2008-08-25 14:21:40

by joropo

Subject: [refpolicy] AVC denials from cups

Getting these denials when printing through cups.

type=AVC msg=audit(1219156658.544:2005): avc: denied { search } for
pid=6591 comm="hp" name="dbus" dev=dm-0 ino=12799869
scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1219156658.544:2005): avc: denied { write } for
pid=6591 comm="hp" name="system_bus_socket" dev=dm-0 ino=12800311
scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1219156658.544:2005): avc: denied { connectto } for
pid=6591 comm="hp" path="/var/run/dbus/system_bus_socket"
scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023
tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tclass=unix_stream_socket


I've created and applied a local policy to allow this access but have
been instructed to file a bug report about the situation.
Printer description from cups:
*Description:* new driver

*Location:* corner

*Printer Driver:* HP OfficeJet G85 Foomatic/hpijs (recommended)

*Printer State:* idle, accepting jobs, published.

*Device URI:* hp:/net/OfficeJet_G85?ip=192.168.1.105

Unfortunately, I'm unable to locate specific data about the printer
driver. I'll claim it is the latest version available from HP.
Another driver (with same id) does not cause problems.


2008-08-26 12:08:33

by mra

Subject: [refpolicy] AVC denials from cups

On Mon, Aug 25, 2008 at 10:21:40AM -0400, JOhn ROss POrter wrote:
> *Printer Driver:* HP OfficeJet G85 Foomatic/hpijs (recommended)

> *Device URI:* hp:/net/OfficeJet_G85?ip=192.168.1.105

> Unfortunately, I'm unable to locate specific data about the printer
> driver. I'll claim it is the latest version available from HP.
> Another driver (with same id) does not cause problems.

Is the driver included with the hplip package? You might be able to
look there for version information. If you're on a Debian-based distro it
might be in hpijs.

When you say the other driver does not cause the same problems, are you
using the same configuration to set up the printer? Specifically the
same device URI and PPD file? And these both point to the same printer?

-matt

2008-08-26 18:10:02

by joropo

Subject: [refpolicy] AVC denials from cups



Matt Anderson wrote:
> On Mon, Aug 25, 2008 at 10:21:40AM -0400, JOhn ROss POrter wrote:
>
>
> Is the driver included with the hplip package?
show following from /home/joropo/.hplip/hplip.conf
[installation]
version = 2.8.7
date_time = 08/10/08 09:51:53
In addition to 2.8.7 I have directories & files reflecting 2.8.5 & 2.8.2

> You might be able to
> look there for version information. If you're on a Debian-based distro it
> might be in hpijs.
>
using fedora 9 with kernel 2.6.25.14-108.fc9.i686
> When you say the other driver does not cause the same problems, are you
> using the same configuration to set up the printer? Specifically the
> same device URI and PPD file?
different URIs
no AVC -- socket://192.168.1.105:9100
w/AVC -- hp:/net/OfficeJet_G85?ip=192.168.1.105 (was created
auto-magically by hplip install procedure. Additionally, extra
functionality enabled with this device [scanning and printer display
feedback])
PPD files more difficult to distinguish.
Both appear in cups as *Printer Driver:* HP OfficeJet G85 Foomatic/hpijs
(recommended)
but I can not find direct feedback about any version differences between
these two. (expect there is some.)
> And these both point to the same printer?
>
yes, same physical device.
> -matt
>
>

2008-08-27 12:23:40

by mra

Subject: [refpolicy] AVC denials from cups

On Tue, Aug 26, 2008 at 02:10:02PM -0400, JOhn ROss POrter wrote:
> Matt Anderson wrote:
>> same device URI and PPD file?
> different URIs
> no AVC -- socket://192.168.1.105:9100
> w/AVC -- hp:/net/OfficeJet_G85?ip=192.168.1.105 (was created
> auto-magically by hplip install procedure. Additionally, extra
> functionality enabled with this device [scanning and printer display
> feedback])

Okay, it sounds like you've got a patch for the hplip policy then. Do
you need these additional allow rules to get the extra functionality or
are they permissions the driver is requesting? If it works, but
generates AVCs as is, you might consider using dontaudit rules.

-matt
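
Added example, not part of the original thread: a simplified Python sketch of the mapping that audit2allow performs, turning the three denials from the first message into the allow rules a local policy would carry, or into the dontaudit form Matt suggests, which silences the log entries without granting the access. The function names are made up for this illustration, and the sample input is the thread's AVC records re-joined onto one line each.

```python
import re
from collections import defaultdict

# The three denials from the first message, re-joined onto one line each
# (the mail client had wrapped them).
SAMPLE = """\
type=AVC msg=audit(1219156658.544:2005): avc: denied { search } for pid=6591 comm="hp" name="dbus" dev=dm-0 ino=12799869 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1219156658.544:2005): avc: denied { write } for pid=6591 comm="hp" name="system_bus_socket" dev=dm-0 ino=12800311 scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1219156658.544:2005): avc: denied { connectto } for pid=6591 comm="hp" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)")

def context_type(ctx):
    # A context is user:role:type[:mls-range]; the range may itself contain ':'
    return ctx.split(":")[2]

def parse_denials(text):
    """Return {(source_type, target_type, class): set_of_permissions}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["s"]), context_type(m["t"]), m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def render(rules, keyword="allow"):
    """Render rules as policy statements; keyword is 'allow' or 'dontaudit'."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        out.append(f"{keyword} {src} {tgt}:{cls} {body};")
    return out

if __name__ == "__main__":
    for kw in ("allow", "dontaudit"):
        print("\n".join(render(parse_denials(SAMPLE), kw)))
```

All three records share one audit serial (1219156658.544:2005), so they come from a single attempt by the hp backend to connect to the system D-Bus socket.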