Bug 120054 - user_r cannot connect to socket

| Field | Value | Field | Value |
|---|---|---|---|
| Product: | Fedora | Reporter: | Tim Waugh <twaugh> |
| Component: | hpoj | Assignee: | Russell Coker <rcoker> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | dwalsh, twaugh |
| Target Milestone: | --- | Keywords: | SELinux |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2004-12-02 15:58:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 114963, 123268, 136451 | | |
| Attachments: | | | |
Here's another audit message. This comes from trying to print to an HP all-in-one:

```
audit(1081184286.786:0): avc: denied { write } for pid=30952
exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2
ino=1017121 scontext=system_u:system_r:cupsd_t
tcontext=system_u:object_r:var_run_t tclass=sock_file
```
For completeness here are the audit messages from permissive mode, so we can see all the hurdles at once.

Printing something:

```
audit(1082384337.766:0): avc: denied { write } for pid=10888
exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2
ino=1017118 scontext=system_u:system_r:cupsd_t
tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384337.804:0): avc: denied { connectto } for pid=10888
exe=/usr/bin/ptal-connect path=/var/run/ptal-mlcd/usb:PSC_2200_Series
scontext=system_u:system_r:cupsd_t tcontext=root:system_r:initrc_t
tclass=unix_stream_socket
```

And scanning:

```
audit(1082384628.518:0): avc: denied { write } for pid=10937
exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017118
scontext=user_u:user_r:user_t tcontext=root:object_r:var_run_t
tclass=sock_file
audit(1082384628.519:0): avc: denied { connectto } for pid=10937
exe=/usr/bin/xsane-gimp path=/var/run/ptal-mlcd/usb:PSC_2200_Series
scontext=user_u:user_r:user_t tcontext=root:system_r:initrc_t
tclass=unix_stream_socket
```

So what's the best way to fix this, do you think?
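To make the pattern in these denials concrete, here is an added example (not part of the bug report, hpoj or the Fedora policy package) that parses the permissive-mode AVC messages quoted above into the candidate allow rules an audit2allow-style tool would print, and separately flags the sock_file denials whose target carries the generic var_run_t label, where a file-context entry plus relabel is the safer fix than a blanket allow rule. The sample lines are the ones from this bug, re-joined onto one line each; `GENERIC_TARGET_TYPES` is an assumed list for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the four permissive-mode denials quoted in this bug, one per line.
SAMPLE = [
    "audit(1082384337.766:0): avc: denied { write } for pid=10888 exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=system_u:system_r:cupsd_t tcontext=root:object_r:var_run_t tclass=sock_file",
    "audit(1082384337.804:0): avc: denied { connectto } for pid=10888 exe=/usr/bin/ptal-connect path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=system_u:system_r:cupsd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket",
    "audit(1082384628.518:0): avc: denied { write } for pid=10937 exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=user_u:user_r:user_t tcontext=root:object_r:var_run_t tclass=sock_file",
    "audit(1082384628.519:0): avc: denied { connectto } for pid=10937 exe=/usr/bin/xsane-gimp path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=user_u:user_r:user_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket",
]

# Pre-auditd kernel format: "avc: denied { perms } for key=value key=value ...".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")
# Assumed list: generic types an application-specific socket should not carry. A denial
# against one of these usually means the object is mislabeled, not that a rule is missing.
GENERIC_TARGET_TYPES = {"var_run_t"}

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:range]; only the type matters for a TE allow rule.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def needs_relabel(rec):
    """True if the denied socket file carries a generic label instead of its own type."""
    return rec["tclass"] == "sock_file" and rec["ttype"] in GENERIC_TARGET_TYPES

def relabel_candidates(lines):
    """(exe, object, current type) for denials better fixed by a file-context entry."""
    return [(r["exe"], r.get("name") or r.get("path"), r["ttype"])
            for r in map(parse_avc, lines) if r and needs_relabel(r)]

def suggest_rules(lines):
    """Collapse denials into (source, target, class) groups and emit allow rules."""
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            perms[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in perms.items())

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE)), relabel_candidates(SAMPLE))
```

The two var_run_t rules it prints are exactly the ones a reviewer should refuse, since they would let cupsd_t and user_t write to every sock_file under /var/run; the relabel list points at the objects that need their own type instead.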
Created attachment 99995: policy-hpoj.patch

Here is a first stab at getting printing working, at least. How does it look? Should I try the same approach for scanning?
Created attachment 100034: policy-hpoj.patch

Here's a fixed version of the print patch.

For scanning I'm not sure what to do. Make xsane-gimp, xsane, scanimage et al. all 'scan_t' or something, and go from there? Or should we let user_t processes connect to ptal sockets (as normal)?

Created attachment 100118: policy-hpoj-fc.patch

Here's an incremental fix to correct the file contexts on /var/run/ptal-{printd,mlcd}/* if they already exist. (It's only a problem if you run setfiles on /var while hpoj is running.)
No idea what to do for scanning, as I mentioned in comment #5. Needs input from someone who has better judgment about policy.

Russell, do you have ideas on this?

We are working the scanning problem in #140059, so I am closing this bug report.

Description of problem:

The HP OfficeJet driver provides services through sockets, located in /var/run/ptal-printd and /var/run/ptal-mlcd. These are created post-install by running 'ptal-init setup', and are not in the package manifest.

So one example of something that fails is trying to scan. Start GIMP, go to 'Acquire->XSane device dialog', and among the audit messages is:

```
audit(1081182775.619:0): avc: denied { write } for pid=30702 exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017121 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_run_t tclass=sock_file
```

Version-Release number of selected component (if applicable):
hpoj-0.91-6
policy-1.9.2-11

How reproducible: 100%

What's the best way to fix this?