Bug 187079 - HPLIP policy fix: usb_device_t:chr_file
Summary: HPLIP policy fix: usb_device_t:chr_file
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 5
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-03-28 11:12 UTC by Tim Waugh
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-03-28 20:03:52 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Tim Waugh 2006-03-28 11:12:34 UTC 
Description of problem:
The 'hp' CUPS backend needs to use USB device files to do its job.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.23-15

How reproducible:
100%

Steps to Reproduce:
1. setenforce 0
2. Run /usr/lib/cups/backend/hp (with HP multi-function device plugged in)
  
Actual results:
audit(1143543819.520:190): avc:  denied  { read write } for  pid=27691
comm="hpiod" name="001" dev=tmpfs ino=3990 scontext=user_u:system_r:hplip_t:s0
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file
audit(1143543819.520:191): avc:  denied  { ioctl } for  pid=27691 comm="hpiod"
name="001" dev=tmpfs ino=3990 scontext=user_u:system_r:hplip_t:s0
tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file

(With 'setenforce 1', no device is found.)

Additional info:
This should fix it:

allow hplip_t usb_device_t:chr_file { ioctl read write };
Comment 1 Tim Waugh 2006-03-28 11:25:40 UTC 
Also needs this when running hp-toolbox:

allow hplip_t self:fifo_file { read write };
Comment 2 Tim Waugh 2006-03-30 14:41:40 UTC 
FWIW, this is blocking FC5 updates for hplip and (transitively) CUPS.
Comment 3 Daniel Walsh 2006-03-30 16:49:45 UTC 
Fixed in selinux-policy-2.2.25-3.fc5
Comment 4 Tim Waugh 2006-03-31 09:57:10 UTC 
Great, works perfectly here.  Thanks!
Comment 6 Daniel Walsh 2007-03-28 20:03:52 UTC 
Closing bugs
Note You need to log in before you can comment on or make changes to this bug.