Bug 234621 - selinux prevents cups from printing
selinux prevents cups from printing
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
6
i386 Linux
medium Severity high
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-03-30 12:36 EDT by Craig Goodyear
Modified: 2007-11-30 17:12 EST (History)
3 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-04-11 10:13:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Craig Goodyear 2007-03-30 12:36:55 EDT
Description of problem:
With selinux set to enforcing, the printer will not print.
With selinux set to permissive, the printer has no problems.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-46.fc6
selinux-policy-targeted-2.4.6-46.fc6

How reproducible:
Problem occures every time selinux is set to enforcing.

Steps to Reproduce:
1. set seliux to enforcing
2. submit job to printer
  
Actual results:
Printer does not print.

Expected results:
Get output from printer.

Additional info:
The following error is logged to /var/log/cups/error_log ever
second until selinux is set to permissive and the job prints:

E [30/Mar/2007:10:54:54 -0500] [Job 68] Unable to reserve 
port: Permission denied

There are no selinux error messages entered in /var/logs/messages
file.

The printer is attached to a ethernet print server and is
installed using cups with a lpd connection.
Comment 1 James 2007-03-31 06:59:34 EDT
Seen here too.
Comment 2 Daniel Walsh 2007-04-02 12:15:27 EDT
Are there AVC messages in /var/log/audit/audit.log?
Comment 3 James 2007-04-02 12:44:12 EDT
In mine: no, it's odd. I can't see any "avc: denied" messages pertaining to the
printing subsystem. Nor do I get any "SELinux problem" alerts from the
troubleshooter application (except for "SELinux is preventing the
/usr/bin/python from using potentially mislabeled files (.hplip.conf).", but I'm
not using an HP printer).
Comment 4 Craig Goodyear 2007-04-02 13:07:48 EDT
I don't have selinux set up to log errors to 
/var/log/audit/audit.log.  All avc messages go
to /var/log/messages.  No errors are entered in
this file when trying to print.
Comment 5 Daniel Walsh 2007-04-02 13:23:53 EDT
You can turn off the dontaudit rules with the following command

semodule -b /usr/share/selinux/targeted/enableaudit.pp

See if the kernel reports any avc messages now?

Any idea which port it is trying to communicate with?

Then turn them back on with this command.

semodule -b /usr/share/selinux/targeted/base.pp
Comment 6 James 2007-04-02 13:53:21 EDT
avc: denied { name_bind } for comm="lpd" egid=7 euid=0
exe="/usr/lib/cups/backend/lpd" exit=-13 fsgid=7 fsuid=0 gid=7 items=0 pid=14912
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 src=993
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=tcp_socket
tcontext=system_u:object_r:pop_port_t:s0 tty=(none) uid=0 
Comment 7 Daniel Walsh 2007-04-02 16:49:24 EDT
Tim does this make sense to you?  

Do you know if cups/lpd does a bindresvport?

Comment 8 Craig Goodyear 2007-04-02 17:04:51 EDT
This is the avc message I get after turning off dontaudit rules:

Apr  2 16:00:13 cm kernel: audit(1175547613.491:60): 
avc:  denied  { name_bind } for  pid=8204 comm="lpd" 
src=1016 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket

Comment 9 Tim Waugh 2007-04-03 09:06:40 EDT
The CUPS lpd backend (for sending a job to an LPR server) does a regular bind().
 It's actually after a priveleged port between 721 and 731 (this is from RFC 1179):

3.1 Message formats

   LPR is a a TCP-based protocol.  The port on which a line printer
   daemon listens is 515.  The source port must be in the range 721 to
   731, inclusive.

The way the CUPS lpd backend tries to do this is by trying bind() for port 731,
retrying with a lower port number until it gets to 721, then starting back at 731.

Should it be using bindresvport() instead?
Comment 10 Daniel Walsh 2007-04-03 09:38:58 EDT
The strange part above is that the avc's are reporting that cupsd tried to bind
to ports 993 and 1016.

I can give it the policy that allows cups to bind to ports between 600-1023
which is what we usually give for bindresvport.

Comment 11 Tim Waugh 2007-04-03 10:09:07 EDT
The 'strict' 721-731 requirement is an option in the lpd backend.  If it is not
set to strict RFC 1179 compliance it will try any port between 512 and 1023. 
Also when it is not running as root it will just take any port (but we run the
lpd backend as root).

So giving it policy to allow it to bind to ports between 600 and 1023 would be fine.
Comment 12 Daniel Walsh 2007-04-05 13:46:48 EDT
Fixed in selinux-policy-2.4.6-52
Comment 13 Craig Goodyear 2007-04-11 09:46:05 EDT
After updating to selinux-policy-2.4.6-54.fc6, I am
now able to print with selinux set to enforcing.

Thank you for the fix.

Note You need to log in before you can comment on or make changes to this bug.