2008-08-27 15:16:43

by mra

[permalink] [raw]
Subject: [refpolicy] AVC denials from cups

JOhn ROss POrter wrote:
> I don't know how to distinguish between "to get extra functionality",
> and "driver is requesting." I submit a print job to the device which
> uses the hp:/net/Office... URI and I get AVC denial pop-ups.

You had mentioned that the hplip driver allows you to get more
functionality than just printing. I was wondering if the AVCs were
generated from those requests, or the printing requests, or what was
seemingly random from the driver.

> I should also mention, again(?), that I run SELinux in "permissive"
> mode. The AVC warnings are just an annoyance and do not prohibit
> further activities.

It could be interesting to see how the system behaves in enforcing mode.
You could remove your policy additions and see if you're still able to
print and access the scanning and printer display feedback
functionality, then add your policy module back in, and see what works.

> My reason for filing this bug report derived from following
> suggestions
> received from the #selinux channel on the freenode IRC Network.
> From my own point of view, this issue may be dropped. The thread may
> prove helpful, however, to anyone else installing the 2.8.7 level of
> hplip.

I don't recall you posting the rules in your policy module here. It
might be good to do that so that it's all archived in the same place.

> Thanks for your attention,
> Joropo

Thanks for bringing it up.
-matt


2008-08-27 19:01:13

by joropo

[permalink] [raw]
Subject: [refpolicy] AVC denials from cups



Matt Anderson wrote:
> JOhn ROss POrter wrote:
>
>
> You had mentioned that the hplip driver allows you to get more
> functionality than just printing. I was wondering if the AVCs were
> generated from those requests, or the printing requests, or what was
> seemingly random from the driver.
>
The AVC warnings occur only as a result of print activity. I get no such
warnings from the scanner interface.
>
>
> It could be interesting to see how the system behaves in enforcing mode.
> You could remove your policy additions and see if you're still able to
> print and access the scanning and printer display feedback
> functionality, then add your policy module back in, and see what works.
>
I suppose I could follow this path. However, I'm less willing to put in
the effort. I've gotten warnings in the past *only* when I print. I've
never heard from SELinux while playing with the scanner interface.
>
>
> I don't recall you posting the rules in your policy module here. It
> might be good to do that so that its all archived in the same place.
>
follows: /usr/share/selinux/locals/local.te
as generated by audit2allow(?) - unedited, not really understood.
--begin copy--

module local 1.0;

# Every type and object class used by the allow rules below must be
# declared here before the module will build and load.
require {
	type system_dbusd_var_run_t;
	type hplip_t;
	type xdm_t;
	type system_dbusd_t;
	class process { execstack execmem };
	class sock_file write;
	class dbus send_msg;
	class dir search;
	class unix_stream_socket connectto;
}

#============= hplip_t ==============
# hplip reaching the system D-Bus daemon: send a message on the bus,
# connect to the daemon's socket, and search/write under its run directory.
allow hplip_t system_dbusd_t:dbus send_msg;
allow hplip_t system_dbusd_t:unix_stream_socket connectto;
allow hplip_t system_dbusd_var_run_t:dir search;
allow hplip_t system_dbusd_var_run_t:sock_file write;

#============= xdm_t ==============
# The display manager domain requesting executable stack/heap for itself.
allow xdm_t self:process { execstack execmem };
---end copy---
>
>
> Thanks for bringing it up.
> -matt
>
>
Joropo
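
To show how a module like the local.te above is derived from raw AVC records, here is an added example (not part of the thread, and not audit2allow itself): a minimal parser that reads AVC and USER_AVC denials, merges permissions per (source type, target type, class), and renders a single require block plus allow rules, using `self` when source and target type coincide. The audit lines are constructed for the example and only mimic the denials the posted module grants.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread) matching the denials the
# posted local.te grants; the last is a USER_AVC from dbus-daemon whose denial text
# is nested inside msg='...'.
SAMPLE_AVCS = """\
type=AVC msg=audit(1219867800.101:51): avc:  denied  { search } for  pid=2871 comm="hp" name="dbus" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1219867800.102:52): avc:  denied  { write } for  pid=2871 comm="hp" name="system_bus_socket" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1219867800.103:53): avc:  denied  { connectto } for  pid=2871 comm="hp" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1219867800.105:55): avc:  denied  { execmem } for  pid=2611 comm="Xorg" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=process
type=AVC msg=audit(1219867800.106:56): avc:  denied  { execstack } for  pid=2611 comm="Xorg" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=process
type=USER_AVC msg=audit(1219867800.104:54): user pid=1802 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call spid=2871 tpid=2950 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon"'
"""
# Denial core shared by AVC and USER_AVC records: permissions, contexts, object class.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)")

def type_of(context):
    return context.split(":")[2]  # user:role:type[:range]; the type is field three

def fmt_perms(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"

def collect_denials(audit_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # other record types (SYSCALL, PATH, ...) carry no denial and are skipped
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def to_policy(denials, module="local", version="1.0"):
    """Render one require block and one allow rule per (source, target, class)."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in denials.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        target = "self" if stype == ttype else ttype  # same type on both sides -> self
        out.append(f"allow {stype} {target}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_policy(collect_denials(SAMPLE_AVCS)))
```

The output is a starting point for review, not a decision: each generated rule still has to be judged against what the domain legitimately needs, which is the question Matt raises about separating printing from the driver's extra functionality.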

2008-08-29 14:33:49

by cpebenito

[permalink] [raw]
Subject: [refpolicy] AVC denials from cups

On Wed, 2008-08-27 at 15:01 -0400, JOhn ROss POrter wrote:
> Matt Anderson wrote:
> > JOhn ROss POrter wrote:
> >
> > You had mentioned that the hplip driver allows you to get more
> > functionality than just printing. I was wondering if the AVCs were
> > generated from those requests, or the printing requests, or what was
> > seemingly random from the driver.
> >
> The AVC warnings occur only as a result of print activity. I get no such
> warnings from the scanner interface.
[...]
> allow hplip_t system_dbusd_t:dbus send_msg;
> allow hplip_t system_dbusd_t:unix_stream_socket connectto;
> allow hplip_t system_dbusd_var_run_t:dir search;
> allow hplip_t system_dbusd_var_run_t:sock_file write;

A quick look into hplip reveals that it uses dbus, so this isn't
surprising. I have added this access to refpolicy.

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150