Description of problem: We have 2 problems. 1. The file /usr/lib/cups/backend/boomaga in the RPM package has the wrong permissions. It should have have 700(rwx------) permissions. Here is a quote from the CUPS man backend: > Permissions > Backends without world read and execute permissions are run as the root user. > Otherwise, the backend is run using an unprivileged user account, typically "lp". > https://www.cups.org/doc/man-backend.html 2. The /usr/lib64/boomaga/boomagabackend requires SELinux policy. It requires Write to ~/.cache directory Send DBus messages How reproducible: always Steps to Reproduce: The first problem. 1. sudo dnf install boomaga 2. Print to virtual printer (tried Firefox and Chrome) 3. lpr /usr/share/doc/boomaga/README.md Actual results: System-config-printer GUI gives printer state error. In the cups logs we can found 'Can't change GID to 1000: Operation not permitted' line. The second problem. 1. chmod chmod 700 /usr/lib/cups/backend/boomaga 2. cupsenable boomaga 3. lpr /usr/share/doc/boomaga/README.md Actual results: - if SELinux is set to Enforcing, nothing is printed and the boomaga virtual printer is immediately disabled. Error conditions are logged by SELinux. - if SELinux is set to Permissive, the document is correctly printed but error conditions are still logged. Additional info: Issue on github https://github.com/Boomaga/boomaga/issues/43 I am the author of the program, and willing to answer questions.
I've started creating a selinux package for boomage, unfortunately without success: https://martinkg.fedorapeople.org/Review/test/boomaga/
@MartinKG Maybe following information will help for you. Package cups-pdf has similar requirements and has correct SELinux policy. The difference is that cups-pdf writes files to the user desktop instead of ~/.cache.
boomaga-0.8.0-6.git97f52c1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-da50adf63e
boomaga-0.8.0-6.git97f52c1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d0871e3fd
boomaga-0.8.0-6.git97f52c1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5d0871e3fd
boomaga-0.8.0-6.git97f52c1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-da50adf63e
boomaga-0.8.0-6.git97f52c1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
boomaga-0.8.0-8.gitb495615.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5bd6a83c49
boomaga-0.8.0-8.gitb495615.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5bd6a83c49
boomaga-0.8.0-8.gitb495615.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
I can print to boomaga printer, but with a delay about 30 seconds per task. SELinux Troubleshooter reports an error. SELinux is preventing boomagabackend from 'sys_ptrace' accesses on the cap_userns Unknown. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that boomagabackend should be allowed sys_ptrace access on the Unknown cap_userns by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'boomagabackend' --raw | audit2allow -M my-boomagabackend # semodule -X 300 -i my-boomagabackend.pp Additional Information: Source Context system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 Target Context system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 Target Objects Unknown [ cap_userns ] Source boomagabackend Source Path boomagabackend Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-225.11.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.9.14-200.fc25.x86_64 #1 SMP Mon Mar 13 19:26:40 UTC 2017 x86_64 x86_64 Alert Count 3 First Seen 2017-03-25 00:29:09 MSK Last Seen 2017-03-25 00:32:12 MSK Local ID 531f80ea-deab-40c6-9bd0-c7375eef6639 Raw Audit Messages type=AVC msg=audit(1490391132.808:798): avc: denied { sys_ptrace } for pid=12332 comm="boomagabackend" capability=19 scontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tcontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1 Hash: boomagabackend,boomaga_cups_t,boomaga_cups_t,cap_userns,sys_ptrace
