[refpolicy] AVC denials from cups

[refpolicy] AVC denials from cups

[Matt Anderson]

JOhn ROss POrter wrote:
> I don't know how to distinguish between "to get extra functionality", 
> and "driver is requesting."  I submit a print job to the device which 
> uses the hp:/net/Office... URI and I get AVC denial pop-ups.

You had mentioned that the hplip driver allows you to get more
functionality than just printing.  I was wondering if the AVCs were
generated from those requests, or the printing requests, or what was
seemingly random from the driver.

> I should also mention, again(?), that I run SELinux in "permissive" 
> mode.  The AVC warnings are just an annoyance and to not prohibit 
> further activities.

It could be interesting to see how the system behaves in enforcing mode.
You could remove your policy additions and see if you're still able to
print and access the scanning and printer display feedback
functionality, then add your policy module back in, and see what works.

> My reason for filing this bug report derived from following
> suggestions 
> received from the #selinux channel on the freenode IRC Network.
>  From my own point of view, this issue may be dropped.  The thread may 
> prove helpful, however, to anyone else installing the 2.8.7 level of
> hplip.

I don't recall you posting the rules in your policy module here.  It
might be good to do that so that its all archived in the same place.

> Thanks for your attention,
> Joropo

Thanks for bringing it up.
-matt

[refpolicy] AVC denials from cups

[JOhn ROss POrter]

Matt Anderson wrote:
> JOhn ROss POrter wrote:
>   
>
> You had mentioned that the hplip driver allows you to get more
> functionality than just printing.  I was wondering if the AVCs were
> generated from those requests, or the printing requests, or what was
> seemingly random from the driver.
>   
The AVC warnings occur only as a result of print activity. I get no such 
warnings from the scanner interface.
>   
>
> It could be interesting to see how the system behaves in enforcing mode.
> You could remove your policy additions and see if you're still able to
> print and access the scanning and printer display feedback
> functionality, then add your policy module back in, and see what works.
>   
I suppose I could follow this path. However, I'm less willing to put in 
the effort. I've gotten warnings in the past *only* when I print. I've 
never heard from SELinux while playing with the scanner interface.
>   
>
> I don't recall you posting the rules in your policy module here.  It
> might be good to do that so that its all archived in the same place.
>   
follows: /usr/share/selinux/locals/local.te
as generated by assist2allow(?) - unedited, not really understood.
--begin copy--

module local 1.0;

require {
type system_dbusd_var_run_t;
type hplip_t;
type xdm_t;
type system_dbusd_t;
class process { execstack execmem };
class sock_file write;
class dbus send_msg;
class dir search;
class unix_stream_socket connectto;
}
require {
type system_dbusd_var_run_t;
type hplip_t;
type xdm_t;
type system_dbusd_t;
class process { execstack execmem };
class sock_file write;
class dbus send_msg;
class dir search;
class unix_stream_socket connectto;
}
require {
type system_dbusd_var_run_t;
type hplip_t;
type xdm_t;
type system_dbusd_t;
class process { execstack execmem };
class sock_file write;
class dbus send_msg;
class dir search;
class unix_stream_socket connectto;
}

#============= hplip_t ==============
allow hplip_t system_dbusd_t:dbus send_msg;
allow hplip_t system_dbusd_t:unix_stream_socket connectto;
allow hplip_t system_dbusd_var_run_t:dir search;
allow hplip_t system_dbusd_var_run_t:sock_file write;

#============= xdm_t ==============
allow xdm_t self:process { execstack execmem };
---end copy---
>   
>
> Thanks for bringing it up.
> -matt
>
>   
Joropo

[refpolicy] AVC denials from cups

[Christopher J. PeBenito]

On Wed, 2008-08-27 at 15:01 -0400, JOhn ROss POrter wrote:
> Matt Anderson wrote:
> > JOhn ROss POrter wrote:   
> >
> > You had mentioned that the hplip driver allows you to get more
> > functionality than just printing.  I was wondering if the AVCs were
> > generated from those requests, or the printing requests, or what was
> > seemingly random from the driver.
> >   
> The AVC warnings occur only as a result of print activity. I get no such 
> warnings from the scanner interface.
[...]
> allow hplip_t system_dbusd_t:dbus send_msg;
> allow hplip_t system_dbusd_t:unix_stream_socket connectto;
> allow hplip_t system_dbusd_var_run_t:dir search;
> allow hplip_t system_dbusd_var_run_t:sock_file write;

A quick look into hplip reveals that it uses dbus, so this isn't
surprising.  I have added this access to refpolicy.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

[refpolicy] AVC denials from cups

[JOhn ROss POrter]

I don't know how to distinguish between "to get extra functionality", 
and "driver is requesting."  I submit a print job to the device which 
uses the hp:/net/Office... URI and I get AVC denial pop-ups.

My current status is that I've generated allow rules which, 
successfully, permit the printer interface to function without warnings.
I would mention that the FAQ which setroubleshoot directed be to was 
*very* helpful with respect to generating and applying the necessary 
rules.  Thanks for the assist!

I should also mention, again(?), that I run SELinux in "permissive" 
mode.  The AVC warnings are just an annoyance and to not prohibit 
further activities.

