The /usr/lib/cups/backend/hp* CUPS backends need to be labelled as hplip_exec_t, since they need to be able to read /etc/hp/* and read/write /dev/bus/usb/*/*. Previously this was done by a daemon, but now it is done in a shared library. /usr/bin/hp-* need to be labelled as hplip_exec_t as well, for the same reason. This affects Fedora 8 only.
Fixed in selinux-policy-3.0.8-2
Er.. really?

[root@rook backend]# restorecon -nv /usr/lib/cups/backend/hp* /usr/bin/hp-*
[root@rook backend]# rpm -q selinux-policy
selinux-policy-3.0.8-4.fc8
[root@rook backend]# ls -Z /usr/lib/cups/backend/hp* /usr/bin/hp-*
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-align -> ../share/hplip/align.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-clean -> ../share/hplip/clean.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-colorcal -> ../share/hplip/colorcal.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-fab -> ../share/hplip/fab.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-firmware -> ../share/hplip/firmware.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-info -> ../share/hplip/info.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-levels -> ../share/hplip/levels.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-makecopies -> ../share/hplip/makecopies.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-makeuri -> ../share/hplip/makeuri.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-probe -> ../share/hplip/probe.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-scan -> ../share/hplip/scan.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-sendfax -> ../share/hplip/sendfax.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-setup -> ../share/hplip/setup.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-testpage -> ../share/hplip/testpage.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-timedate -> ../share/hplip/timedate.py
lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-unload -> ../share/hplip/unload.py
-rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/lib/cups/backend/hp
-rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/lib/cups/backend/hpfax

These should all be hplip_exec_t.
This is a separate change from the one discussed on the mailing list a couple of days ago.
Fixed in selinux-policy*3.0.8-7.fc8.noarch.rpm
* Fri Sep 21 2007 Dan Walsh <dwalsh> 3.0.8-7
- Allow cupsd_config_t to read/write usb_device_t

Dan, this is incorrect. We don't really want cupsd to be able to do this. The way it needs to happen is that cupsd (running as cupsd_t) needs to be able to execute programs that are labelled hplip_exec_t.
Fixed in selinux-policy-3.0.8-11. cups will now transition to hplip_t when running exec_t.
Created attachment 205461
policy-hplip.patch

Thanks. It nearly works now; this patch (attached) fixes the rest. The only problems I get now are from HPLIP trying to read config files in its home directory when running from CUPS (again!!). I'll look at fixing those in hplip next.
*sigh* I found some more changes needed:
* the /usr/bin/hp-* files are actually symlinks, so I've changed the file contexts pattern to match the targets of the links
* hal_lpadmin now invokes the hp-* programs directly, and so we need to transition to the right domain
Created attachment 210221
policy-hplip.patch

Relative to 3.0.8-14.fc8.
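The two labelling problems in this thread (the hp* backends and hp-* wrappers carrying bin_t instead of hplip_exec_t, and the /usr/bin/hp-* entries being symlinks whose targets are the files the kernel actually labels and checks on exec) can be caught with a small audit over ls -Z output. The script below is an added example, not part of the bug or of the selinux-policy package. It assumes the ls -Z field layout shown in the comment above (mode owner group context path [-> target]) and works on a constructed sample embedded inline; the function names check_labels, resolve_link_target and selinux_type are this example's own.

```shell
#!/bin/sh
# Constructed sample in the Fedora 8 `ls -Z` layout quoted in the bug:
#   mode owner group context path [-> target]
# Two entries are deliberately mislabelled (bin_t) and two are correct.
SAMPLE_LS_Z='lrwxrwxrwx root root system_u:object_r:bin_t:s0 /usr/bin/hp-align -> ../share/hplip/align.py
lrwxrwxrwx root root system_u:object_r:hplip_exec_t:s0 /usr/bin/hp-probe -> ../share/hplip/probe.py
-rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/lib/cups/backend/hp
-rwxr-xr-x root root system_u:object_r:hplip_exec_t:s0 /usr/lib/cups/backend/hpfax'

# selinux_type CONTEXT -> the type, i.e. the third field of user:role:type:level
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# resolve_link_target LINKPATH TARGET -> absolute path the link points at.
# Relative targets are resolved against the link's directory; a single
# "dir/../" component is collapsed (enough for ../share/hplip/*.py).
resolve_link_target() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(dirname "$1")" "$2" | sed 's|/[^/]*/\.\./|/|' ;;
    esac
}

# check_labels EXPECTED_TYPE   (reads ls -Z lines on stdin)
# Prints one line per entry whose type is not EXPECTED_TYPE.  For symlinks
# the resolved target is reported too, because the file context pattern has
# to match the target (the inode that is executed), not the link name.
# Returns the number of mismatches, so 0 means everything is labelled.
check_labels() {
    expected=$1
    bad=0
    while read -r mode owner group ctx path arrow target; do
        [ -n "$path" ] || continue
        ftype=$(selinux_type "$ctx")
        [ "$ftype" = "$expected" ] && continue
        bad=$((bad + 1))
        if [ "$arrow" = "->" ]; then
            printf '%s (link target %s): %s, expected %s\n' \
                "$path" "$(resolve_link_target "$path" "$target")" "$ftype" "$expected"
        else
            printf '%s: %s, expected %s\n' "$path" "$ftype" "$expected"
        fi
    done
    return "$bad"
}

# Stand-alone run over the constructed sample; on a real host you would pipe
# `ls -Z /usr/lib/cups/backend/hp* /usr/bin/hp-*` into check_labels instead.
printf '%s\n' "$SAMPLE_LS_Z" | check_labels hplip_exec_t \
    || echo "$? entries need relabelling"
```

The parser matches the field order shown in this thread; newer coreutils print ls -Z in a different layout, so the read positions need adjusting there. The authoritative check against the loaded policy remains restorecon -nv, as used in the comment above; this script only tells you which entries diverge from the type you expect and where the link actually points, which is the information needed to decide whether the file context pattern or the policy is what is wrong.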
The last remaining message is this one:

type=AVC msg=audit(1190981734.866:457): avc: denied { use } for pid=23880 comm="hp-probe" path="/dev/null" dev=tmpfs ino=217 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fd

This seems to be when hald runs hal_lpadmin (cupsd_config_t), which runs hp-probe (hplip_t) -- but I can't quite figure out exactly what's causing it or how to stop it.
Added hal_dontaudit_use_fds(hplip_t)

Hal is reassigning stdout/stderr to an open file descriptor, probably a log file.

Other fixes added to selinux-policy-3.0.8-15
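The decision taken here (dontaudit rather than allow) rests on reading the AVC record correctly: the source domain is hplip_t, the object class is fd, the permission is use, and the descriptor was created by hald_t, which is why hald's inherited log descriptor shows up under hp-probe. The script below is an added example, not code from the bug or from the policy package; it parses the AVC line quoted above (copied verbatim as a constructed string so it runs without an audit log) into those fields. The function names avc_field, avc_perms, context_type and summarize_avc are this example's own.

```shell
#!/bin/sh
# Constructed copy of the AVC record quoted in the bug, embedded so the example
# needs no audit log.  The layout is the usual key=value audit format.
AVC_LINE='type=AVC msg=audit(1190981734.866:457): avc: denied { use } for pid=23880 comm="hp-probe" path="/dev/null" dev=tmpfs ino=217 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fd'

# avc_field LINE KEY -> the value of KEY=value in LINE, quotes stripped
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perms LINE -> the permission list between "{" and "}" (e.g. "use")
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# context_type CONTEXT -> the type field of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# summarize_avc LINE -> one line naming source domain, permission, class and
# target label: the facts a policy author weighs when choosing between an
# allow rule, a dontaudit rule (what this bug chose, since hplip_t has no
# legitimate need for hald's descriptor) or fixing the calling program.
summarize_avc() {
    line=$1
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    comm=$(avc_field "$line" comm)
    printf '%s (comm=%s) denied { %s } on %s labelled %s\n' \
        "$src" "$comm" "$perms" "$cls" "$tgt"
}

# Stand-alone run; on a real host the input would be a line from audit.log.
summarize_avc "$AVC_LINE"
```

For this record the summary reads "hplip_t (comm=hp-probe) denied { use } on fd labelled hald_t", which matches the chain described above (hald, then hal_lpadmin, then hp-probe inheriting a descriptor hald opened). A dontaudit rule silences the message without granting the access, which is the right call when the denied operation is harmless to the program and the descriptor is not something the child domain should be reading or writing.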