LinuxQuestions.org


CyberJet 11-11-2008 11:54 AM

SELinux is preventing hp (hplip_t) "search" to ./dbus (system_dbusd_var_run_t).
 
Hi All,

I'm running Fedora Core 9. Everything is working fine with the exception of my printer installation.


SELinux is preventing hp (hplip_t) "search" to ./dbus (system_dbusd_var_run_t).

I tried to disable SELinux prior to the install. The install worked fine. I reenabled SELinux and the printer does not work.
I tried to restore the default system file context for ./dbus, restorecon -v './dbus', this is also a no go.

I typed these two commands still nothing.

audit2allow -M local < /tmp/avcs
audit2allow -m local -l -i /var/log/messages > local.te


Does anyone know or have a step-by-step solution to this problem? I'm new to Linux. How can I tell if I'm running the audit daemon?

Thanks in advance,

R@m0ne

unSpawn 11-12-2008 02:09 PM

Quote:

Originally Posted by CyberJet (Post 3338482)
I typed these two commands still nothing.

I don't know if the method changed (Fedora docs or Wiki should tell you: do look) but here are two examples for building a local policy: http://www.linuxquestions.org/questi...51#post3311051 or http://www.linuxquestions.org/questi...48#post3137548.


Quote:

Originally Posted by CyberJet (Post 3338482)
I'm new to Linux. How can I tell if I'm running the audit daemon?

Is it installed?: 'rpm -qf /sbin/auditd',
What's the service status?: '/etc/rc.d/init.d/auditd status',
Grep process name?: 'pgrep -lf "^auditd"' (the "^" to avoid confusion with kauditd or those running say ccs-auditd),
What's using the default logfile?: 'fuser -v /var/log/audit/audit.log'.

unSpawn 11-12-2008 02:10 PM

And welcome to LQ BTW.

CyberJet 11-13-2008 08:22 AM

Good Morning,

Thanks, unSpawn!

Here are the results from the suggested commands.

[cyberjet@Hermes ~]$ su -
Password:
[root@Hermes ~]# /etc/rc.d/init.d/auditd status
auditd (pid 1476) is running...

[root@Hermes ~]# pgrep -lf "^auditd
>

[root@Hermes ~]# fuser -v /var/log/audit/audit.log
USER PID ACCESS COMMAND
/var/log/audit/audit.log:
root 1476 F.... auditd
[root@Hermes ~]#

So now I know auditd is running. Regarding the examples on creating the policy, I don't have the fundamental knowledge to create a policy. I don't know what statements need to be replaced to give the desired results. The SELinux troubleshooter gives me all this info but I don't know how to interpret it.

Summary
SELinux is preventing hp (hplip_t) "search" to ./dbus (system_dbusd_var_run_t).


Detail Description
SELinux denied access requested by hp. It is not expected that this access is required by hp and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.


Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./dbus, restorecon -v './dbus' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.


Additional Information
Source Context: system_u:system_r:hplip_t:s0-s0:c0.c1023
Target Context: system_u:object_r:system_dbusd_var_run_t:s0
Target Objects: ./dbus [ dir ]
Source: hp
Source Path: /usr/lib/cups/backend/hp
Port: <Unknown>
Host: Hermes
Source RPM Packages: hplip-2.8.2-2.fc9
Target RPM Packages:
Policy RPM: selinux-policy-3.3.1-103.fc9
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: catchall_file
Host Name: Hermes
Platform: Linux Hermes 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count: 6
First Seen: Fri 07 Nov 2008 01:53:57 PM EST
Last Seen: Tue 11 Nov 2008 12:20:39 PM EST
Local ID: b5f8be53-c8d5-4abd-9bbb-c0bf566448c6
Line Numbers:

Raw Audit Messages:

host=Hermes type=AVC msg=audit(1226424039.391:109): avc: denied { search } for pid=13488 comm="hp" name="dbus" dev=dm-0 ino=2293851 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir

host=Hermes type=SYSCALL msg=audit(1226424039.391:109): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfad9220 a2=db9ff4 a3=1f items=0 ppid=1937 pid=13488 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="hp" exe="/usr/lib/cups/backend/hp" subj=system_u:system_r:hplip_t:s0-s0:c0.c1023 key=(null)

I am hopeful that you can interpret this info for me.

Kind Regards,

R@m0ne

unSpawn 11-13-2008 12:41 PM

Quote:

Originally Posted by CyberJet (Post 3340604)
I don't have the fundamental knowledge to create a policy. I don't know what statements need to be replaced to give the desired results.

Sure you do. The first example should work:
Code:

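# Work in a private directory; -p keeps a rerun from failing if it already exists
umask 027; mkdir -p /root/.selinux/ && cd /root/.selinux/ || exit 127
# Turn the logged denials into localpolicy.te
( cat /var/log/audit/audit.log; cat /var/log/messages ) | audit2allow -M localpolicy
# Compile the .te source into a module and package it
checkmodule -M -m -o localpolicy.mod localpolicy.te
semodule_package -o localpolicy.pp -m localpolicy.mod
# Install the package, which was written to the current directory
semodule -i localpolicy.pp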


Quote:

Originally Posted by CyberJet (Post 3340604)
denied { search } for comm="hp" scontext=hplip_t tcontext=system_dbusd_var_run_t tclass=dir

The code should look something like:
Code:

module local 1.1;

require {
        type hplip_t;
        type system_dbusd_var_run_t;
        class dir search;
}

allow hplip_t system_dbusd_var_run_t:dir search;

meaning allow the "hp" process in the "hplip_t" domain to search the dir in the "system_dbusd_var_run_t" domain. But you'd better run the 5 lines of code in the top of this post because there might be other AVC messages. Creating and loading a policy is reversible, so shouldn't permanently fsck up your machine.


All times are GMT -5.