggestion:
1) use rpm -ql hplip\*| grep ppd$ to find out what ppd files are brought in by the new hplip and where they are stored;
2) put aside in a convenient place I'll call for further reference "TheConvenientPlace" the one(s) related to your printer;
3) install the distro package;
4) use rpm -ql to find out where this package stores its ppd files;
5) copy the files from TheConvenientPlace (i.e. saved at step 2) in the place indicated at step 4;
6) attempt to reinstall the printer.
You could even skip step 5 , go directly to step 6 and browse manually to TheConvenientPlace when the installer asks for the ppd to use.

pnewell (reporter) 2020-11-20 03:52 ~0037961

Manuel:

Thanks for reply to clarify things.

I think Trevor's suggestion is the best one to try now as it would mean I could use the default 3.15.9 by just adding the ppd.gz file. If that works, then I can run your suggestion of using the default 3.15.9 to print something and see if I got the SELinux alerts (as I have to have an operational printer to test). And by doing it on a scratch drive, I've got a sandbox to try things out without messing my hero machine.

I appreciate your additional suggestions regarding rpm -ql to figure out where to put things (and I like the name "TheConvenientPlace" ... I will probably use it verbatim)

We can take it from there once I get the test done and, if I do need to create an allow rule, I'll drill further into your explanations in the second paragraph of your reply

I'll get back tomorrow once I have done this test
Paul

pnewell (reporter) 2020-11-20 22:20 ~0037972

Manuel and Trevor:

I ran the test and, unfortunately, it didn't work. The steps I took were
1) installed a fresh copy of Centos 7.8.2003 (did not update as that would kick me to 7.9)
2) following my usual set of instructions for getting printing to work, observed that cups, hpijs, and system-config-printer are already installed so I did a yum install of hplip, hplip-gui, and xsane
3) did a system status cups to confirm it was running
4) observed that there is a /usr/share/ppd/HP but no /usr/share/cups/model/HP, so copied the ppd.gz from TheConvenientPlace to /usr/share/ppd/HP
5) did printer settings -> add -> network printer -> hp ENVY Photo 7800 and it said "can't find driver"
6) so did new printer -> choose driver -> the ppd.gz and then apply
7) everything looked like I expected, so I tried printing to which it started the job and then very quickly after stopped the job (the "Printer State" said "Idle -- filter failed")
8) I noticed that there was no "Print Test Page" under Tests and Maintenance
9) I ran a second test by firing up xsane and it said it couldn't find any devices
10) pretty certain the printer is not seen
11) rebooted and tried again just to make sure that wasn't a factor

I have left everything on that hard drive as is in case you want me to try something else. Otherwise, I think such is a dead end and suspect you will say "it's time to do custom policy".

Paul

ManuelWolfshant (manager) 2020-11-21 03:46 ~0037973

From my point of view now you are definitely in uncharted and unsupported territory. The official policy is "we support what we ship" and unfortunately via the bug tracker we can only attempt to ensure fixing of bugs related to what is shipped by the distro. Still from the same point of view, I'd suggest indeed that you install the custom policy while I'd close the bug as "unsupported config".
The best approach forward would be a request for enhancement via a bug opened at bugzilla.redhat.com with the request to add support for your printer to the official hplip package. Unfortunately ( God , I hate this word.. ) RHEL 7 ( and by matter of consequence, CentOS 7 as well ) is already rather late in its life and I am almost sure that such a request for enhancement will be rejected.
But maybe others have better ideas than mine so I will not close the bug... yet

pnewell (reporter) 2020-11-21 06:29 ~0037974

Manuel:

I appreciate both Trevor and your helping to see what is going on. And, yes, I understand that it appears that the problem is a change in Centos from 7.8 to 7.9 which affects a more recent version of hplip than you ship.

I am pretty certain that the RHEL answer will be "move to Centos 8" which I am certain will happen at some point. And, to some extent, I can't argue given that it appears full updates ended 2020_08_06 per Wiki (I can't find confirm on a Centos/RHEL site).

Nevertheless, I will submit something at bugzilla.redhat.com to see if the age of the default hplip is affecting others and maybe, just maybe, there might be a way to get a "maintenance fix" (as that is good until 2024)

I would appreciate giving me a couple days past this weekend to make sure I know what I am doing with custom policy before closing the bug. I really hope I can sort this out on my own, but I might need to ask another question.

Once again, thanks for the help and trying to see if there was something on your end that would get rid of the SELinux alerts.

Paul

pnewell (reporter) 2020-11-25 06:54 ~0037987

Manuel:

I followed your suggestions and link to create a policy change that does _dontallow_ instead of _audit_:
+++ start of my-cupspkhelper.te +++
    [root@birdinhand SELinux_custom_policy_module]# more my-cupspkhelper.te

    module my-cupspkhelper 1.0;

    require {
        type cupsd_var_run_t;
        type cupsd_config_t;
        class sock_file read;
    }

    #============= cupsd_config_t ==============
    dontaudit cupsd_config_t cupsd_var_run_t:sock_file read;
    [root@birdinhand SELinux_custom_policy_module]
+++ end of my-cupspkhelper.te +++

I see the directions for how to compile and install:
    # checkmodule -M -m -o postfixlocal.mod postfixlocal.te
    # semodule_package -o postfixlocal.pp -m postfixlocal.mod
    # semodule -i postfixlocal.pp
and then run semodule and they make sense.

My last questions before I do the deed are:
1) the link you sent me gave me the impression that I might have to do some or all of this with SELinux set to "permissive" but it seemed like that was only if I had to push stuff and then search logs rather than get the alert to "tell me what to do"
2) should this be done as root or as a regular user?
3) is the semodule permanent or just for that session? -- the SELinux Alert says "Allow this access for now by executing" which the "for now" implies it is not permanent. If it isn't permanent, how do I make it permanent?
4) how do I undo a custom policy should I need to? Or at least archive the original "whatever" so I can manually revert

There are three alerts that pop up and I will do them one at a time to test to see if I need the others. If I am only doing _dontaudit_ then I suspect I will have to do all of them. The other two are gnome-session-check-accelerated-gl-helper, which involved nvidia and I have only seen this before with Maya, and /usr/lib/cups/backend/hp, which makes sense as this is a printer issue. Any advice on these two?

Thanks for all your help,
Paul
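The my-cupspkhelper.te module above is what audit2allow generates from the cups-pk-helper AVC record in alerts_17nov20.txt, with `allow` replaced by `dontaudit`. As an added example (not part of this thread and not audit2allow's own code), the script below performs that derivation for all three denials in the attachment: it parses the raw `type=AVC` lines, collapses them into one rule per (source type, target type, object class) and emits a module source with the verb of your choice. The module name and the `#=====` grouping comments imitate audit2allow's output; the sample records are copied from the attachment.

```python
"""Derive a .te policy module from raw SELinux AVC denials.

A minimal stand-in for the part of audit2allow used in this thread: every
'avc: denied' record becomes one rule, and the caller chooses whether the
verb is 'allow' or 'dontaudit'.  Example code, not taken from audit2allow.
"""
import re
from collections import defaultdict

# The three AVC records from alerts_17nov20.txt, copied verbatim.
SAMPLE_AVCS = """\
type=AVC msg=audit(1605642020.427:172): avc:  denied  { sendto } for  pid=2342 comm="gnome-shell" path="/run/nvidia-xdriver-1de39bc9" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1605642405.745:294): avc:  denied  { read } for  pid=4592 comm="cups-pk-helper-" name="cups.sock" dev="tmpfs" ino=21810 scontext=system_u:system_r:cupsd_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1605642508.783:315): avc:  denied  { write } for  pid=4742 comm="hp" name="0" dev="md126" ino=1058380 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:snmpd_var_lib_t:s0 tclass=file permissive=0
"""

# Only the fields a rule needs: the permission set, both contexts, the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Type component of a context such as system_u:system_r:cupsd_t:s0-s0:c0.c1023."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every denial in text."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(text):
        key = (type_of(m.group("scontext")), type_of(m.group("tcontext")), m.group("tclass"))
        rules[key].update(m.group("perms").split())
    return rules


def fmt_perms(perms):
    """audit2allow style: a bare name for one permission, braces for several."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te(text, module, verb="dontaudit", version="1.0"):
    """Render a complete .te source module; verb is 'allow' or 'dontaudit'."""
    if verb not in ("allow", "dontaudit"):
        raise ValueError("verb must be 'allow' or 'dontaudit'")
    rules = parse_avcs(text)
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass].update(perms)

    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    # One block per source domain, the way audit2allow prints it.
    for stype in sorted({s for s, _, _ in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, ttype, tclass), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"{verb} {s} {ttype}:{tclass} {fmt_perms(perms)};")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # Same module the reporter built by hand, extended to all three denials.
    print(build_te(SAMPLE_AVCS, "my-cupspkhelper"))
    print("# next: checkmodule -M -m -o my-cupspkhelper.mod my-cupspkhelper.te")
```

Feed the output to the checkmodule / semodule_package / semodule -i sequence quoted above; swapping `verb="allow"` reproduces what `audit2allow -M` would have installed directly.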

pnewell (reporter) 2020-11-25 06:59 ~0037988

Manuel:

Realized I did a cut-and-paste of code to compile and install when I should have edited it to reflect my filename:

    # checkmodule -M -m -o my-cupspkhelper.mod my-cupspkhelper.te
    # semodule_package -o my-cupspkhelper.pp -m my-cupspkhelper.mod
    # semodule -i my-cupspkhelper.pp

Apologies,
Paul

ManuelWolfshant (manager) 2020-11-25 08:24 ~0037989

1. Enforcing works just as well. The idea of using permissive is to make sure the logs collect all the AVCs that would get triggered. In enforcing mode the first denial stops the application so you would need to create a lot of policies, one AVC at a time.
2. Root. Regular users do not have access rights.
3. Permanent.
4. man semodule, look for "remove".

PS: the bug tracker is not a support avenue. There are better ways to ask and receive support.

pnewell (reporter) 2020-11-25 23:53 ~0037998

Manuel:

Apologies for using this bug tracker as a way to get some help on what to do with your suggestion for how to resolve on my own. I did include in my email of 21nov20 "I really hope I can sort this out on my own, but I might need to ask another question" and, since I didn't hear anything back, I thought it would be okay to get one last round of questions after I went through everything.

That being said, I really appreciate your answers to my questions. I compiled and installed, rebooted, and tested to confirm that warning is gone. I will change the cups-backend-hp to _dontaudit_ and install as it shows up the second time I try to print something. Not certain what to do with the gnome-session-check-accelerated-gl-helper ... going to have to search online for more info to understand it better

I took your suggestion and submitted RHEL Bugzilla 1901750. I want to note here that I added the following additional info regarding RHEL/Centos 8: "I note that it appears RHEL/Centos 8 is defaulted to 3.18.4 which should be okay as the first release that has the HP Envy is 3.17.9 and, hopefully, any bugs were squashed by 3.18.4"

I think you can close this bug as "unsupported config" as you indicated you were going to do.

I want to thank both Trevor and you for your help and the education into doing custom policies

Paul

ManuelWolfshant (manager) 2020-11-26 07:36 ~0037999

Paul, I have to be honest with you and tell you that I only helped you here because you've shown the willingness to spend time learning the proper way rather than blindly disabling selinux as [too] many users do.
If needed, feel free to ask for further help in any of our recommended avenues, i.e. fora, IRC or mailing lists.

Issue History

Date Modified Username Field Change
2020-11-16 06:27 pnewell New Issue
2020-11-16 06:27 pnewell File Added: Screenshot at 2020-11-15 21-57-25.png
2020-11-16 10:19 ManuelWolfshant Note Added: 0037907
2020-11-16 19:38 pnewell Note Added: 0037908
2020-11-16 19:46 TrevorH Note Added: 0037909
2020-11-16 19:54 pnewell Note Added: 0037910
2020-11-17 11:55 ManuelWolfshant Note Added: 0037913
2020-11-17 20:27 pnewell File Added: alerts_17nov20.txt
2020-11-17 20:27 pnewell Note Added: 0037917
2020-11-18 19:50 pnewell Note Added: 0037930
2020-11-18 21:33 ManuelWolfshant Note Added: 0037931
2020-11-18 21:36 pnewell Note Added: 0037932
2020-11-18 21:45 ManuelWolfshant Note Added: 0037933
2020-11-18 21:46 ManuelWolfshant Note Edited: 0037933 View Revisions
2020-11-18 21:46 pnewell Note Added: 0037934
2020-11-19 01:46 pnewell Note Added: 0037935
2020-11-19 07:08 ManuelWolfshant Note Added: 0037937
2020-11-19 07:38 pnewell Note Added: 0037938
2020-11-19 16:56 ManuelWolfshant Note Added: 0037943
2020-11-19 22:34 pnewell Note Added: 0037949
2020-11-20 01:05 ManuelWolfshant Note Added: 0037951
2020-11-20 01:25 pnewell Note Added: 0037953
2020-11-20 01:58 TrevorH Note Added: 0037954
2020-11-20 02:31 pnewell Note Added: 0037957
2020-11-20 02:35 TrevorH Note Added: 0037958
2020-11-20 02:44 pnewell Note Added: 0037959
2020-11-20 03:30 ManuelWolfshant Note Added: 0037960
2020-11-20 03:31 ManuelWolfshant Note Edited: 0037960 View Revisions
2020-11-20 03:52 pnewell Note Added: 0037961
2020-11-20 22:20 pnewell Note Added: 0037972
2020-11-21 03:46 ManuelWolfshant Note Added: 0037973
2020-11-21 06:29 pnewell Note Added: 0037974
2020-11-25 06:54 pnewell Note Added: 0037987
2020-11-25 06:59 pnewell Note Added: 0037988
2020-11-25 08:24 ManuelWolfshant Note Added: 0037989
2020-11-25 23:53 pnewell Note Added: 0037998
2020-11-26 07:36 ManuelWolfshant Status new => closed
2020-11-26 07:36 ManuelWolfshant Resolution open => no change required
2020-11-26 07:36 ManuelWolfshant Note Added: 0037999