Bug 160343 - HPLIP support
HPLIP support
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-14 11:48 EDT by Tim Waugh
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-27 16:39:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
selinux-hplip.patch (2.47 KB, patch)
2005-06-14 11:48 EDT, Tim Waugh
no flags Details | Diff

  None (edit)
Description Tim Waugh 2005-06-14 11:48:53 EDT
Description of problem:
This patch adds support for HPLIP, the new replacement for HPOJ/PTAL.

Does it look okay?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6

(I would also like to be able to release HPLIP packages for Fedora Core 4 at
some point.)
Comment 1 Tim Waugh 2005-06-14 11:48:53 EDT
Created attachment 115415 [details]
selinux-hplip.patch
Comment 2 Daniel Walsh 2005-06-14 12:42:25 EDT
Ok I trimmed it down to the following, but what ports does it need to connect too?

This rule allows it to connect to any port?
allow hplip_t port_t:tcp_socket name_connect;

# HPLIP
daemon_domain(hplip)
etcdir_domain(hplip)
allow hplip_t etc_t:file r_file_perms;
allow hplip_t printer_device_t:chr_file rw_file_perms;
allow cupsd_t hplip_var_run_t:file { read getattr };
allow hplip_t cupsd_etc_t:dir search;
can_network_client(hplip_t)
allow hplip_t ipp_port_t:tcp_socket name_connect;

# Uses networking to talk to the daemons
allow hplip_t self:unix_dgram_socket create_socket_perms;
allow hplip_t self:unix_stream_socket create_socket_perms;
allow hplip_t port_t:tcp_socket name_connect;

# for python
can_exec(hplip_t, bin_t)
allow hplip_t { sbin_t bin_t }:dir search;
allow hplip_t self:file { getattr read };
allow hplip_t proc_t:file r_file_perms;
allow hplip_t urandom_device_t:chr_file { getattr read };
allow hplip_t usr_t:{ file lnk_file } r_file_perms;
Comment 3 Tim Waugh 2005-06-14 12:56:17 EDT
Thanks.  It also needs this:

can_network_server(hplip_t)  [hpiod and hpssd]

(Didn't know those macros..)

As for which port, there are two: one for hpiod and one for hpssd.  They can be
configured to be particular ports, but by default they are both dynamic (and the
actual port numbers stored in /var/run/hpiod.port and /var/run/hpssd.port).

Should I get some static port numbers assigned?
Comment 4 Daniel Walsh 2005-06-15 10:40:25 EDT
Yes we need to fix these ports in order to better secure the application.

If the app is both a server and a client you can just call 

can_network(hplip_t)

I need the port numbers of what the server binds to, and what the client
connects to.  If they are the same, so much the better.

What are the default ports you are using now?
Comment 5 Tim Waugh 2005-06-15 11:03:31 EDT
The servers can listen on TCP ports 50000 and 50002, and the clients will
connect to both those ports.  These are the upstream default static port numbers
(although the upstream default is to use dynamic port numbers instead).
Comment 6 Daniel Walsh 2005-06-15 14:40:36 EDT
Fixed in selinux-policy-targeted-1.23.18-7
Comment 7 David Highley 2005-06-23 23:07:38 EDT
If it was fixed in selinux-policy-targeted-1.23.18-7 it is now broke again in
selinux-policy-targeted-1.23.18-12. I had to drop selinux back to permissive or
I could not add an hplip uri via cups.
Comment 8 Daniel Walsh 2005-06-24 07:15:02 EDT
What AVC messages are you seeing?
Comment 9 David Highley 2005-06-25 23:44:20 EDT
I hope this is the right one, the log is hard to read an no apparent date time info.

type=AVC_PATH msg=audit(1119579156.548:93822):  path="/var/run/hpiod.port"
type=SYSCALL msg=audit(1119579156.548:93822): arch=c000003e syscall=5 success=ye
s exit=0 a0=0 a1=7fffffd0b7c0 a2=7fffffd0b7c0 a3=0 items=0 pid=3234 auid=4294967
295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hp" exe="/usr/
lib64/cups/backend/hp"
type=AVC msg=audit(1119579156.548:93822): avc:  denied  { getattr } for  pid=323
4 comm="hp" name=hpiod.port dev=dm-0 ino=29230111 scontext=system_u:system_r:cup
sd_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
type=PATH msg=audit(1119579156.548:93821): item=0 name="/var/run/hpiod.port" ino
de=29230111 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1119579156.548:93821): arch=c000003e syscall=2 success=ye
s exit=0 a0=403396 a1=0 a2=1b6 a3=0 items=1 pid=3234 auid=4294967295 uid=0 gid=0
 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hp" exe="/usr/lib64/cups/back
end/hp"

type=PATH msg=audit(1119414575.762:9696407): item=1 name="/etc/cups/printers.con
f.O" inode=33358702 dev=fd:00 mode=040775 ouid=0 ogid=3 rdev=00:00
type=PATH msg=audit(1119414575.762:9696407): item=0 name="/etc/cups/printers.con
f" inode=33358702 dev=fd:00 mode=040775 ouid=0 ogid=3 rdev=00:00
type=SYSCALL msg=audit(1119414575.762:9696407): arch=c000003e syscall=82 success
=no exit=-13 a0=7fffff844ba0 a1=7fffff8447a0 a2=19 a3=2aaaaaac5000 items=2 pid=7
683 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm
="cupsd" exe="/usr/sbin/cupsd"
type=AVC msg=audit(1119414575.762:9696407): avc:  denied  { rename } for  pid=76
83 comm="cupsd" name=printers.conf dev=dm-0 ino=33358706 scontext=root:system_r:
cupsd_t tcontext=system_u:object_r:cupsd_etc_t tclass=file
type=PATH msg=audit(1119414575.763:9696413): item=0 name="/etc/cups/printers.con
f" inode=33358702 dev=fd:00 mode=040775 ouid=0 ogid=3 rdev=00:00
type=SYSCALL msg=audit(1119414575.763:9696413): arch=c000003e syscall=2 success=
no exit=-13 a0=7fffff844ba0 a1=241 a2=1a4 a3=3 items=1 pid=7683 auid=4294967295 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/s
bin/cupsd"
type=AVC msg=audit(1119414575.763:9696413): avc:  denied  { write } for  pid=768
3 comm="cupsd" name=printers.conf dev=dm-0 ino=33358706 scontext=root:system_r:c
upsd_t tcontext=system_u:object_r:cupsd_etc_t tclass=file
Comment 10 David Highley 2005-06-26 12:11:16 EDT
I did some more testing and found that I had to disable selinux to add the
printer. After printer is added it seems to work if selinux is set back to
enforcing.

Note You need to log in before you can comment on or make changes to this bug.