Bug 120054 - user_r cannot connect to socket
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: hpoj
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Russell Coker
Blocks: FC2Target FC3Target FC4Target
Reported: 2004-04-05 16:50 UTC by Tim Waugh
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Bug Fix
Last Closed: 2004-12-02 15:58:25 UTC
Attachments
policy-hpoj.patch (deleted)
2004-05-05 17:20 UTC, Tim Waugh
policy-hpoj.patch (deleted)
2004-05-06 09:23 UTC, Tim Waugh
policy-hpoj-fc.patch (deleted)
2004-05-10 09:47 UTC, Tim Waugh

Description Tim Waugh 2004-04-05 16:50:32 UTC
Description of problem:
The HP OfficeJet driver provides services through sockets, located in
/var/run/ptal-printd and /var/run/ptal-mlcd.  These are created
post-install by running 'ptal-init setup', and are not in the package
manifest.

So one example of something that fails is trying to scan.  Start GIMP,
go to 'Acquire->XSane device dialog', and among the audit messages is:

audit(1081182775.619:0): avc:  denied  { write } for  pid=30702
exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series
dev=hda2 ino=1017121 scontext=user_u:user_r:user_t
tcontext=system_u:object_r:var_run_t tclass=sock_file

Version-Release number of selected component (if applicable):
hpoj-0.91-6
policy-1.9.2-11

How reproducible:
100%

What's the best way to fix this?

Comment 1 Tim Waugh 2004-04-05 16:53:20 UTC
Here's another audit message.  This comes from trying to print to an
HP all-in-one:

audit(1081184286.786:0): avc:  denied  { write } for  pid=30952
exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2
ino=1017121 scontext=system_u:system_r:cupsd_t
tcontext=system_u:object_r:var_run_t tclass=sock_file

Comment 2 Tim Waugh 2004-04-19 14:19:38 UTC
For completeness here are the audit messages from permissive mode, so
we can see all the hurdles at once.

Printing something:

audit(1082384337.766:0): avc:  denied  { write } for  pid=10888
exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2
ino=1017118 scontext=system_u:system_r:cupsd_t
tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384337.804:0): avc:  denied  { connectto } for  pid=10888
exe=/usr/bin/ptal-connect path=/var/run/ptal-mlcd/usb:PSC_2200_Series
scontext=system_u:system_r:cupsd_t tcontext=root:system_r:initrc_t
tclass=unix_stream_socket

And scanning:

audit(1082384628.518:0): avc:  denied  { write } for  pid=10937
exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017118
scontext=user_u:user_r:user_t tcontext=root:object_r:var_run_t
tclass=sock_file
audit(1082384628.519:0): avc:  denied  { connectto } for  pid=10937
exe=/usr/bin/xsane-gimp path=/var/run/ptal-mlcd/usb:PSC_2200_Series
scontext=user_u:user_r:user_t tcontext=root:system_r:initrc_t
tclass=unix_stream_socket

So what's the best way to fix this do you think?
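
An added example, not part of the original thread or of the Fedora policy: a small Python parser that groups the permissive-mode AVC records from comment 2 by source type, target type and object class, so the distinct denials are visible at a glance. Treating var_run_t and initrc_t as catch-all types that call for a dedicated label rather than an allow rule is an assumption of this example, as are all function names.

```python
import re
from collections import defaultdict

# The four records from comment 2, rejoined onto single lines.
SAMPLE = """\
audit(1082384337.766:0): avc:  denied  { write } for  pid=10888 exe=/usr/bin/ptal-connect name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=system_u:system_r:cupsd_t tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384337.804:0): avc:  denied  { connectto } for  pid=10888 exe=/usr/bin/ptal-connect path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=system_u:system_r:cupsd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
audit(1082384628.518:0): avc:  denied  { write } for  pid=10937 exe=/usr/bin/xsane-gimp name=usb:PSC_2200_Series dev=hda2 ino=1017118 scontext=user_u:user_r:user_t tcontext=root:object_r:var_run_t tclass=sock_file
audit(1082384628.519:0): avc:  denied  { connectto } for  pid=10937 exe=/usr/bin/xsane-gimp path=/var/run/ptal-mlcd/usb:PSC_2200_Series scontext=user_u:user_r:user_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

# Assumption of this example: a denial against one of these catch-all types
# points at a missing file context or domain, not at a rule to add.
GENERIC_TYPES = {"var_run_t", "initrc_t"}

def parse_avc(line):
    """Return the fields of one 'avc: denied' record, or None if not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    if not rec.keys() >= {"scontext", "tcontext", "tclass"}:
        return None
    rec["perms"] = m.group("perms").split()
    # Contexts here are user:role:type; type enforcement keys on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Map (source type, target type, class) to the set of denied perms."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return dict(rules)

def needs_own_type(rules):
    """Target types in the denials that are generic catch-alls."""
    return sorted({t for (_, t, _) in rules if t in GENERIC_TYPES})

if __name__ == "__main__":
    for (s, t, c), perms in sorted(summarize(SAMPLE).items()):
        print(f"{s} -> {t}:{c} {{ {' '.join(sorted(perms))} }}")
    print("generic target types:", needs_own_type(summarize(SAMPLE)))
```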

Comment 3 Tim Waugh 2004-05-05 17:20:45 UTC
Created attachment 99995
policy-hpoj.patch

Here is a first stab at getting printing working, at least.  How does it look? 
Should I try the same approach for scanning?

Comment 4 Tim Waugh 2004-05-06 09:23:28 UTC
Created attachment 100034
policy-hpoj.patch

Here's a fixed version of the print patch.

Comment 5 Tim Waugh 2004-05-06 09:29:00 UTC
For scanning I'm not sure what to do.  Make xsane-gimp, xsane,
scanimage et al all 'scan_t' or something, and go from there?

Or should we let user_t processes connect to ptal sockets (as normal)?

Comment 6 Tim Waugh 2004-05-10 09:47:30 UTC
Created attachment 100118
policy-hpoj-fc.patch

Here's an incremental fix to correct the file contexts on
/var/run/ptal-{printd,mlcd}/* if they already exist. (It's only a problem if
you run setfiles on /var while hpoj is running.)

Comment 7 Tim Waugh 2004-08-24 16:02:44 UTC
No idea what to do for scanning, as I mentioned in comment #5.  Needs
input from someone who has better judgment about policy.

Comment 8 Daniel Walsh 2004-08-25 15:44:22 UTC
Russell do you have ideas on this?

Comment 9 Daniel Walsh 2004-12-02 15:58:25 UTC
We are working the scanning problem in #140059

So I am closing this bug report.