Bug 186205 - printing denied by selinux targeted policy
printing denied by selinux targeted policy
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Russell Coker
: Regression
Depends On:
  Show dependency treegraph
Reported: 2006-03-22 03:43 EST by Bernard Johnson
Modified: 2007-11-30 17:11 EST (History)
0 users

See Also:
Fixed In Version: 2.2.29-2.fc5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-04-11 16:59:50 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Bernard Johnson 2006-03-22 03:43:30 EST
Description of problem:
Printing, either by hp-setup or File->Print in Firefox is denied by selinux
targeted policy.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Run /usr/bin/hp-setup to try to setup a printer and print a test page
2. or, if a printer is setup
3. File->Print from Firefox
Actual results:
Output from hp-setup:
[root@localhost ~]# hp-setup -m

 HP Linux Imaging and Printing System (ver. 0.9.8)
 Printer/Fax Setup Utility ver. 0.7

 Copyright (c) 2003-5 Hewlett-Packard Development Company, LP
 This software comes with ABSOLUTELY NO WARRANTY.
 This is free software, and you are welcome to distribute it
 under certain conditions. See COPYING file for more details.

 Found device: hp:/net/HP_Color_LaserJet_2840?ip=

 (Note: Defaults for each question are maked with a '*'. Press <enter> to accept
the default.)


Please enter a name for this print queue (m=use model
name:'HP_Color_LaserJet_2840'*, q=quit) ?m
 Using queue name: HP_Color_LaserJet_2840

Found a possible PPD file:
 Note: The model number may vary slightly from the actual model number on the

Does this PPD file appear to be the correct one (y=yes*, n=no, q=quit) ?y
Enter a location description for this printer (q=quit) ?MyNetwork
Enter additonal information or notes for this printer (q=quit) ?

Adding print queue to CUPS:
 Device URI: hp:/net/HP_Color_LaserJet_2840?ip=
 Queue name: HP_Color_LaserJet_2840
 PPD file:
 Location: MyNetwork

Would you like to print a test page (y=yes*, n=no, q=quit) ?y

Load plain paper into printer and press 'enter' ?
 [ERROR]: Unable to print to printer. Please check device and try again.


Please enter a name for this fax queue (m=use model
name:'HP_Color_LaserJet_2840_fax'*, q=quit) ?
 Using queue name: HP_Color_LaserJet_2840_fax
 [ERROR]: Unable to find HP fax PPD file! Please check you HPLIP installation
and try again.

Output from /var/log/messages (when running hp-setup):
Mar 22 01:20:55 localhost python:  [ERROR] Unable to print to printer. Please
check device and try again.
Mar 22 01:20:55 localhost kernel: audit(1143015655.808:12): avc:  denied  {
net_raw } for  pid=1960 comm="python" capability=13
scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0
Mar 22 01:21:25 localhost python:  [ERROR] Unable to find HP fax PPD file!
Please check you HPLIP installation and try again.

Output from /var/log/messages (when printing from firefox):
Mar 22 01:21:56 localhost kernel: audit(1143015716.792:13): avc:  denied  {
name_connect } for  pid=2879 comm="hpiod" dest=9100
scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0
Mar 22 01:21:56 localhost hpiod: unable to connect to print port 9100
JetDirectChannel::Open: Permission denied
Mar 22 01:21:57 localhost HP_Color_LaserJet_2840?ip= INFO: open
print channel failed; will retry in 30 seconds...

Expected results:
Printing with no problems.

Additional info:
Modifying the selinux policy using system-config-securitylevel and disabling the
4 items related to printing does nothing to help the situation.  Putting the
system in permissive mode allows the print job to succeed.

This was on a freshly installed system.
Comment 1 Bernard Johnson 2006-03-27 14:50:57 EST
This is occuring in rawhide as well.  Here is the audit2allow output.

[root@localhost ~]# audit2allow -i /var/log/messages
allow hplip_t port_t:tcp_socket name_connect;
Comment 2 Daniel Walsh 2006-03-27 15:44:07 EST
You can fix this with 

semanage port -a -p tcp -t hplip_port_t 9100

I will add this to policy but this should fix it for you.
Comment 3 Daniel Walsh 2006-04-03 12:41:17 EDT
Fixed in selinux-policy-2.2.29-2.fc5
Comment 4 Bernard Johnson 2006-04-07 11:51:54 EDT
I tested the selinux-policy-2.2.29-2.fc5 in updates-testing and the problem
seems to be resolved.

Note You need to log in before you can comment on or make changes to this bug.