Bug 190897

Summary: net_raw access (to network printer) is denied to (python) hp-info
Product: [Fedora] Fedora Reporter: Ross Tyler <rossetyler>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-03-28 20:06:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Ross Tyler 2006-05-06 02:02:22 UTC
Description of problem:

I have an HP OfficeJet 7310xi network printer.
I can set it up using system-config-printer without a problem but there is no
way to use its other all-in-one features (scan, fax, etc.).
I should be able to use the HPLIP package to do this.

There are several problems involved with getting this to work.
The first problem is that there is not a PPD file for my printer under
/usr/share/foomatic/db/source/PPD/HP.
I know how to fix this:

foomatic-ppdfile -p HP-OfficeJet_7300 >
/usr/share/foomatic/db/source/PPD/HP/all_in_one/HP-OfficeJet_7300-hpijs.ppd

With a PPD file I can use hp-setup or cups add printer to add a printer.
I can print but I can't do too much else due to selinux policy problems.

When I do an hp-info on the device, it fails with a "Device not found" error.

hp-info -dhp:/net/Officejet_7300_series?ip=192.168.0.5

I also get the following /var/log/messages:

May  5 18:57:29 localhost kernel: audit(1146880649.326:549): avc:  denied  {
net_raw } for  pid=4157 comm="python" capability=13
scontext=root:system_r:hplip_t:s0 tcontext=root:system_r:hplip_t:s0
tclass=capability

When I run hp-toolbox, the HPLIP hpssd process dies (can restart with service
hplip restart).
I get something like the following in /var/log/messages:

May  5 19:03:14 localhost python: hpssd [FATAL] Traceback (innermost last):  
File "./hpssd.py", line 1385, in main     loop(timeout=0.5)   File "./hpssd.py",
line 283, in loop     obj.handle_read_event()   File "./hpssd.py", line 433, in
handle_read_event     self.handle_read()   File "./hpssd.py", line 639, in
handle_read     self.handlers.get(msg_type, self.handle_unknown)()   File
"./hpssd.py", line 1027, in handle_event     loopback_trigger.pull_trigger()  
File "./hpssd.py", line 520, in pull_trigger     os.write(self.trigger, '.') 
OSError: [Errno 13] Permission denied
May  5 19:03:14 localhost kernel: audit(1146880994.388:561): avc:  denied  {
net_raw } for  pid=4291 comm="python" capability=13
scontext=root:system_r:hplip_t:s0 tcontext=root:system_r:hplip_t:s0
tclass=capability
May  5 19:03:14 localhost kernel: audit(1146880994.392:562): avc:  denied  {
write } for  pid=4291 comm="python" name="[14737]" dev=pipefs ino=14737
scontext=root:system_r:hplip_t:s0 tcontext=root:system_r:hplip_t:s0 tclass=fifo_file
May  5 19:03:14 localhost python: toolbox [WARN] Device not found

When I disable selinux (setenforce 0), both of these commands work


Version-Release number of selected component (if applicable):

hplip-0.9.8-6
selinux-policy-targeted-2.2.23-15


How reproducible:


Steps to Reproduce:
see above
  
Actual results:


Expected results:


Additional info:

Comment 1 Ross Tyler 2006-05-06 19:33:33 UTC
When running xsane as a non-root user, I get

*** glibc detected *** xsane: munmap_chunk(): invalid pointer: 0x009c0097 ***
======= Backtrace: =========
/lib/libc.so.6(__libc_free+0x17b)[0x16851f]
...

as well as the follwing in /var/log/messages

May  6 12:39:43 localhost hpiod: ParDevice::nibble_read failed: Input/output error
May  6 12:39:43 localhost kernel: audit(1146944383.808:542): avc:  denied  {
name_connect } for  pid=5480 comm="hpiod" dest=9290
scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0
tclass=tcp_socket
May  6 12:39:43 localhost hpiod: unable to connect to scan err=13 port 9290
JetDirectChannel::Open: Permission denied
May  6 12:39:44 localhost hpiod: device cleanup
uri=hp:/net/Officejet_7300_series?ip=192.168.0.5

Comment 2 Ross Tyler 2006-05-06 20:41:18 UTC
# Disabling SELinux entirely or just setting a SELinux boolean to only
#       Disable SELinux protection for cups hplip daemon
# is a workaround to this problem.
# This may be done from the system-config-securitylevel or with setsebool:

        setsebool -P hplip_disable_trans=1
        service hplip restart


Comment 3 Daniel Walsh 2006-05-07 10:40:02 UTC
Fix yum update to the latest policy version which fixes your net_raw problem.

You can add the 9290 port to policy by executing

semanage port -a -t hplip_port_t -p tcp 9290

I will add this port in  selinux-policy-2.2.38-1.fc5

Comment 4 Ross Tyler 2006-05-07 17:43:20 UTC
I ran

    yum update selinux-policy

I then undid my workaround:

    setsebool -P hplip_disable_trans=1

and replaced it with yours

    semanage port -a -t hplip_port_t -p tcp 9290

I was able to recreate the print queue successfully, access the hp-toolbox and scan.
I was _not_ able to use hp-unload to access the memory card reader.
However, following your lead, I was able to fix this as well:

    semanage port -a -t hplip_port_t -p tcp 9220

Now everything seems to work.

Can I expect that both of these changes will be added to
selinux-policy-2.2.38-1.fc5?

Thanks!





Comment 5 Daniel Walsh 2006-05-09 13:03:31 UTC
Nope I missed 9220, I have updated rawhide with the following for hplib

network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,9100,s0,
tcp,9102,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0,
tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)

I think that covers them all.  I will add this update to FC5 in about a week.

Comment 6 Daniel Walsh 2007-03-28 20:06:27 UTC
Closing bugs