My reason for filing this bug report derived from following suggestions 
received from the #selinux channel on the freenode IRC Network.
 From my own point of view, this issue may be dropped.  The thread may 
prove helpful, however, to anyone else installing the 2.8.7 level of hplip.

Thanks for your attention,
Joropo
-------- Original Message --------

On Tue, Aug 26, 2008 at 02:10:02PM -0400, JOhn ROss POrter wrote:
> Matt Anderson wrote:
>> same device URI and PPD file?  
> different URI's
> no AVC -- socket://192.168.1.105:9100
> w/AVC -- hp:/net/OfficeJet_G85?ip=192.168.1.105 (was created  
> auto-magically by hplip install procedure. Additionally, extra  
> functionality enabled with this device [scanning and printer display  
> feedback])

Okay, it sounds like you've got a patch for the hplip policy then.  Do
you need these additional allow rules to get the extra functionality or
are they permissions the driver is requesting?  If it works, but
generates AVCs as is, you might consider using dontaudit rules.

-matt

[refpolicy] AVC denials from cups

[JOhn ROss POrter]

Getting these denials when printing through cups.

type=AVC msg=audit(1219156658.544:2005): avc:  denied  { search } for 
pid=6591 comm="hp" name="dbus" dev=dm-0 ino=12799869 
scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1219156658.544:2005): avc:  denied  { write } for 
pid=6591 comm="hp" name="system_bus_socket" dev=dm-0 ino=12800311 
scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1219156658.544:2005): avc:  denied  { connectto } for 
  pid=6591 comm="hp" path="/var/run/dbus/system_bus_socket" 
scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 
tclass=unix_stream_socket


I've created and applied a local policy to allow this access but have 
been instructed to file a bug report about the situation.
Printer description from cups:
*Description:* new driver

*Location:* corner

*Printer Driver:* HP OfficeJet G85 Foomatic/hpijs (recommended)

*Printer State:* idle,
accepting jobs,  published.

*Device URI:* hp:/net/OfficeJet_G85?ip=192.168.1.105

Unfortunatly, I'm unable to locate specific data about the pinter 
driver.  I'll claim it is the latest version available from HP.
Another driver (with same id) does not cause problems.

[refpolicy] AVC denials from cups

[Matt Anderson]

On Mon, Aug 25, 2008 at 10:21:40AM -0400, JOhn ROss POrter wrote:
> *Printer Driver:* HP OfficeJet G85 Foomatic/hpijs (recommended)

> *Device URI:* hp:/net/OfficeJet_G85?ip=192.168.1.105

> Unfortunatly, I'm unable to locate specific data about the pinter 
> driver.  I'll claim it is the latest version available from HP.
> Another driver (with same id) does not cause problems.

Is the driver included with the hplip package?  You might be able to
look there for version information.  If your on a Debian based distro it
might be in hpijs.

When you say the other driver does not cause the same problems, are you
using the same configuration to setup the printer?  Specifically the
same device URI and PPD file?  And these both point to the same printer?

-matt

[refpolicy] AVC denials from cups

[JOhn ROss POrter]

Matt Anderson wrote:
> On Mon, Aug 25, 2008 at 10:21:40AM -0400, JOhn ROss POrter wrote:
>   
>
> Is the driver included with the hplip package? 
show following from /home/joropo/.hplip/hplip.conf
[installation]
version = 2.8.7
date_time = 08/10/08 09:51:53
In addition to 2.8.7 I have directories&files refelecting 2.8.5 & 2.8.2

>  You might be able to
> look there for version information.  If your on a Debian based distro it
> might be in hpijs.
>   
using fedora 9 with kernel 2.6.25.14-108.fc9.i686
> When you say the other driver does not cause the same problems, are you
> using the same configuration to setup the printer?  Specifically the
> same device URI and PPD file?  
different URI's
no AVC -- socket://192.168.1.105:9100
w/AVC -- hp:/net/OfficeJet_G85?ip=192.168.1.105 (was created 
auto-magically by hplip install procedure. Additionally, extra 
functionality enabled with this device [scanning and printer display 
feedback])
PPD files more difficult to distinguish.
Both appear in cups as *Printer Driver:* HP OfficeJet G85 Foomatic/hpijs 
(recommended)
but I can not find direct feedback about any version differences between 
these two. (expect there is some.)
> And these both point to the same printer?
>   
yes, same physical device.
> -matt
>
>   

[refpolicy] AVC denials from cups

[Matt Anderson]

On Tue, Aug 26, 2008 at 02:10:02PM -0400, JOhn ROss POrter wrote:
> Matt Anderson wrote:
>> same device URI and PPD file?  
> different URI's
> no AVC -- socket://192.168.1.105:9100
> w/AVC -- hp:/net/OfficeJet_G85?ip=192.168.1.105 (was created  
> auto-magically by hplip install procedure. Additionally, extra  
> functionality enabled with this device [scanning and printer display  
> feedback])

Okay, it sounds like you've got a patch for the hplip policy then.  Do
you need these additional allow rules to get the extra functionality or
are they permissions the driver is requesting?  If it works, but
generates AVCs as is, you might consider using dontaudit rules.

-matt