Bug 190897 - net_raw access (to network printer) is denied to (python) hp-info
net_raw access (to network printer) is denied to (python) hp-info
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
5
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-05-05 22:02 EDT by Ross Tyler
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-03-28 16:06:27 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ross Tyler 2006-05-05 22:02:22 EDT
Description of problem:

I have an HP OfficeJet 7310xi network printer.
I can set it up using system-config-printer without a problem but there is no
way to use its other all-in-one features (scan, fax, etc.).
I should be able to use the HPLIP package to do this.

There are several problems involved with getting this to work.
The first problem is that there is not a PPD file for my printer under
/usr/share/foomatic/db/source/PPD/HP.
I know how to fix this:

foomatic-ppdfile -p HP-OfficeJet_7300 >
/usr/share/foomatic/db/source/PPD/HP/all_in_one/HP-OfficeJet_7300-hpijs.ppd

With a PPD file I can use hp-setup or cups add printer to add a printer.
I can print but I can't do too much else due to selinux policy problems.

When I do an hp-info on the device, it fails with a "Device not found" error.

hp-info -dhp:/net/Officejet_7300_series?ip=192.168.0.5

I also get the following /var/log/messages:

May  5 18:57:29 localhost kernel: audit(1146880649.326:549): avc:  denied  {
net_raw } for  pid=4157 comm="python" capability=13
scontext=root:system_r:hplip_t:s0 tcontext=root:system_r:hplip_t:s0
tclass=capability

When I run hp-toolbox, the HPLIP hpssd process dies (can restart with service
hplip restart).
I get something like the following in /var/log/messages:

May  5 19:03:14 localhost python: hpssd [FATAL] Traceback (innermost last):  
File "./hpssd.py", line 1385, in main     loop(timeout=0.5)   File "./hpssd.py",
line 283, in loop     obj.handle_read_event()   File "./hpssd.py", line 433, in
handle_read_event     self.handle_read()   File "./hpssd.py", line 639, in
handle_read     self.handlers.get(msg_type, self.handle_unknown)()   File
"./hpssd.py", line 1027, in handle_event     loopback_trigger.pull_trigger()  
File "./hpssd.py", line 520, in pull_trigger     os.write(self.trigger, '.') 
OSError: [Errno 13] Permission denied
May  5 19:03:14 localhost kernel: audit(1146880994.388:561): avc:  denied  {
net_raw } for  pid=4291 comm="python" capability=13
scontext=root:system_r:hplip_t:s0 tcontext=root:system_r:hplip_t:s0
tclass=capability
May  5 19:03:14 localhost kernel: audit(1146880994.392:562): avc:  denied  {
write } for  pid=4291 comm="python" name="[14737]" dev=pipefs ino=14737
scontext=root:system_r:hplip_t:s0 tcontext=root:system_r:hplip_t:s0 tclass=fifo_file
May  5 19:03:14 localhost python: toolbox [WARN] Device not found

When I disable selinux (setenforce 0), both of these commands work


Version-Release number of selected component (if applicable):

hplip-0.9.8-6
selinux-policy-targeted-2.2.23-15


How reproducible:


Steps to Reproduce:
see above
  
Actual results:


Expected results:


Additional info:
Comment 1 Ross Tyler 2006-05-06 15:33:33 EDT
When running xsane as a non-root user, I get

*** glibc detected *** xsane: munmap_chunk(): invalid pointer: 0x009c0097 ***
======= Backtrace: =========
/lib/libc.so.6(__libc_free+0x17b)[0x16851f]
...

as well as the follwing in /var/log/messages

May  6 12:39:43 localhost hpiod: ParDevice::nibble_read failed: Input/output error
May  6 12:39:43 localhost kernel: audit(1146944383.808:542): avc:  denied  {
name_connect } for  pid=5480 comm="hpiod" dest=9290
scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0
tclass=tcp_socket
May  6 12:39:43 localhost hpiod: unable to connect to scan err=13 port 9290
JetDirectChannel::Open: Permission denied
May  6 12:39:44 localhost hpiod: device cleanup
uri=hp:/net/Officejet_7300_series?ip=192.168.0.5
Comment 2 Ross Tyler 2006-05-06 16:41:18 EDT
# Disabling SELinux entirely or just setting a SELinux boolean to only
#       Disable SELinux protection for cups hplip daemon
# is a workaround to this problem.
# This may be done from the system-config-securitylevel or with setsebool:

        setsebool -P hplip_disable_trans=1
        service hplip restart
Comment 3 Daniel Walsh 2006-05-07 06:40:02 EDT
Fix yum update to the latest policy version which fixes your net_raw problem.

You can add the 9290 port to policy by executing

semanage port -a -t hplip_port_t -p tcp 9290

I will add this port in  selinux-policy-2.2.38-1.fc5
Comment 4 Ross Tyler 2006-05-07 13:43:20 EDT
I ran

    yum update selinux-policy

I then undid my workaround:

    setsebool -P hplip_disable_trans=1

and replaced it with yours

    semanage port -a -t hplip_port_t -p tcp 9290

I was able to recreate the print queue successfully, access the hp-toolbox and scan.
I was _not_ able to use hp-unload to access the memory card reader.
However, following your lead, I was able to fix this as well:

    semanage port -a -t hplip_port_t -p tcp 9220

Now everything seems to work.

Can I expect that both of these changes will be added to
selinux-policy-2.2.38-1.fc5?

Thanks!



Comment 5 Daniel Walsh 2006-05-09 09:03:31 EDT
Nope I missed 9220, I have updated rawhide with the following for hplib

network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,9100,s0,
tcp,9102,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0,
tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)

I think that covers them all.  I will add this update to FC5 in about a week.
Comment 6 Daniel Walsh 2007-03-28 16:06:27 EDT
Closing bugs

Note You need to log in before you can comment on or make changes to this bug.