Description of problem:
This patch adds support for HPLIP, the new replacement for HPOJ/PTAL. Does it look okay?

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.23.16-6

(I would also like to be able to release HPLIP packages for Fedora Core 4 at some point.)
Created attachment 115415: selinux-hplip.patch
Ok, I trimmed it down to the following, but what ports does it need to connect to? This rule allows it to connect to any port?

allow hplip_t port_t:tcp_socket name_connect;

# HPLIP
daemon_domain(hplip)
etcdir_domain(hplip)
allow hplip_t etc_t:file r_file_perms;
allow hplip_t printer_device_t:chr_file rw_file_perms;
allow cupsd_t hplip_var_run_t:file { read getattr };
allow hplip_t cupsd_etc_t:dir search;
can_network_client(hplip_t)
allow hplip_t ipp_port_t:tcp_socket name_connect;

# Uses networking to talk to the daemons
allow hplip_t self:unix_dgram_socket create_socket_perms;
allow hplip_t self:unix_stream_socket create_socket_perms;
allow hplip_t port_t:tcp_socket name_connect;

# for python
can_exec(hplip_t, bin_t)
allow hplip_t { sbin_t bin_t }:dir search;
allow hplip_t self:file { getattr read };
allow hplip_t proc_t:file r_file_perms;
allow hplip_t urandom_device_t:chr_file { getattr read };
allow hplip_t usr_t:{ file lnk_file } r_file_perms;
Thanks. It also needs this:

can_network_server(hplip_t) [hpiod and hpssd]

(Didn't know those macros..) As for which port, there are two: one for hpiod and one for hpssd. They can be configured to be particular ports, but by default they are both dynamic (and the actual port numbers are stored in /var/run/hpiod.port and /var/run/hpssd.port). Should I get some static port numbers assigned?
Yes, we need to fix these ports in order to better secure the application. If the app is both a server and a client you can just call can_network(hplip_t). I need the port numbers of what the server binds to, and what the client connects to. If they are the same, so much the better. What are the default ports you are using now?
The servers can listen on TCP ports 50000 and 50002, and the clients will connect to both those ports. These are the upstream default static port numbers (although the upstream default is to use dynamic port numbers instead).
Fixed in selinux-policy-targeted-1.23.18-7
If it was fixed in selinux-policy-targeted-1.23.18-7, it is now broken again in selinux-policy-targeted-1.23.18-12. I had to drop selinux back to permissive or I could not add an hplip uri via cups.
What AVC messages are you seeing?
I hope this is the right one; the log is hard to read and has no apparent date/time info.

type=AVC_PATH msg=audit(1119579156.548:93822): path="/var/run/hpiod.port"
type=SYSCALL msg=audit(1119579156.548:93822): arch=c000003e syscall=5 success=yes exit=0 a0=0 a1=7fffffd0b7c0 a2=7fffffd0b7c0 a3=0 items=0 pid=3234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hp" exe="/usr/lib64/cups/backend/hp"
type=AVC msg=audit(1119579156.548:93822): avc: denied { getattr } for pid=3234 comm="hp" name=hpiod.port dev=dm-0 ino=29230111 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
type=PATH msg=audit(1119579156.548:93821): item=0 name="/var/run/hpiod.port" inode=29230111 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1119579156.548:93821): arch=c000003e syscall=2 success=yes exit=0 a0=403396 a1=0 a2=1b6 a3=0 items=1 pid=3234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hp" exe="/usr/lib64/cups/backend/hp"
type=PATH msg=audit(1119414575.762:9696407): item=1 name="/etc/cups/printers.conf.O" inode=33358702 dev=fd:00 mode=040775 ouid=0 ogid=3 rdev=00:00
type=PATH msg=audit(1119414575.762:9696407): item=0 name="/etc/cups/printers.conf" inode=33358702 dev=fd:00 mode=040775 ouid=0 ogid=3 rdev=00:00
type=SYSCALL msg=audit(1119414575.762:9696407): arch=c000003e syscall=82 success=no exit=-13 a0=7fffff844ba0 a1=7fffff8447a0 a2=19 a3=2aaaaaac5000 items=2 pid=7683 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=AVC msg=audit(1119414575.762:9696407): avc: denied { rename } for pid=7683 comm="cupsd" name=printers.conf dev=dm-0 ino=33358706 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:cupsd_etc_t tclass=file
type=PATH msg=audit(1119414575.763:9696413): item=0 name="/etc/cups/printers.conf" inode=33358702 dev=fd:00 mode=040775 ouid=0 ogid=3 rdev=00:00
type=SYSCALL msg=audit(1119414575.763:9696413): arch=c000003e syscall=2 success=no exit=-13 a0=7fffff844ba0 a1=241 a2=1a4 a3=3 items=1 pid=7683 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=AVC msg=audit(1119414575.763:9696413): avc: denied { write } for pid=7683 comm="cupsd" name=printers.conf dev=dm-0 ino=33358706 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:cupsd_etc_t tclass=file
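As an added example (not part of this bug thread or of the selinux-policy package), here is a small Python parser for the AVC records quoted above. It collapses the denials into audit2allow-style rules and, separately, checks the denied target type against the label the patch's own rule "allow cupsd_t hplip_var_run_t:file { read getattr }" expects on the port files; the hpiod.port/hpssd.port-to-hplip_var_run_t mapping is an assumption drawn from that rule, and the sample log lines are a constructed, reflowed subset of the records above.

```python
import re
from collections import defaultdict

# Constructed sample: three denials quoted in this thread, one audit record per line, plus one
# SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1119579156.548:93822): arch=c000003e syscall=5 success=yes exit=0 pid=3234 comm="hp" exe="/usr/lib64/cups/backend/hp"
type=AVC msg=audit(1119579156.548:93822): avc: denied { getattr } for pid=3234 comm="hp" name=hpiod.port dev=dm-0 ino=29230111 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:initrc_var_run_t tclass=file
type=AVC msg=audit(1119414575.762:9696407): avc: denied { rename } for pid=7683 comm="cupsd" name=printers.conf dev=dm-0 ino=33358706 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:cupsd_etc_t tclass=file
type=AVC msg=audit(1119414575.763:9696413): avc: denied { write } for pid=7683 comm="cupsd" name=printers.conf dev=dm-0 ino=33358706 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:cupsd_etc_t tclass=file
"""

# Assumption: the patch's "allow cupsd_t hplip_var_run_t:file { read getattr }" only applies if the
# port files actually carry hplip_var_run_t, so that is the label we expect to see on them.
EXPECTED_LABELS = {"hpiod.port": "hplip_var_run_t", "hpssd.port": "hplip_var_run_t"}

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+) \} '
    r'for .*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) '
    r'tclass=(?P<tclass>\w+)')
NAME_RE = re.compile(r' name="?([^" ]+)"?')

def parse_denials(log_text):
    """One dict per AVC denial; the type is the third field of a security context."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["stype"] = d.pop("scontext").split(":")[2]
        d["ttype"] = d.pop("tcontext").split(":")[2]
        d["perms"] = frozenset(d["perms"].split())
        name = NAME_RE.search(line)
        d["name"] = name.group(1) if name else None
        denials.append(d)
    return denials

def allow_rules(denials):
    """Collapse denials into audit2allow-style rules, merging perms per (source, target, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in merged.items())

def mislabeled(denials, expected=EXPECTED_LABELS):
    """Denials on a file the policy expected to carry another type: a labelling problem that a
    blanket allow on the type actually seen would only paper over."""
    return [(d["name"], d["ttype"], expected[d["name"]])
            for d in denials if d["name"] in expected and d["ttype"] != expected[d["name"]]]
```

For the hpiod.port denial the target type is initrc_var_run_t rather than the hplip_var_run_t the patch's rule grants, so the fix to look at first is the file context of /var/run/hpiod.port, not a wider allow rule.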
I did some more testing and found that I had to disable selinux to add the printer. After the printer is added, it seems to work if selinux is set back to enforcing.