Hello,
Please see https://www.redhat.com/archives/fedora-list/2005-July/msg03159.html
Any suggestions, please?
TIA,
Vinicius.
Vinicius wrote:
Hello,
Please see https://www.redhat.com/archives/fedora-list/2005-July/msg03159.html
Any suggestions, please?
Well first put in a bugzilla. Secondly what port is it trying to connect to?
Did you change the port number of the hpssd?
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list
Hello,
I filed the bug report number 163434 (https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163434).
The port is 32774.
No, I didn't change the port number of the hpssd. And I don't know how to do this.
from /var/log/messages:
Jul 16 10:02:54 ronin hpiod: 0.9.3 accepting connections at 32774...
Jul 16 10:03:04 ronin python: hpssd [ERROR] Unable to connect to hpiod.
from /var/log/audit/audit.log:
type=CWD msg=audit(1121518984.285:13005806): cwd="/usr/share/hplip"
type=PATH msg=audit(1121518984.285:13005806): item=0 name="/usr/share/hplip/base/strings.pyc" flags=310 inode=1181808 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1121518984.905:13008633): avc: denied { name_connect } for pid=4841 comm="python" dest=32774 scontext=root:system_r:hplip_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1121518984.905:13008633): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfd6cf50 a2=98b114 a3=b7c99b48 items=0 pid=4841 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="python" exe="/usr/bin/python"
type=SOCKADDR msg=audit(1121518984.905:13008633): saddr=020080067F0000010000000000000000
type=SOCKETCALL msg=audit(1121518984.905:13008633): nargs=3 a0=5 a1=b7c99b60 a2=10
TIA,
Vinicius.
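
An added example, not part of the original message: a small Python parser that reads the AVC and SOCKADDR records of the event quoted above and decodes the saddr dump, showing that the denied name_connect was to 127.0.0.1 port 32774 (the hpiod port). The function names are hypothetical, and the decoder assumes an IPv4 address logged on a little-endian host, as in this log.

```python
import re
import socket
import struct

# The AVC and SOCKADDR records of event 13008633, copied from the log above.
RECORDS = [
    'type=AVC msg=audit(1121518984.905:13008633): avc: denied { name_connect } '
    'for pid=4841 comm="python" dest=32774 scontext=root:system_r:hplip_t '
    'tcontext=system_u:object_r:port_t tclass=tcp_socket',
    'type=SOCKADDR msg=audit(1121518984.905:13008633): saddr=020080067F0000010000000000000000',
]

HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into type, event serial and key=value fields."""
    head = HEADER.search(line)
    if head is None:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": head.group(1), "serial": int(head.group(2))}
    body = line[head.end():]
    perms = PERMS.search(body)
    if perms:
        rec["result"], rec["perms"] = perms.group(1), perms.group(2).split()
        body = body[perms.end():]
    rec.update((k, v.strip('"')) for k, v in FIELD.findall(body))
    return rec

def decode_saddr(hexstr):
    """Decode an AF_INET sockaddr_in dump logged by a little-endian host."""
    raw = bytes.fromhex(hexstr)
    (family,) = struct.unpack("<H", raw[:2])   # sa_family is host byte order
    if family != socket.AF_INET:
        raise ValueError("unsupported address family %d" % family)
    (port,) = struct.unpack("!H", raw[2:4])    # sin_port is network byte order
    return socket.inet_ntoa(raw[4:8]), port

def explain_denial(lines):
    """Join the AVC with the SOCKADDR record that shares its event serial."""
    recs = [parse_record(l) for l in lines]
    avc = next(r for r in recs if r["type"] == "AVC")
    out = {"perms": avc["perms"], "class": avc["tclass"],
           "source_type": avc["scontext"].split(":")[2],
           "target_type": avc["tcontext"].split(":")[2]}
    for r in recs:
        if r["type"] == "SOCKADDR" and r["serial"] == avc["serial"]:
            out["peer"] = decode_saddr(r["saddr"])
    return out
```
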
Hello,
after the recent FC4 updates such as gcc and libtool (thanks to them, I think), hplip 0.9.4 from http://sourceforge.net/projects/hpinkjet/ is working fine with FC4, printing and scanning. I think the hplip component from the Fedora development team will work too. But I'm running with SELinux disabled, so I will turn it on and see what happens.
Cheers,
Vinicius.
I think I have to thank the SELinux policy updates too.
Just to make things clear, I compiled hplip 0.9.4 after the recent updates under.
With SELinux enabled with "enforcing" and "targeted", the PSC 1315 prints but does not scan. I see the following AVCs:
type=AVC msg=audit(1122548966.016:259603): avc: denied { rename } for pid=2103 comm="cupsd" name="classes.conf" dev=dm-0 ino=3692813 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:cupsd_etc_t tclass=file
type=AVC msg=audit(1122548966.016:259604): avc: denied { write } for pid=2103 comm="cupsd" name="classes.conf" dev=dm-0 ino=3692813 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:cupsd_etc_t tclass=file
Vinicius.
Vinicius wrote:
With SELinux enabled with "enforcing" and "targeted", the PSC 1315 prints but does not scan. I see the following AVCs:
type=AVC msg=audit(1122548966.016:259603): avc: denied { rename } for pid=2103 comm="cupsd" name="classes.conf" dev=dm-0 ino=3692813 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:cupsd_etc_t tclass=file
type=AVC msg=audit(1122548966.016:259604): avc: denied { write } for pid=2103 comm="cupsd" name="classes.conf" dev=dm-0 ino=3692813 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:cupsd_etc_t tclass=file
Can you change classes.conf to cupsd_etc_rw_t?
chcon -t cupsd_etc_rw_t classes.conf
And see if it works?
On Thu, Jul 28, 2005 at 11:16:31AM -0400, Daniel J Walsh wrote:
Can you change classes.conf to cupsd_etc_rw_t?
chcon -t cupsd_etc_rw_t classes.conf
And see if it works?
It's worth pointing out that I finally gave up and changed the way that system-config-printer writes out configuration files, just to make selinux happy. This week's Fedora Update contains that change, so possibly the reporter did not have that package updated.
I had been getting it to write to a new file in the correct directory, then rename over the original file. The new way is to overwrite the original file and cross our fingers that CUPS doesn't want to read the file before we've finished writing it.
Daniel, for the record: what is the recommended way for system tools to write configuration files?
Tim.
On Thu, 2005-07-28 at 16:50 +0100, Tim Waugh wrote:
Daniel, for the record: what is the recommended way for system tools to write configuration files?
Creating a new file and renaming it over the old one is obviously safer. As far as the security context goes, you can either define an automatic file type transition if the (process domain, parent directory type) is sufficient to distinguish the file or you can have the program do an explicit setfscreatecon() before creating the new file, either using the result of a getfilecon() on the original file to get the old context or using matchpathcon() to get it from the policy based on the path.
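
An added example, not code from this thread or from system-config-printer: the write-then-rename approach described above, with the new file created under the original file's context via getfilecon() and setfscreatecon(), falling back to matchpathcon() when there is no original. It assumes the optional libselinux Python bindings (module selinux) and degrades to a plain atomic replace without them; replace_config and wanted_context are hypothetical names.

```python
import os
import stat
import tempfile

try:
    import selinux              # libselinux Python bindings; optional
except ImportError:
    selinux = None

def wanted_context(path):
    """Label for the replacement file, or None when SELinux is not in use."""
    if selinux is None or selinux.is_selinux_enabled() != 1:
        return None
    if os.path.lexists(path):
        return selinux.getfilecon(path)[1]              # keep the old label
    return selinux.matchpathcon(path, stat.S_IFREG)[1]  # ask the policy

def replace_config(path, data):
    """Write data (bytes) to a temp file beside path, then rename() over it.

    A reader sees the old file or the new one, never a partial write.
    Returns the context the new file was created with (None if no SELinux).
    """
    context = wanted_context(path)
    tmp = None
    try:
        if context is not None:
            selinux.setfscreatecon(context)   # applies to files created next
        fd, tmp = tempfile.mkstemp(prefix=".new-",
                                   dir=os.path.dirname(os.path.abspath(path)))
        with os.fdopen(fd, "wb") as out:
            out.write(data)
            out.flush()
            os.fsync(out.fileno())            # data on disk before the rename
        if os.path.exists(path):
            os.chmod(tmp, stat.S_IMODE(os.stat(path).st_mode))
        os.rename(tmp, path)                  # atomic within one filesystem
        tmp = None
    finally:
        if context is not None:
            selinux.setfscreatecon(None)      # restore default labelling
        if tmp is not None:
            os.unlink(tmp)
    return context
```

The caller's domain still needs policy permission to create, write and rename files of that type in the directory; file ownership is not copied here.
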
Tim Waugh wrote:
Daniel, for the record: what is the recommended way for system tools to write configuration files?
Is system-config-printer or the backend server rewriting the file? Changing classes.conf to cupsd_etc_rw_t should allow the backend to rewrite the file.
On Thu, Jul 28, 2005 at 11:56:48AM -0400, Daniel J Walsh wrote:
Is system-config-printer or the backend server rewriting the file? Changing classes.conf to cupsd_etc_rw_t should allow the backend to rewrite the file.
The backend is doing it -- printconf-backend.
As I mentioned before, the previous behaviour had been to create a new file and rename it over the old file, and the SELinux policy does not seem to allow that. Can you clarify what the correct procedure is for system tools that want to write configuration files for running daemons?
Thanks, Tim.
Excuse me, I was confusing, because the AVC message that I saw is related to when I changed the default printer using the CUPS web interface; one printer uses the hplip driver, the other one doesn't. I think that's it.
But I did run strace on xsane with SELinux enabled and with it disabled, and I get the following:
$ grep 32770 strace_xsane_with_selinux.txt
read(6, "32770\n", 4096) = 6
connect(6, {sa_family=AF_INET, sin_port=htons(32770), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
$ grep 32770 strace_xsane_without_selinux.txt
read(6, "32770\n", 4096) = 6
connect(6, {sa_family=AF_INET, sin_port=htons(32770), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
$ grep 32771 strace_xsane_with_selinux.txt
read(6, "32771\n", 4096) = 6
connect(7, {sa_family=AF_INET, sin_port=htons(32771), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)
$ grep 32771 strace_xsane_without_selinux.txt
read(6, "32771\n", 4096) = 6
connect(7, {sa_family=AF_INET, sin_port=htons(32771), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
And the audit log doesn't show anything about port 32771 with SELinux enabled.
I'm lost. Any ideas, please?
Vinicius.
On Thu, 2005-07-28 at 17:00 +0100, Tim Waugh wrote:
As I mentioned before, the previous behaviour had been to create a new file and rename it over the old file, and the SELinux policy does not seem to allow that. Can you clarify what the correct procedure is for system tools that want to write configuration files for running daemons?
So, what precisely is the problem with allowing it to create a new file and rename it over the old file? While using a file type transition to put the new file into the correct type or modifying the program to use setfscreatecon() to explicitly label it with the correct type?
selinux@lists.fedoraproject.org