Bug 294731

Summary: CUPS/HPLIP changes needed
Product: [Fedora] Fedora Reporter: Tim Waugh <twaugh>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhide   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-09-28 13:20:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
policy-hplip.patch
none
policy-hplip.patch none

Description Tim Waugh 2007-09-18 14:00:18 UTC 
The /usr/lib/cups/backend/hp* CUPS backends need to be labelled as hplip_exec_t,
 since they need to be able to read /etc/hp/* and read/write /dev/bus/usb/*/*. 
Previously this was done by a daemon, but now it is done in a shared library.

/usr/bin/hp-* need to be labelled as hplip_exec_t as well, for the same reason.

This affects Fedora 8 only.
Comment 1 Daniel Walsh 2007-09-18 14:40:26 UTC 
Fixed in selinux-policy-3.0.8-2
Comment 2 Tim Waugh 2007-09-20 16:32:21 UTC 
Er.. really?

[root@rook backend]# restorecon -nv /usr/lib/cups/backend/hp* /usr/bin/hp-*
[root@rook backend]# rpm -q selinux-policy
selinux-policy-3.0.8-4.fc8
[root@rook backend]# ls -Z /usr/lib/cups/backend/hp* /usr/bin/hp-*
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-align ->
../share/hplip/align.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-clean ->
../share/hplip/clean.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-colorcal ->
../share/hplip/colorcal.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-fab ->
../share/hplip/fab.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-firmware ->
../share/hplip/firmware.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-info ->
../share/hplip/info.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-levels ->
../share/hplip/levels.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-makecopies ->
../share/hplip/makecopies.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-makeuri ->
../share/hplip/makeuri.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-probe ->
../share/hplip/probe.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-scan ->
../share/hplip/scan.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-sendfax ->
../share/hplip/sendfax.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-setup ->
../share/hplip/setup.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-testpage ->
../share/hplip/testpage.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-timedate ->
../share/hplip/timedate.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-unload ->
../share/hplip/unload.py
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/lib/cups/backend/hp
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/lib/cups/backend/hpfax

These should all be hplip_exec_t.  This is a separate change from the one
discussed on the mailing list a couple of days ago.
Comment 3 Daniel Walsh 2007-09-21 19:39:39 UTC 
Fixed in selinux-policy*3.0.8-7.fc8.noarch.rpm
Comment 4 Tim Waugh 2007-09-24 16:40:19 UTC 
* Fri Sep 21 2007 Dan Walsh <dwalsh> 3.0.8-7
- Allow cupsd_config_t to read/write usb_device_t

Dan, this is incorrect.  We don't really want cupsd to be able to do this.

The way it needs to happen is that cupsd (running as cupsd_t) needs to be able
to execute programs that are labelled hplip_exec_t.
Comment 5 Daniel Walsh 2007-09-24 20:41:26 UTC 
Fixed in selinux-policy-3.0.8-11 
cups will now transition hplip_t when running exec_t.
Comment 6 Tim Waugh 2007-09-25 13:40:33 UTC 
Created attachment 205461 [details]
policy-hplip.patch

Thanks.  It nearly works now; this patch (attached) fixes the rest now.

The only problems I get now are from HPLIP trying to read config files in its
home directory when running from CUPS (again!!).  I'll look at fixing those in
hplip next.
Comment 7 Tim Waugh 2007-09-28 12:42:44 UTC 
*sigh*
I found some more changes needed:

* the /usr/bin/hp-* files are actually symlinks, so I've changed the file
contexts pattern to match the targets of the links

* hal_lpadmin now invokes the hp-* programs directly, and so we need to
transition to the right domain
Comment 8 Tim Waugh 2007-09-28 12:43:31 UTC 
Created attachment 210221 [details]
policy-hplip.patch

Relative to 3.0.8-14.fc8.
Comment 9 Tim Waugh 2007-09-28 12:44:57 UTC 
The last remaining message is this one:

type=AVC msg=audit(1190981734.866:457): avc:  denied  { use } for  pid=23880
comm="hp-probe" path="/dev/null" dev=tmpfs ino=217
scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fd

This seems to be when hald runs hal_lpadmin (cupsd_config_t), which runs
hp-probe (hplip_t) -- but I can't quite figure out exactly what's causing it or
how to stop it.
Comment 10 Daniel Walsh 2007-09-28 13:20:32 UTC 
Added	hal_dontaudit_use_fds(hplip_t)

Hal is reassiging stdout/stderr to an open file descriptor, Probably a log file.

Other fixes added to 

selinux-policy-3.0.8-15