Bug 120054 - user_r cannot connect to socket

| Field | Value |
|---|---|
| Product | Fedora |
| Component | hpoj |
| Reporter | Tim Waugh <twaugh> |
| Assignee | Russell Coker <rcoker> |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Version | rawhide |
| CC | dwalsh, twaugh |
| Keywords | SELinux |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2004-12-02 15:58:25 UTC |
| Bug Blocks | 114963, 123268, 136451 |
| Attachments | 99995 policy-hpoj.patch; 100034 policy-hpoj.patch; 100118 policy-hpoj-fc.patch |
Description

Tim Waugh, 2004-04-05 16:50:32 UTC

Here's another audit message. This comes from trying to print to an HP all-in-one:

    audit(1081184286.786:0): avc: denied { write } for pid=30952 exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2 ino=1017121 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:var_run_t tclass=sock_file

For completeness, here are the audit messages from permissive mode, so we can see all the hurdles at once.

Printing something:

    audit(1082384337.766:0): avc: denied { write } for pid=10888 exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=system_u:system_r:cupsd_t tcontext=root:object_r:var_run_t tclass=sock_file
    audit(1082384337.804:0): avc: denied { connectto } for pid=10888 exe=/usr/bin/ptal-connect path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=system_u:system_r:cupsd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket

And scanning:

    audit(1082384628.518:0): avc: denied { write } for pid=10937 exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=user_u:user_r:user_t tcontext=root:object_r:var_run_t tclass=sock_file
    audit(1082384628.519:0): avc: denied { connectto } for pid=10937 exe=/usr/bin/xsane-gimp path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=user_u:user_r:user_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket

So what's the best way to fix this, do you think?

Created attachment 99995 [details]
policy-hpoj.patch

Here is a first stab at getting printing working, at least. How does it look?

Should I try the same approach for scanning?

Created attachment 100034 [details]
policy-hpoj.patch

Here's a fixed version of the print patch.

For scanning I'm not sure what to do. Make xsane-gimp, xsane, scanimage et al. all 'scan_t' or something, and go from there? Or should we let user_t processes connect to ptal sockets (as normal)?

Created attachment 100118 [details]
policy-hpoj-fc.patch

Here's an incremental fix to correct the file contexts on /var/run/ptal-{printd,mlcd}/* if they already exist. (It's only a problem if you run setfiles on /var while hpoj is running.)

No idea what to do for scanning, as I mentioned in comment #5. Needs input from someone who has better judgment about policy. Russell, do you have ideas on this?

We are working the scanning problem in #140059, so I am closing this bug report.
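The AVC messages quoted in the description are the raw material for any policy fix. As an added example (not part of this bug report and not code from the hpoj policy patches attached to it), the Python below parses lines in that pre-auditd `audit(...): avc: denied { ... }` format, groups the denials by source type, target type and object class the way audit2allow does before emitting rules, renders the candidate allow rules for review, and separately flags denials whose target carries a generic label (`var_run_t` on the socket file, `initrc_t` on the listening process), which is the labelling problem the file-context patch addresses rather than a missing allow rule. The five sample lines are the ones from the report, embedded as constructed input; all function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed input: the five AVC denials quoted in this bug report, one per line,
# in the old kernel-printk form (no "type=AVC msg=" prefix).
SAMPLE_AUDIT_LOG = """\
audit(1081184286.786:0): avc: denied { write } for pid=30952 exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2 ino=1017121 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:var_run_t tclass=sock_file
audit(1082384337.766:0): avc: denied { write } for pid=10888 exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=system_u:system_r:cupsd_t tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384337.804:0): avc: denied { connectto } for pid=10888 exe=/usr/bin/ptal-connect path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=system_u:system_r:cupsd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
audit(1082384628.518:0): avc: denied { write } for pid=10937 exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=user_u:user_r:user_t tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384628.519:0): avc: denied { connectto } for pid=10937 exe=/usr/bin/xsane-gimp path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=user_u:user_r:user_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
"""

# Header of an AVC message: timestamp:serial, verdict, braced permission list, then key=value fields.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+avc:\s+(?P<verdict>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# Trailing key=value pairs (pid, exe, path/name, scontext, tcontext, tclass, ...).
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class AvcRecord:
    timestamp: float
    verdict: str
    perms: List[str]
    fields: Dict[str, str]

    def _type_of(self, ctx_key: str) -> str:
        # A context is user:role:type[:level]; the type is always the third field.
        return self.fields[ctx_key].split(":")[2]

    @property
    def source_type(self) -> str:
        return self._type_of("scontext")

    @property
    def target_type(self) -> str:
        return self._type_of("tcontext")

    @property
    def tclass(self) -> str:
        return self.fields["tclass"]


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Parse one AVC line; return None for non-AVC lines or records too truncated to analyse."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return AvcRecord(float(m.group("ts")), m.group("verdict"), m.group("perms").split(), fields)


def parse_audit_log(text: str) -> List[AvcRecord]:
    return [r for r in (parse_avc(ln) for ln in text.splitlines()) if r is not None]


Key = Tuple[str, str, str]  # (source type, target type, object class)


def summarize_denials(records: List[AvcRecord]) -> Dict[Key, Set[str]]:
    """Union the denied permissions per (source, target, class), as audit2allow does before emitting rules."""
    summary: Dict[Key, Set[str]] = {}
    for r in records:
        if r.verdict != "denied":
            continue
        summary.setdefault((r.source_type, r.target_type, r.tclass), set()).update(r.perms)
    return summary


def to_allow_rules(summary: Dict[Key, Set[str]]) -> List[str]:
    """Render candidate allow rules for human review; a rule naming a generic type such as
    var_run_t or initrc_t usually signals a labelling problem, not a rule that should be added."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


def generic_labelled_targets(records: List[AvcRecord],
                             generic: Tuple[str, ...] = ("var_run_t", "initrc_t")) -> List[AvcRecord]:
    """Denials whose target carries a generic type: var_run_t on a sock_file means the socket under
    /var/run never got a service-specific label (what the file-context patch corrects), and initrc_t
    on a unix_stream_socket means the listening daemon is still running in the generic initrc_t domain."""
    return [r for r in records if r.verdict == "denied" and r.target_type in generic]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for rule in to_allow_rules(summarize_denials(recs)):
        print(rule)
    for r in generic_labelled_targets(recs):
        obj = r.fields.get("path") or r.fields.get("name")
        print(f"generic label: {obj} is {r.target_type} ({r.tclass}); relabel or confine before allowing")
```

Run stand-alone it prints four candidate rules and flags all five denials, which matches the thread's conclusion: every rule would grant access to a generic type, so the fix belongs in the file contexts and domain assignment, not in extra allow rules.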