i post a comment from Lukas Vrabec on the Fedora selinux forum: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org/thread/VUOKKV77ETH45QIFED2XZWHEIAUJARND/ boomaga SELinux module is not part of selinux-policy package, which means it's not maintained by Fedora SELinux team. I cloned boomaga repo and boomaga policy is part of permissivedomains, which means that boomaga rules won't be enforced by kernel, even if your system is in enforcing state. If you would like to fix this issue you can create local module: $ cat boomaga_local.cil (allow boomaga_cups_t boomaga_cups_t(cap_userns (sys_ptrace))) # semodule -i boomaga_local.cil #
new comment form Lukas Vrabec on the Fedora selinux forum: Update your boomaga_local.cil file: $ cat boomaga_local.cil (allow boomaga_cups_t boomaga_cups_t(cap_userns (sys_ptrace))) (allow systemd_logind_t boomaga_cups_t(dbus (send_msg))) and load it again: # semodule -i boomaga_local.cil
Thank you for supporting this issue. I got another bunch of errors, but I tried to solve it myself. $ journalctl -b Apr 04 19:17:47 magnolia.home.lan audit[938]: USER_AVC pid=938 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied {send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Introspectable member=Introspect dest=org.freedesktop.login1 spid=5692 tpid=952 scontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' $ cat boomaga_local.cil (allow boomaga_cups_t boomaga_cups_t(cap_userns (sys_ptrace))) (allow systemd_logind_t boomaga_cups_t(dbus (send_msg))) (allow boomaga_cups_t systemd_logind_t(dbus (send_msg))) $ sudo semodule -i boomaga_local.cil $ journalctl -b Apr 04 19:30:48 magnolia.home.lan dbus-daemon[1597]: avc: denied { send_msg } for msgtype=method_call interface=org.boomaga member=add dest=org.boomaga spid=6894 tpid=6852 scontext=system_u:system_r:boomaga_cups_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dbus $ cat boomaga_local.cil (allow boomaga_cups_t boomaga_cups_t(cap_userns (sys_ptrace))) (allow systemd_logind_t boomaga_cups_t(dbus (send_msg))) (allow boomaga_cups_t systemd_logind_t(dbus (send_msg))) (allow boomaga_cups_t unconfined_t(dbus (send_msg))) $ sudo semodule -i boomaga_local.cil Printing to boomaga is working without errors and delays now.
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
This issue is still present on Fedora 36. After installing the `boomaga-selinux` package I still get the following SELinux errors: ``` SELinux is preventing boomaga from setattr access on the directory /var/cache/boomaga/chris. ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow boomaga to have setattr access on the chris directory Then you need to change the label on /var/cache/boomaga/chris Do # semanage fcontext -a -t FILE_TYPE '/var/cache/boomaga/chris' where FILE_TYPE is one of the following: cupsd_etc_t, cupsd_log_t, cupsd_rw_etc_t, cupsd_tmp_t, cupsd_var_run_t, fonts_cache_t, print_spool_t. Then execute: restorecon -v '/var/cache/boomaga/chris' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that boomaga should be allowed setattr access on the chris directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'boomaga' --raw | audit2allow -M my-boomaga # semodule -X 300 -i my-boomaga.pp Additional Information: Source Context system_u:system_r:cupsd_t:s0-s0:c0.c1023 Target Context system_u:object_r:var_t:s0 Target Objects /var/cache/boomaga/chris [ dir ] Source boomaga Source Path boomaga Port <Unknown> Host fedora Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-36.8-2.fc36.noarch Local Policy RPM selinux-policy-targeted-36.8-2.fc36.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name fedora Platform Linux fedora 5.17.7-300.fc36.x86_64 #1 SMP PREEMPT Thu May 12 14:56:44 UTC 2022 x86_64 x86_64 Alert Count 1 First Seen 2022-05-18 09:25:42 CEST Last Seen 2022-05-18 09:25:42 CEST Local ID fcf9d05e-bd5b-4ef6-8a1f-a9a1f94705ff Raw Audit Messages type=AVC msg=audit(1652858742.233:473): avc: denied { setattr } for pid=16952 comm="boomaga" name="chris" dev="nvme0n1p7" ino=2129750 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0 Hash: boomaga,cupsd_t,var_t,dir,setattr ```
@entodoays you opened a upstream ticket https://github.com/Boomaga/boomaga/issues/115
It is true that I opened the upstream ticket, but the developer answered with, "Unfortunately I don't have enough time to support this project. Excuse me!". So it is unlikely that anything gets solved there.