Bug 120054 - user_r cannot connect to socket
user_r cannot connect to socket
Product: Fedora
Classification: Fedora
Component: hpoj (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Russell Coker
: SELinux
Depends On:
Blocks: FC2Target FC3Target FC4Target
  Show dependency treegraph
Reported: 2004-04-05 12:50 EDT by Tim Waugh
Modified: 2007-11-30 17:10 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-12-02 10:58:25 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
policy-hpoj.patch (1.60 KB, patch)
2004-05-05 13:20 EDT, Tim Waugh
no flags Details | Diff
policy-hpoj.patch (1.63 KB, patch)
2004-05-06 05:23 EDT, Tim Waugh
no flags Details | Diff
policy-hpoj-fc.patch (544 bytes, patch)
2004-05-10 05:47 EDT, Tim Waugh
no flags Details | Diff

  None (edit)
Description Tim Waugh 2004-04-05 12:50:32 EDT
Description of problem:
The HP OfficeJet driver provides services through sockets, located in
/var/run/ptal-printd and /var/run/ptal-mlcd.  These are created
post-install by running 'ptal-init setup', and are not in the package

So one example of something that fails is trying to scan.  Start GIMP,
go to 'Acquire->XSane device dialog', and among the audit messages is:

audit(1081182775.619:0): avc:  denied  { write
} for  pid=30702 exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series
dev=hda2 ino=1017121 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:var_run_t tclass=sock_file

Version-Release number of selected component (if applicable):

How reproducible:

What's the best way to fix this?
Comment 1 Tim Waugh 2004-04-05 12:53:20 EDT
Here's another audit message.  This comes from trying to print to an
HP all-in-one:

audit(1081184286.786:0): avc:  denied  { write } for  pid=30952
exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2
ino=1017121 scontext=system_u:system_r:cupsd_t
tcontext=system_u:object_r:var_run_t tclass=sock_file
Comment 2 Tim Waugh 2004-04-19 10:19:38 EDT
For completeness here are the audit messages from permissive mode, so
we can see all the hurdles at once.

Printing something:

audit(1082384337.766:0): avc:  denied  { write } for  pid=10888
exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2
ino=1017118 scontext=system_u:system_r:cupsd_t
tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384337.804:0): avc:  denied  { connectto } for  pid=10888
exe=/usr/bin/ptal-connect path=/var/run/ptal-mlcd/usb:PSC_2200_Series
scontext=system_u:system_r:cupsd_t tcontext=root:system_r:initrc_t

And scanning:

audit(1082384628.518:0): avc:  denied  { write } for  pid=10937
exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017118
scontext=user_u:user_r:user_t tcontext=root:object_r:var_run_t
audit(1082384628.519:0): avc:  denied  { connectto } for  pid=10937
exe=/usr/bin/xsane-gimp path=/var/run/ptal-mlcd/usb:PSC_2200_Series
scontext=user_u:user_r:user_t tcontext=root:system_r:initrc_t

So what's the best way to fix this do you think?
Comment 3 Tim Waugh 2004-05-05 13:20:45 EDT
Created attachment 99995 [details]

Here is a first stab at getting printing working, at least.  How does it look? 
Should I try the same approach for scanning?
Comment 4 Tim Waugh 2004-05-06 05:23:28 EDT
Created attachment 100034 [details]

Here's a fixed version of the print patch.
Comment 5 Tim Waugh 2004-05-06 05:29:00 EDT
For scanning I'm not sure what to do.  Make xsane-gimp, xsane,
scanimage et al all 'scan_t' or something, and go from there?

Or should we let user_t processes connect to ptal sockets (as normal)?
Comment 6 Tim Waugh 2004-05-10 05:47:30 EDT
Created attachment 100118 [details]

Here's an incremental fix to correct the file contexts on
/var/run/ptal-{printd,mlcd}/* if they already exist. (It's only a problem if
you run setfiles on /var while hpoj is running.)
Comment 7 Tim Waugh 2004-08-24 12:02:44 EDT
No idea what to do for scanning, as I mentioned in comment #5.  Needs
input from someone who has better judgment about policy.
Comment 8 Daniel Walsh 2004-08-25 11:44:22 EDT
Russell do you have ideas on this?
Comment 9 Daniel Walsh 2004-12-02 10:58:25 EST
We are working the scanning problem in #140059

So I am closing this bug report.

Note You need to log in before you can comment on or make changes to this bug.