Description of problem:
The HP OfficeJet driver provides services through sockets, located in /var/run/ptal-printd and /var/run/ptal-mlcd. These are created post-install by running 'ptal-init setup', and are not in the package manifest.

So one example of something that fails is trying to scan. Start GIMP, go to 'Acquire->XSane device dialog', and among the audit messages is:

audit(1081182775.619:0): avc: denied { write } for pid=30702 exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017121 scontext=user_u:user_r:user_t tcontext=system_u:object_r:var_run_t tclass=sock_file

Version-Release number of selected component (if applicable):
hpoj-0.91-6
policy-1.9.2-11

How reproducible:
100%

What's the best way to fix this?
Here's another audit message. This comes from trying to print to an HP all-in-one:

audit(1081184286.786:0): avc: denied { write } for pid=30952 exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2 ino=1017121 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:var_run_t tclass=sock_file
For completeness, here are the audit messages from permissive mode, so we can see all the hurdles at once.

Printing something:

audit(1082384337.766:0): avc: denied { write } for pid=10888 exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=system_u:system_r:cupsd_t tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384337.804:0): avc: denied { connectto } for pid=10888 exe=/usr/bin/ptal-connect path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=system_u:system_r:cupsd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket

And scanning:

audit(1082384628.518:0): avc: denied { write } for pid=10937 exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=user_u:user_r:user_t tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384628.519:0): avc: denied { connectto } for pid=10937 exe=/usr/bin/xsane-gimp path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=user_u:user_r:user_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket

So what's the best way to fix this, do you think?
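The four permissive-mode denials above are exactly the kind of input audit2allow turns into allow rules, and reading them the same way makes the policy question concrete. The following is an added example, not code from the bug report or from the hpoj or policy packages: it parses AVC lines into (source type, target type, class, permissions) tuples, prints the literal allow rules that would silence each denial, and flags the ones whose target is a generic type. The sample lines are the ones quoted in the comment, embedded here as constructed input; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC denials quoted in the comment above,
# one per line. Not live audit output.
SAMPLE_AVCS = """\
audit(1082384337.766:0): avc: denied { write } for pid=10888 exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=system_u:system_r:cupsd_t tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384337.804:0): avc: denied { connectto } for pid=10888 exe=/usr/bin/ptal-connect path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=system_u:system_r:cupsd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
audit(1082384628.518:0): avc: denied { write } for pid=10937 exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=user_u:user_r:user_t tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384628.519:0): avc: denied { connectto } for pid=10937 exe=/usr/bin/xsane-gimp path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=user_u:user_r:user_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
"""

# "avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {}
    for token in m.group("fields").split():
        # Values such as path=/var/run/ptal-mlcd/usb:PSC_2200_Series
        # contain colons, so split on the first '=' only.
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    try:
        # A context is user:role:type[:level]; the type is field 2.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {"perms": perms, "stype": stype, "ttype": ttype,
            "tclass": tclass, "fields": fields}


def collect_rules(text):
    """Group permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        denial = parse_avc(line)
        if denial:
            key = (denial["stype"], denial["ttype"], denial["tclass"])
            rules[key].update(denial["perms"])
    return rules


def format_rule(key, perms):
    stype, ttype, tclass = key
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass,
                                        " ".join(sorted(perms)))


def suggested_rules(text):
    """The literal allow rules that would silence every denial in text."""
    return [format_rule(k, v) for k, v in sorted(collect_rules(text).items())]


def flag_generic_targets(text, generic=("var_run_t", "initrc_t")):
    """Rules whose target is a catch-all type. Granting these as written
    reaches every var_run_t sock_file or initrc_t socket on the box, not
    just the ptal ones; a dedicated type for the ptal sockets is narrower."""
    return [r for r in suggested_rules(text)
            if any(" %s:" % g in r for g in generic)]


if __name__ == "__main__":
    for rule in suggested_rules(SAMPLE_AVCS):
        marker = "  # broad target" if rule in flag_generic_targets(SAMPLE_AVCS) else ""
        print(rule + marker)
```

Run against the sample, every one of the four rules is flagged: the sockets carry var_run_t only because nothing in the file contexts claims /var/run/ptal-*, and the listening process is initrc_t because ptal-init is started by an init script. Labelling the directories (and the daemon) with their own types is what keeps the resulting allow rules scoped to the printer rather than to everything under /var/run.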
Created attachment 99995: policy-hpoj.patch

Here is a first stab at getting printing working, at least. How does it look? Should I try the same approach for scanning?
Created attachment 100034: policy-hpoj.patch

Here's a fixed version of the print patch.
For scanning I'm not sure what to do. Make xsane-gimp, xsane, scanimage et al all 'scan_t' or something, and go from there? Or should we let user_t processes connect to ptal sockets (as normal)?
Created attachment 100118: policy-hpoj-fc.patch

Here's an incremental fix to correct the file contexts on /var/run/ptal-{printd,mlcd}/* if they already exist. (It's only a problem if you run setfiles on /var while hpoj is running.)
No idea what to do for scanning, as I mentioned in comment #5. Needs input from someone who has better judgment about policy.
Russell do you have ideas on this?
We are working the scanning problem in #140059, so I am closing this bug report.