Bug 1363829 - SELinux is preventing hp from 'wake_alarm' accesses on the capability2 Unknown.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:5b72b441e4bc965a1c66f3039c9...
Depends On:
Blocks:
Reported: 2016-08-03 16:36 UTC by Joachim Frieben
Modified: 2016-11-18 15:16 UTC (History)

Fixed In Version: selinux-policy-3.13.1-224.fc25
Last Closed: 2016-11-18 15:16:44 UTC



Description Joachim Frieben 2016-08-03 16:36:31 UTC
Description of problem:
SELinux is preventing hp from 'wake_alarm' accesses on the capability2 Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hp should be allowed wake_alarm access on the Unknown capability2 by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'hp' --raw | audit2allow -M my-hp
# semodule -X 300 -i my-hp.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability2 ]
Source                        hp
Source Path                   hp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-206.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.0-0.rc0.git3.1.fc25.x86_64 #1
                              SMP Fri Jul 29 15:09:59 UTC 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2016-08-03 18:24:17 CEST
Last Seen                     2016-08-03 18:24:26 CEST
Local ID                      db9f12ae-e6f8-463d-8fcb-eea10d4c5551

Raw Audit Messages
type=AVC msg=audit(1470241466.118:265): avc:  denied  { wake_alarm } for  pid=2515 comm="gutenprint52+us" capability=35  scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=capability2 permissive=0


Hash: hp,cupsd_t,cupsd_t,capability2,wake_alarm

Version-Release number of selected component:
selinux-policy-3.13.1-206.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc0.git3.1.fc25.x86_64
type:           libreport

Comment 1 Mikhail 2016-09-25 16:25:37 UTC
Description of problem:
switch on HP printer

Version-Release number of selected component:
selinux-policy-3.13.1-215.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc7.git0.1.fc25.x86_64
type:           libreport

Comment 2 Göran Uddeborg 2016-10-08 13:43:50 UTC
In which errata was this supposed to be fixed?  I updated to 3.13.1-215.fc25 which is the most recent in the F25 channels.  But I still get the same AVC.

Comment 3 Joachim Frieben 2016-10-08 18:01:20 UTC
(In reply to Göran Uddeborg from comment #2)
The latest available version is selinux-policy-3.13.1-218.fc25 which was released two days ago and which you should have had already unless you forgot to update or use an outdated mirror.
As of selinux-policy-3.13.1-218.fc25, I do not see any alert of type "SELinux is preventing hp from 'wake_alarm' accesses on the capability2 Unknown.".
I do actually still see "SELinux is preventing hpfax from using the 'wake_alarm' capabilities." but that relates to bug 1374990, thus, it is "hpfax" and -not- "hp".
It is a bad idea to reopen other people's closed bugs without having a clear idea of the present situation. Please recheck for selinux-policy-3.13.1-218.fc25, make sure that the alert was triggered by "hp" and not by "hpfax"; otherwise close the bug, thanks.

Comment 4 Göran Uddeborg 2016-10-08 18:23:05 UTC
I tried an update once more now, and this time dnf did indeed find a -218 release. I don't quite understand why it wasn't found when I checked earlier today. Some kind of caching could be a reason, but if it was released two days ago it seems a bit strange to me. My issue was with "hp", not "hpfax" or any other binary. So I did actually think I had the latest update and the same error, which is why I ventured a reopen.

Since I obviously was wrong, I'm closing again.

Comment 5 Joachim Frieben 2016-10-08 19:30:46 UTC
(In reply to Göran Uddeborg from comment #4)
A good place to check for the latest updates is the Fedora Update System at https://bodhi.fedoraproject.org. This allows you to verify whether an update to the package in question is already in the testing stage or scheduled for being released to updates-testing.
Unfortunately, you do not mention whether selinux-policy-3.13.1-218.fc25 -does- resolve the issue successfully for you. Testing the latter with a positive result would have been the prerequisite for closing this bug report again as you have done.

Comment 6 Göran Uddeborg 2016-10-08 21:04:25 UTC
I know about Bodhi, but when I'm only interested in released packages there should not be any point in going there. A simple dnf command should give the same information. Besides, normally there is a mention in a bugzilla of which release is supposed to fix the issue, which I found missing here.

But since you seemed unhappy that I reopened your bug, I wanted to leave it the way I found it. If I can reproduce the problem with the new policy, I can open a separate case.

Comment 7 Joachim Frieben 2016-10-09 18:50:21 UTC
SELinux is preventing hp from using the 'wake_alarm' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hp should have the wake_alarm capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'hp' --raw | audit2allow -M my-hp
# semodule -X 300 -i my-hp.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability2 ]
Source                        hp
Source Path                   hp
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-218.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 4.8.1-1.fc25.x86_64 #1 SMP Fri Oct
                              7 14:38:22 UTC 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2016-10-09 20:38:40 CEST
Last Seen                     2016-10-09 20:38:46 CEST
Local ID                      d225dc9f-0669-472c-95e5-312c1a51c6db

Raw Audit Messages
type=AVC msg=audit(1476038326.139:212): avc:  denied  { wake_alarm } for  pid=1938 comm="hpfax" capability=35  scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=capability2 permissive=1


Hash: hp,cupsd_t,cupsd_t,capability2,wake_alarm
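
Added example, not part of the original report: the two raw AVC records quoted in this bug (Description and comment 7), parsed and grouped by source type, class and permission so that each record's `comm` and `permissive` fields can be read next to the alert title. The function names `parse_avc` and `triage` are this example's own.

```python
import re
import shlex

# Raw AVC records copied from this bug report (Description and comment 7).
CTX = "system_u:system_r:cupsd_t:s0-s0:c0.c1023"
RECORDS = [
    'type=AVC msg=audit(1470241466.118:265): avc:  denied  { wake_alarm } for  '
    'pid=2515 comm="gutenprint52+us" capability=35  '
    f'scontext={CTX} tcontext={CTX} tclass=capability2 permissive=0',
    'type=AVC msg=audit(1476038326.139:212): avc:  denied  { wake_alarm } for  '
    'pid=1938 comm="hpfax" capability=35  '
    f'scontext={CTX} tcontext={CTX} tclass=capability2 permissive=1',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)'
)

def parse_avc(line):
    """Split one raw AVC record into a dict of its fields."""
    m = AVC_RE.match(line.strip())
    if m is None:
        raise ValueError("not an AVC record: %r" % line[:40])
    rec = {"timestamp": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    # shlex strips the quotes around comm="..." and keeps key=value together.
    for token in shlex.split(m["fields"]):
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec

def triage(lines):
    """Group denials by (source type, class, permission)."""
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        source_type = rec["scontext"].split(":")[2]  # user:role:type:range
        for perm in rec["perms"]:
            g = groups.setdefault((source_type, rec["tclass"], perm),
                                  {"comms": set(), "blocked": 0, "logged_only": 0})
            g["comms"].add(rec["comm"])  # kernel task name, at most 15 chars
            # permissive=0: access was blocked; permissive=1: only logged.
            g["blocked" if rec["permissive"] == "0" else "logged_only"] += 1
    return groups

if __name__ == "__main__":
    for key, g in triage(RECORDS).items():
        print(key, sorted(g["comms"]), g["blocked"], g["logged_only"])
```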

Comment 8 Thomas Wright 2016-10-25 22:39:46 UTC
Description of problem:
Error encountered when adding network printer whilst testing Fedora 25.

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.3-300.fc25.x86_64
type:           libreport

Comment 9 Thomas Wright 2016-10-25 22:43:05 UTC
This bug definitely occurs on up-to-date Fedora 25, with the latest version of selinux-policy:
Installed Packages
Name        : selinux-policy
Arch        : noarch
Epoch       : 0
Version     : 3.13.1
Release     : 220.fc25
Size        : 20 k
Repo        : @System
Summary     : SELinux policy configuration
URL         : http://github.com/TresysTechnology/refpolicy/wiki
License     : GPLv2+
Description : SELinux Base package for SELinux Reference Policy - modular.
            : Based off of reference policy: Checked out revision  2.20091117

Comment 10 tstoeckler 2016-10-26 10:45:30 UTC
Description of problem:
Added a Canon MX 340 printer attached to a Synology DiskStation that was autodiscovered by the Gnome-Settings Printer section.

The printer was added and the screen said "Installing printer" (or similar) and then the SELinux violation came up.

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.3-300.fc25.x86_64
type:           libreport

Comment 11 Boricua 2016-11-02 15:44:50 UTC
Description of problem:
I tried to print from LibreOffice to my HP LaserJet p2055dn. Apparently SELinux prevented it.

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.5-300.fc25.x86_64
type:           libreport

Comment 12 Berend De Schouwer 2016-11-10 11:00:45 UTC
Description of problem:
Scan for printers

Gnome Settings -> Printers -> Unlock -> '+' / Add a New Printer

The system scans for printers, and somewhere wakes an hp process (probably part of hplip or hpijs)

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 13 Stephen Gallagher 2016-11-11 15:11:37 UTC
Description of problem:
I attempted to scan for available printers


Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

Comment 14 Matthew Horn 2016-11-13 17:43:54 UTC
Description of problem:
Trying to wake my Surface Pro 3 by pressing the power button

Version-Release number of selected component:
selinux-policy-3.13.1-220.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.4-301.fc25.x86_64
type:           libreport

Comment 15 Zdenek Chmelar 2016-11-17 00:17:18 UTC
Description of problem:
Appeared when I opened Printers Settings and clicked on "Add a Printer" button. I typed some letters to search field.

Version-Release number of selected component:
selinux-policy-3.13.1-222.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.6-300.fc25.x86_64
type:           libreport

