Bug 120054 - user_r cannot connect to socket
Summary: user_r cannot connect to socket
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: hpoj
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Russell Coker
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: FC2Target FC3Target FC4Target
Reported: 2004-04-05 16:50 UTC by Tim Waugh
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-12-02 15:58:25 UTC


Attachments
policy-hpoj.patch (1.60 KB, patch) - 2004-05-05 17:20 UTC, Tim Waugh
policy-hpoj.patch (1.63 KB, patch) - 2004-05-06 09:23 UTC, Tim Waugh
policy-hpoj-fc.patch (544 bytes, patch) - 2004-05-10 09:47 UTC, Tim Waugh

Description Tim Waugh 2004-04-05 16:50:32 UTC
Description of problem:
The HP OfficeJet driver provides services through sockets, located in
/var/run/ptal-printd and /var/run/ptal-mlcd.  These are created
post-install by running 'ptal-init setup', and are not in the package
manifest.

So one example of something that fails is trying to scan.  Start GIMP,
go to 'Acquire->XSane device dialog', and among the audit messages is:

audit(1081182775.619:0): avc:  denied  { write
} for  pid=30702 exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series
dev=hda2 ino=1017121 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:var_run_t tclass=sock_file

Version-Release number of selected component (if applicable):
hpoj-0.91-6
policy-1.9.2-11

How reproducible:
100%

What's the best way to fix this?

Comment 1 Tim Waugh 2004-04-05 16:53:20 UTC
Here's another audit message.  This comes from trying to print to an
HP all-in-one:

audit(1081184286.786:0): avc:  denied  { write } for  pid=30952
exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2
ino=1017121 scontext=system_u:system_r:cupsd_t
tcontext=system_u:object_r:var_run_t tclass=sock_file

Comment 2 Tim Waugh 2004-04-19 14:19:38 UTC
For completeness here are the audit messages from permissive mode, so
we can see all the hurdles at once.

Printing something:

audit(1082384337.766:0): avc:  denied  { write } for  pid=10888
exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2
ino=1017118 scontext=system_u:system_r:cupsd_t
tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384337.804:0): avc:  denied  { connectto } for  pid=10888
exe=/usr/bin/ptal-connect path=/var/run/ptal-mlcd/usb:PSC_2200_Series
scontext=system_u:system_r:cupsd_t tcontext=root:system_r:initrc_t
tclass=unix_stream_socket

And scanning:

audit(1082384628.518:0): avc:  denied  { write } for  pid=10937
exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017118
scontext=user_u:user_r:user_t tcontext=root:object_r:var_run_t
tclass=sock_file
audit(1082384628.519:0): avc:  denied  { connectto } for  pid=10937
exe=/usr/bin/xsane-gimp path=/var/run/ptal-mlcd/usb:PSC_2200_Series
scontext=user_u:user_r:user_t tcontext=root:system_r:initrc_t
tclass=unix_stream_socket

So what's the best way to fix this do you think?
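Added example, not part of the bug report or of the hpoj policy patches attached to it: a small Python script that re-joins the wrapped AVC lines quoted in comment 2, parses each denial, and aggregates them into the allow rules the denials literally call for. It also shows why those literal rules are the wrong fix: `allow user_t var_run_t:sock_file write;` would let every user_t process write to any socket under /var/run, which is why the patches give the ptal sockets their own file context (comment 6 restores exactly that). The type name `hpoj_var_run_t` used for the relabel is a hypothetical placeholder, not a name taken from the patches.

```python
import re
from collections import defaultdict

# Constructed sample: the four denials from comment 2, wrapped exactly as
# they appear on the page (a real log would have one record per line).
SAMPLE_AVC = """
audit(1082384337.766:0): avc:  denied  { write } for  pid=10888
exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2
ino=1017118 scontext=system_u:system_r:cupsd_t
tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384337.804:0): avc:  denied  { connectto } for  pid=10888
exe=/usr/bin/ptal-connect path=/var/run/ptal-mlcd/usb:PSC_2200_Series
scontext=system_u:system_r:cupsd_t tcontext=root:system_r:initrc_t
tclass=unix_stream_socket
audit(1082384628.518:0): avc:  denied  { write } for  pid=10937
exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017118
scontext=user_u:user_r:user_t tcontext=root:object_r:var_run_t
tclass=sock_file
audit(1082384628.519:0): avc:  denied  { connectto } for  pid=10937
exe=/usr/bin/xsane-gimp path=/var/run/ptal-mlcd/usb:PSC_2200_Series
scontext=user_u:user_r:user_t tcontext=root:system_r:initrc_t
tclass=unix_stream_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def join_wrapped(text):
    """Re-join records that were wrapped for display: a line that does not
    start a new audit record is a continuation of the previous one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("audit(") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_avc(text):
    """Return one dict per denial with the key=value fields of the record
    plus 'perms' (list of denied permissions)."""
    denials = []
    for record in join_wrapped(text):
        m = AVC_RE.search(record)
        if not m:
            continue  # not an AVC denial line
        fields = dict(KV_RE.findall(m.group("rest")))
        fields["perms"] = m.group("perms").split()
        denials.append(fields)
    return denials


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    return context.split(":")[2]


def allow_rules(denials, relabel=None):
    """Aggregate denials into 'allow src tgt:class perms;' rules.

    relabel maps (target_type, tclass) to a more specific target type, so the
    rule is written against a dedicated label instead of the generic one the
    object happened to carry when the denial was logged."""
    relabel = relabel or {}
    grouped = defaultdict(set)
    for d in denials:
        src = type_of(d["scontext"])
        tgt = type_of(d["tcontext"])
        tgt = relabel.get((tgt, d["tclass"]), tgt)
        grouped[(src, tgt, d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


# Hypothetical dedicated type for the ptal sockets (placeholder name, not
# taken from the hpoj policy patches).
HPOJ_RELABEL = {("var_run_t", "sock_file"): "hpoj_var_run_t"}

if __name__ == "__main__":
    denials = parse_avc(SAMPLE_AVC)
    print("# literal rules (overbroad: var_run_t covers every socket in /var/run)")
    for rule in allow_rules(denials):
        print(rule)
    print("# with the ptal sockets given their own type")
    for rule in allow_rules(denials, HPOJ_RELABEL):
        print(rule)
```

The connectto denials are against initrc_t because ptal-mlcd was started from an init script and inherited that domain; a rule allowing user_t to connect to initrc_t sockets would be just as broad as the var_run_t one, which is the open question the thread leaves for the scanning side.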

Comment 3 Tim Waugh 2004-05-05 17:20:45 UTC
Created attachment 99995 [details]
policy-hpoj.patch

Here is a first stab at getting printing working, at least.  How does it look?
Should I try the same approach for scanning?

Comment 4 Tim Waugh 2004-05-06 09:23:28 UTC
Created attachment 100034 [details]
policy-hpoj.patch

Here's a fixed version of the print patch.

Comment 5 Tim Waugh 2004-05-06 09:29:00 UTC
For scanning I'm not sure what to do.  Make xsane-gimp, xsane,
scanimage et al all 'scan_t' or something, and go from there?

Or should we let user_t processes connect to ptal sockets (as normal)?

Comment 6 Tim Waugh 2004-05-10 09:47:30 UTC
Created attachment 100118 [details]
policy-hpoj-fc.patch

Here's an incremental fix to correct the file contexts on
/var/run/ptal-{printd,mlcd}/* if they already exist. (It's only a problem if
you run setfiles on /var while hpoj is running.)

Comment 7 Tim Waugh 2004-08-24 16:02:44 UTC
No idea what to do for scanning, as I mentioned in comment #5.  Needs
input from someone who has better judgment about policy.

Comment 8 Daniel Walsh 2004-08-25 15:44:22 UTC
Russell do you have ideas on this?

Comment 9 Daniel Walsh 2004-12-02 15:58:25 UTC
We are working the scanning problem in #140059

So I am closing this bug report.
