Bug 294731 - CUPS/HPLIP changes needed
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-18 10:00 EDT by Tim Waugh
Modified: 2007-11-30 17:12 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-09-28 09:20:32 EDT


Attachments
policy-hplip.patch (722 bytes, patch)
2007-09-25 09:40 EDT, Tim Waugh
policy-hplip.patch (1.83 KB, patch)
2007-09-28 08:43 EDT, Tim Waugh

Description Tim Waugh 2007-09-18 10:00:18 EDT
The /usr/lib/cups/backend/hp* CUPS backends need to be labelled as hplip_exec_t,
since they need to be able to read /etc/hp/* and read/write /dev/bus/usb/*/*.
Previously this was done by a daemon, but now it is done in a shared library.

/usr/bin/hp-* need to be labelled as hplip_exec_t as well, for the same reason.

This affects Fedora 8 only.
Comment 1 Daniel Walsh 2007-09-18 10:40:26 EDT
Fixed in selinux-policy-3.0.8-2
Comment 2 Tim Waugh 2007-09-20 12:32:21 EDT
Er.. really?

[root@rook backend]# restorecon -nv /usr/lib/cups/backend/hp* /usr/bin/hp-*
[root@rook backend]# rpm -q selinux-policy
selinux-policy-3.0.8-4.fc8
[root@rook backend]# ls -Z /usr/lib/cups/backend/hp* /usr/bin/hp-*
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-align -> ../share/hplip/align.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-clean -> ../share/hplip/clean.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-colorcal -> ../share/hplip/colorcal.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-fab -> ../share/hplip/fab.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-firmware -> ../share/hplip/firmware.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-info -> ../share/hplip/info.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-levels -> ../share/hplip/levels.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-makecopies -> ../share/hplip/makecopies.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-makeuri -> ../share/hplip/makeuri.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-probe -> ../share/hplip/probe.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-scan -> ../share/hplip/scan.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-sendfax -> ../share/hplip/sendfax.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-setup -> ../share/hplip/setup.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-testpage -> ../share/hplip/testpage.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-timedate -> ../share/hplip/timedate.py
lrwxrwxrwx  root root system_u:object_r:bin_t:s0       /usr/bin/hp-unload -> ../share/hplip/unload.py
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/lib/cups/backend/hp
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/lib/cups/backend/hpfax

These should all be hplip_exec_t.  This is a separate change from the one
discussed on the mailing list a couple of days ago.
Comment 3 Daniel Walsh 2007-09-21 15:39:39 EDT
Fixed in selinux-policy*3.0.8-7.fc8.noarch.rpm
Comment 4 Tim Waugh 2007-09-24 12:40:19 EDT
* Fri Sep 21 2007 Dan Walsh <dwalsh@redhat.com> 3.0.8-7
- Allow cupsd_config_t to read/write usb_device_t

Dan, this is incorrect.  We don't really want cupsd to be able to do this.

The way it needs to happen is that cupsd (running as cupsd_t) needs to be able
to execute programs that are labelled hplip_exec_t.
Comment 5 Daniel Walsh 2007-09-24 16:41:26 EDT
Fixed in selinux-policy-3.0.8-11
cups will now transition to hplip_t when running exec_t.
Comment 6 Tim Waugh 2007-09-25 09:40:33 EDT
Created attachment 205461 [details]
policy-hplip.patch

Thanks.  It nearly works now; this patch (attached) fixes the rest.

The only problems I get now are from HPLIP trying to read config files in its
home directory when running from CUPS (again!!).  I'll look at fixing those in
hplip next.
Comment 7 Tim Waugh 2007-09-28 08:42:44 EDT
*sigh*
I found some more changes needed:

* the /usr/bin/hp-* files are actually symlinks, so I've changed the file
contexts pattern to match the targets of the links

* hal_lpadmin now invokes the hp-* programs directly, and so we need to
transition to the right domain
Comment 8 Tim Waugh 2007-09-28 08:43:31 EDT
Created attachment 210221 [details]
policy-hplip.patch

Relative to 3.0.8-14.fc8.
Comment 9 Tim Waugh 2007-09-28 08:44:57 EDT
The last remaining message is this one:

type=AVC msg=audit(1190981734.866:457): avc:  denied  { use } for  pid=23880
comm="hp-probe" path="/dev/null" dev=tmpfs ino=217
scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fd

This seems to be when hald runs hal_lpadmin (cupsd_config_t), which runs
hp-probe (hplip_t) -- but I can't quite figure out exactly what's causing it or
how to stop it.
Comment 10 Daniel Walsh 2007-09-28 09:20:32 EDT
Added hal_dontaudit_use_fds(hplip_t)

Hal is reassigning stdout/stderr to an open file descriptor, probably a log file.

Other fixes added to selinux-policy-3.0.8-15
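The reasoning behind answering the AVC record in comment 9 with a dontaudit rule rather than an allow rule, as an added example that is not part of the bug report or of selinux-policy: a shell function that pulls the source type, target type, object class and permissions out of a single AVC line, and a second function that applies one heuristic to them. The first record in the block is the one quoted in comment 9; the second is constructed to resemble the usb_device_t access discussed in comment 4. The heuristic and the function names are this example's own, not audit2allow's.

```shell
#!/bin/sh
# Added example: summarise one AVC denial and decide whether it looks like an
# inherited-descriptor denial (answered with dontaudit) or an access that
# needs a policy review. Not from the bug report or selinux-policy.

# Record quoted in comment 9 of the bug.
SAMPLE_AVC_FD='type=AVC msg=audit(1190981734.866:457): avc:  denied  { use } for  pid=23880 comm="hp-probe" path="/dev/null" dev=tmpfs ino=217 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fd'

# Constructed record (not real audit output) shaped like the access the
# 3.0.8-7 changelog entry in comment 4 would have silenced with an allow rule.
SAMPLE_AVC_USB='type=AVC msg=audit(1190981800.000:458): avc:  denied  { read write } for  pid=23990 comm="hp" path="/dev/bus/usb/001/004" dev=tmpfs ino=9001 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file'

# avc_summary RECORD
# Prints "SOURCE_TYPE TARGET_TYPE CLASS PERMS COMM", with PERMS joined by
# commas so the result stays a fixed five words.
avc_summary() {
    printf '%s\n' "$1" | awk '
    {
        perms = ""; stype = ""; ttype = ""; cls = ""; comm = ""
        # Permissions are the words between the braces after "denied".
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), p, ":"); stype = p[3] }
            else if ($i ~ /^tcontext=/) { split(substr($i, 10), p, ":"); ttype = p[3] }
            else if ($i ~ /^tclass=/) cls = substr($i, 8)
            else if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        print stype, ttype, cls, perms, comm
    }'
}

# avc_advice RECORD
# Heuristic used by this example: a denied "use" on class "fd" whose target
# is another process domain means the child inherited a descriptor its parent
# left open. The denial already keeps that descriptor away from the child; a
# dontaudit rule (what comment 10 adds) only stops the log noise, whereas an
# allow rule would let the child domain keep using the parent's open files.
# Anything else is printed for review rather than turned into a rule.
avc_advice() {
    rec="$1"
    set -- $(avc_summary "$rec")
    stype="$1"; ttype="$2"; cls="$3"; perms=$(printf '%s' "$4" | tr ',' ' ')
    if [ "$cls" = "fd" ] && [ "$perms" = "use" ] && [ "$stype" != "$ttype" ]; then
        echo "dontaudit ${stype} ${ttype}:fd use;"
    else
        echo "review: ${stype} ${ttype}:${cls} { ${perms} }"
    fi
}

# Stand-alone run over both sample records.
avc_advice "$SAMPLE_AVC_FD"
avc_advice "$SAMPLE_AVC_USB"
```

For the second record the right fix is the one comment 4 asks for, a domain transition from cupsd_t through hplip_exec_t into hplip_t, which is why the function refuses to propose an allow rule for it and leaves the decision to a reviewer.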
