Bug 151475

Summary: Adding LPD printer through system-config-printer fails due to selinux
Product: [Fedora] Fedora
Reporter: Keith Sharp <kms>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
Severity: high
Priority: medium
Version: 4
CC: gerry, lux, twaugh
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-03-22 12:44:42 UTC

Description Keith Sharp 2005-03-18 12:44:52 UTC

Description of problem:
I don't seem to be able to add a remote LPD printer using
system-config-printer.  In the GUI I get the error:

        Unable to reserve port: Permission denied

when I try and print a test page.  In /var/log/audit.log I get the
following:

type=KERNEL msg=audit(1111142292.822:5285658): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=883 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=KERNEL msg=audit(1111142293.825:5287764): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=882 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=KERNEL msg=audit(1111142293.825:5287764): syscall=102 exit=-13 a0=2 a1=bfec7004 a2=bc7ff4 a3=372 items=0 pid=7333 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1111142294.827:5288825): syscall=102 exit=-13 a0=2 a1=bfec7004 a2=bc7ff4 a3=371 items=0 pid=7333 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1111142294.827:5288825): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=881 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=KERNEL msg=audit(1111142295.830:5290758): syscall=102 exit=-13 a0=2 a1=bfec7004 a2=bc7ff4 a3=370 items=0 pid=7333 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1111142295.830:5290758): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=880 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=KERNEL msg=audit(1111142296.833:5293169): syscall=102 exit=-13 a0=2 a1=bfec7004 a2=bc7ff4 a3=36f items=0 pid=7333 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1111142296.833:5293169): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=879 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=KERNEL msg=audit(1111142297.836:5294586): syscall=102 exit=-13 a0=2 a1=bfec7004 a2=bc7ff4 a3=36e items=0 pid=7333 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1111142297.836:5294586): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=878 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=KERNEL msg=audit(1111142298.839:5295089): syscall=102 exit=-13 a0=2 a1=bfec7004 a2=bc7ff4 a3=36d items=0 pid=7333 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1111142298.839:5295089): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=877 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=KERNEL msg=audit(1111142299.842:5297669): syscall=102 exit=-13 a0=2 a1=bfec7004 a2=bc7ff4 a3=36c items=0 pid=7333 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1111142299.842:5297669): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=876 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=KERNEL msg=audit(1111142300.845:5298902): syscall=102 exit=-13 a0=2 a1=bfec7004 a2=bc7ff4 a3=36b items=0 pid=7333 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1111142300.845:5298902): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=875 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=KERNEL msg=audit(1111142301.847:5300512): syscall=102 exit=-13 a0=2 a1=bfec7004 a2=bc7ff4 a3=36a items=0 pid=7333 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1111142301.847:5300512): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=874 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket

Version-Release number of selected component (if applicable):
selinux-policy-targeted-sources-1.23.2-1

How reproducible:
Always

Steps to Reproduce:
1. Fresh install of FC4T1
2. Run system-config-printer, entering root password if necessary
3. Add new remote LPD printer, finish by saying yes to "Print test page" question
  

Actual Results:  No test page is printed, error message in GUI printer list:

Unable to reserve port: Permission denied

Expected Results:  Test page should be printed, printer should be available for use.

Additional info:

This is a regression from FC3, printing with same printer and settings worked perfectly.

Comment 1 Gerry Tool 2005-03-18 13:52:39 UTC
I am having the same identical problem.  I filed bug #151345 against
system-config-printer.  This may be the better component for that bug

Comment 2 Tim Waugh 2005-03-18 14:11:32 UTC
*** Bug 151345 has been marked as a duplicate of this bug. ***

Comment 3 Tim Waugh 2005-03-18 14:12:57 UTC
I've merged these two bugs.  The actual change needs to happen in the SELinux
policy, since the lpd backend really does need to use port 515 for outbound
connections.

Comment 4 Tim Waugh 2005-03-18 16:29:10 UTC
Please run 'setenforce 0' and try again, and then post the resulting messages. 
Are there any new ones?

Comment 5 Keith Sharp 2005-03-18 16:46:12 UTC
After running "setenforce 0" I can add the printer and it will print the test
page.  I get the following in /var/log/audit.log:

type=KERNEL msg=audit(1111164267.701:10910176): item=1 inode=131075 dev=00:00
type=KERNEL msg=audit(1111164267.701:10910176): item=0 name=/bin/hostname
inode=229610 dev=00:00
type=KERNEL msg=audit(1111164267.701:10910176): syscall=11 exit=0 a0=9d888e0
a1=9d82dc0 a2=9a2c220 a3=9a2c25d items=2 pid=13683 loginuid=-1 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1111164267.701:10910176): avc:  denied  { write } for 
pid=13683 exe=/bin/hostname
path=/var/cache/alchemist/printconf.rpm/wm/_PRINTCONF_BACKEND_ dev=dm-4
ino=524334 scontext=root:system_r:hostname_t
tcontext=user_u:object_r:cupsd_rw_etc_t tclass=file
type=KERNEL msg=audit(1111164267.701:10910176): avc:  denied  { write } for 
pid=13683 exe=/bin/hostname path=pipe:[60342] dev=pipefs ino=60342
scontext=root:system_r:hostname_t tcontext=root:system_r:unconfined_t
tclass=fifo_file
type=KERNEL msg=audit(1111164267.701:10910176): avc:  denied  { read } for 
pid=13683 exe=/bin/hostname path=pipe:[60342] dev=pipefs ino=60342
scontext=root:system_r:hostname_t tcontext=root:system_r:unconfined_t
tclass=fifo_file
type=KERNEL msg=audit(1111164267.701:10910176): avc:  denied  { read } for 
pid=13683 exe=/bin/hostname
path=/var/cache/alchemist/printconf.rpm/wm/_PRINTCONF_BACKEND_ dev=dm-4
ino=524334 scontext=root:system_r:hostname_t
tcontext=user_u:object_r:cupsd_rw_etc_t tclass=file
type=KERNEL msg=audit(1111164267.701:10910176): avc:  denied  { read } for 
pid=13683 exe=/bin/hostname path=/usr/share/printconf/util/queueTree.py dev=dm-3
ino=2556993 scontext=root:system_r:hostname_t
tcontext=system_u:object_r:printconf_t tclass=file
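
Added example, not part of the bug thread: a Python triage helper that groups AVC denials such as those in the description and in comment 5 by source type, target type, class and permission, re-joining records that were hard-wrapped across lines. The sample records are copied from the logs above; the names `join_wrapped` and `summarize_denials` are hypothetical.

```python
import re
from collections import defaultdict

# Sample records copied from this report; the last one is wrapped as in comment 5.
SAMPLE = """\
type=KERNEL msg=audit(1111142292.822:5285658): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=883 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=KERNEL msg=audit(1111142293.825:5287764): avc:  denied  { name_bind } for pid=7333 exe=/usr/lib/cups/backend/lpd src=882 scontext=user_u:system_r:cupsd_t tcontext=system_u:object_r:reserved_port_t tclass=tcp_socket
type=KERNEL msg=audit(1111142293.825:5287764): syscall=102 exit=-13 a0=2 a1=bfec7004 a2=bc7ff4 a3=372 items=0 pid=7333 loginuid=-1 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
type=KERNEL msg=audit(1111164267.701:10910176): avc:  denied  { read } for
pid=13683 exe=/bin/hostname path=pipe:[60342] dev=pipefs ino=60342
scontext=root:system_r:hostname_t tcontext=root:system_r:unconfined_t
tclass=fifo_file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def join_wrapped(text):
    """Re-join hard-wrapped audit records; each record starts with 'type='."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize_denials(text):
    """Group AVC denials by (source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"count": 0, "exes": set(), "ports": set()})
    for rec in join_wrapped(text):
        m = AVC_RE.search(rec)
        if not m:
            continue  # syscall/item records carry no AVC decision
        kv = dict(f.split("=", 1) for f in m.group("rest").split() if "=" in f)
        src_type = kv["scontext"].split(":")[2]  # user:role:type
        tgt_type = kv["tcontext"].split(":")[2]
        for perm in m.group("perms").split():
            g = groups[(src_type, tgt_type, kv["tclass"], perm)]
            g["count"] += 1
            g["exes"].add(kv.get("exe", "?"))
            if "src" in kv:  # src= is the port named in the name_bind denial
                g["ports"].add(int(kv["src"]))
    return dict(groups)

if __name__ == "__main__":
    for (s, t, c, p), g in summarize_denials(SAMPLE).items():
        print(f"{s} -> {t}:{c} {{ {p} }} x{g['count']} exe={sorted(g['exes'])} ports={sorted(g['ports'])}")
```

Grouping this way separates the repeated `cupsd_t` port-binding denials from the unrelated `hostname_t` ones that only appeared after `setenforce 0`.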


Comment 6 Daniel Walsh 2005-03-18 20:01:37 UTC
The hostname bugs make no sense.  I have fixed the original
problem in selinux-policy-targeted-1.23.3-2.

Dan

Comment 7 Kim Lux 2005-03-18 22:01:17 UTC
Does this have anything to do with bug# 145292 ? 

Comment 8 Keith Sharp 2005-03-22 09:16:42 UTC
selinux-policy-targeted-1.23.3-2 fixes the original problem for me.  I can now
add a remote LPD printer using system-config-printer and print a test page.

Who is responsible for marking this bug as fixed?

Comment 9 Daniel Walsh 2005-03-22 12:44:42 UTC
Usually the poster if he is satisfied with the fix.