I'm getting some messages from hpoj that I don't remember getting before, shown below. After starting in permissive mode, checking on '/var/run/ptal-mlcd and ptal-printd' shows files (fifos) with context 'system_u:object_r:var_run_t'. I was expecting them to be 'system_u:object_r:ptal_var_run_t'.
Have I missed configuring this properly?
thanks, tom
Audit2allow on permissive avc's yields:
allow ptal_t etc_runtime_t:file { getattr };
allow ptal_t etc_t:file { read };
allow ptal_t staff_home_dir_t:dir { search };
allow ptal_t usbdevfs_t:dir { getattr read };
allow ptal_t var_run_t:fifo_file { create read setattr };
allow ptal_t var_run_t:sock_file { create setattr };
(enforcing):
Jul 19 09:58:07 fedora kernel: audit(1090256287.964:0): avc: denied { create } for pid=5638 exe=/usr/sbin/ptal-mlcd name=usb:PSC_900_Series scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=sock_file
Jul 19 09:58:07 fedora ptal-mlcd: FATAL ERROR at ExMgr.cpp:1250, dev=mlc:usb:PSC_900_Series, pid=5638, e=13, t=1090256287 bind(/var/run/ptal-mlcd/usb:PSC_900_Series) failed! Ensure /var/run/ptal-mlcd/ exists.
Jul 19 09:58:07 fedora kernel: audit(1090256287.972:0): avc: denied { search } for pid=5639 exe=/usr/sbin/ptal-printd name=root dev=hda2 ino=1196033 scontext=system_u:system_r:ptal_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jul 19 09:58:07 fedora kernel: audit(1090256287.972:0): avc: denied { read } for pid=5639 exe=/usr/sbin/ptal-printd name=mlc:usb:PSC_900_Series dev=hda2 ino=738368 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:etc_t tclass=file
Jul 19 09:58:07 fedora kernel: audit(1090256287.972:0): avc: denied { getattr } for pid=5639 exe=/usr/sbin/ptal-printd path=/etc/ptal/ptal-printd-like dev=hda2 ino=737289 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jul 19 09:58:07 fedora ptal-printd: ptal-printd(mlc:usb:PSC_900_Series): Unable to read file permissions from "/etc/ptal/ptal-printd-like"!
Jul 19 09:58:09 fedora ptal-photod: ptal-photod(mlc:usb:PSC_900_Series) successfully initialized, listening on port 5703.
(permissive):
Jul 19 09:59:41 fedora ptal-mlcd: SYSLOG at ExMgr.cpp:652, dev=mlc:usb:PSC_900_Series, pid=5694, e=2, t=1090256381 ptal-mlcd successfully initialized.
Jul 19 09:59:41 fedora ptal-printd: ptal-printd(mlc:usb:PSC_900_Series) successfully initialized using /var/run/ptal-printd/mlc_usb_PSC_900_Series*.
Jul 19 09:59:41 fedora kernel: audit(1090256381.301:0): avc: denied { create } for pid=5693 exe=/usr/sbin/ptal-mlcd name=usb:PSC_900_Series scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=sock_file
Jul 19 09:59:41 fedora kernel: audit(1090256381.301:0): avc: denied { setattr } for pid=5693 exe=/usr/sbin/ptal-mlcd name=usb:PSC_900_Series dev=hda2 ino=4493726 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=sock_file
Jul 19 09:59:41 fedora kernel: audit(1090256381.301:0): avc: denied { read } for pid=5693 exe=/usr/sbin/ptal-mlcd dev=usbdevfs ino=1417 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbdevfs_t tclass=dir
Jul 19 09:59:41 fedora kernel: audit(1090256381.301:0): avc: denied { getattr } for pid=5693 exe=/usr/sbin/ptal-mlcd path=/proc/bus/usb dev=usbdevfs ino=1417 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:usbdevfs_t tclass=dir
Jul 19 09:59:41 fedora kernel: audit(1090256381.308:0): avc: denied { search } for pid=5695 exe=/usr/sbin/ptal-printd name=root dev=hda2 ino=1196033 scontext=system_u:system_r:ptal_t tcontext=root:object_r:staff_home_dir_t tclass=dir
Jul 19 09:59:41 fedora kernel: audit(1090256381.309:0): avc: denied { read } for pid=5695 exe=/usr/sbin/ptal-printd name=mlc:usb:PSC_900_Series dev=hda2 ino=738368 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:etc_t tclass=file
Jul 19 09:59:41 fedora kernel: audit(1090256381.309:0): avc: denied { getattr } for pid=5695 exe=/usr/sbin/ptal-printd path=/etc/ptal/ptal-printd-like dev=hda2 ino=737289 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jul 19 09:59:41 fedora kernel: audit(1090256381.309:0): avc: denied { create } for pid=5695 exe=/usr/sbin/ptal-printd name=mlc_usb_PSC_900_Series scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=fifo_file
Jul 19 09:59:41 fedora kernel: audit(1090256381.309:0): avc: denied { setattr } for pid=5695 exe=/usr/sbin/ptal-printd name=mlc_usb_PSC_900_Series dev=hda2 ino=4493727 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=fifo_file
Jul 19 09:59:41 fedora kernel: audit(1090256381.309:0): avc: denied { read } for pid=5695 exe=/usr/sbin/ptal-printd name=mlc_usb_PSC_900_Series dev=hda2 ino=4493727 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=fifo_file
Jul 19 09:59:43 fedora ptal-photod: ptal-photod(mlc:usb:PSC_900_Series) successfully initialized, listening on port 5703.
On Tue, 20 Jul 2004 03:15, Tom London selinux@comcast.net wrote:
Audit2allow on permissive avc's yields:
allow ptal_t etc_runtime_t:file { getattr };
allow ptal_t etc_t:file { read };
For file access, whenever read access is requested you should allow getattr. For a file type such as etc_runtime_t, which contains nothing secret, if you allow getattr you should allow read. So I added the following to my tree:
allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
allow ptal_t staff_home_dir_t:dir { search };
What does ptal do? Why does it need such access?
allow ptal_t usbdevfs_t:dir { getattr read };
Again, what is it trying to do here? I've never used ptal so I don't know what we should be permitting it to do.
allow ptal_t var_run_t:fifo_file { create read setattr };
allow ptal_t var_run_t:sock_file { create setattr };
For the sock_file and the fifo_file in question you didn't provide enough information to determine which directory they are in. Please repeat the tests and use "find /var/run -inum ..." to find the full path.
If they are under /var/run/ptal-printd or /var/run/ptal-mlcd then they should have the correct type and there should not be any problem (in which case there is some strange mis-labelling issue). If they are not under those directories then I will need to know the directories that they are in to write the correct policy.
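The two things asked for in this exchange, turning AVC denials into allow rules the way audit2allow does and resolving the dev/inode pairs from denials that carry no path, can be done with a small amount of awk. The following is an added example, not code from the thread or from the SELinux policy tree; the function names avc_to_rules, avc_inodes and ino_to_path are made up here, and the sample lines are constructed copies of denials quoted above.

```shell
# Added example (not from the thread): summarise kernel AVC denials into
# audit2allow-style rules, and list the (dev, ino) pairs that still need a
# "find <dir> -inum" lookup because the denial reports no path.
# SAMPLE_AVC is constructed from denials quoted earlier in the thread.
SAMPLE_AVC='Jul 19 09:59:41 fedora kernel: audit(1090256381.301:0): avc: denied { create } for pid=5693 exe=/usr/sbin/ptal-mlcd name=usb:PSC_900_Series scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=sock_file
Jul 19 09:59:41 fedora kernel: audit(1090256381.301:0): avc: denied { setattr } for pid=5693 exe=/usr/sbin/ptal-mlcd name=usb:PSC_900_Series dev=hda2 ino=4493726 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=sock_file
Jul 19 09:59:41 fedora kernel: audit(1090256381.309:0): avc: denied { getattr } for pid=5695 exe=/usr/sbin/ptal-printd path=/etc/ptal/ptal-printd-like dev=hda2 ino=737289 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:etc_runtime_t tclass=file'

# avc_to_rules: stdin = audit lines, stdout = one allow rule per
# (source type, target type, class) with the permissions merged and
# de-duplicated, sorted so the output is stable.
avc_to_rules() {
  awk '
  /avc: *denied [{]/ {
    if (!match($0, /denied [{][^}]*[}]/)) next
    perms = substr($0, RSTART + 8, RLENGTH - 9)   # text between the braces
    gsub(/^ +| +$/, "", perms)
    s = t = c = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); s = a[3] }
      else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
      else if ($i ~ /^tclass=/)   { c = substr($i, 8) }
    }
    key = s " " t ":" c
    np = split(perms, p, " ")
    for (j = 1; j <= np; j++)
      if (index(" " have[key] " ", " " p[j] " ") == 0)
        have[key] = (have[key] == "" ? p[j] : have[key] " " p[j])
  }
  END { for (k in have) printf "allow %s { %s };\n", k, have[k] }
  ' | sort
}

# avc_inodes: stdin = audit lines, stdout = "dev ino" for every denial that
# only reports an inode (no path= field), i.e. the ones needing find -inum.
avc_inodes() {
  awk '
  /avc: *denied/ && !/ path=/ {
    d = n = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^dev=/) d = substr($i, 5)
      else if ($i ~ /^ino=/) n = substr($i, 5)
    }
    if (n != "") print d, n
  }' | sort -u
}

# ino_to_path DIR INO: resolve an inode number to its path below DIR,
# staying on one filesystem; this is "find /var/run -inum ..." wrapped.
ino_to_path() {
  find "$1" -xdev -inum "$2" 2>/dev/null
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
printf '%s\n' "$SAMPLE_AVC" | avc_inodes
```

The rules this prints describe only what the process tried to do; as the reply above points out, when the target type in the denial (var_run_t here) is itself the result of a mislabelled directory, the right fix is to correct the label rather than to add the rule, and the inode lookup is how you find out which.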
From what I understand, ptal implements the mechanism to connect to bidirectional printers/scanners/.... In my case, I have a USB connected HP office jet (an HP PSC-950). I'm guessing it scans through /proc/bus/usb to discover appropriate devices.
I made the change you suggested (adding 'allow' for etc_t and etc_runtime_t), and did a 'make install'. 'run_init /etc/rc.d/init.d/hpoj start' now gets a quick 'denied' when attempting to create the socket ('usb:PSC_900_Series'):
Jul 20 07:17:56 fedora kernel: audit(1090333076.788:0): avc: denied { create } for pid=3684 exe=/usr/sbin/ptal-mlcd name=usb:PSC_900_Series scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=sock_file
Jul 20 07:17:56 fedora ptal-mlcd: FATAL ERROR at ExMgr.cpp:1250, dev=mlc:usb:PSC_900_Series, pid=3684, e=13, t=1090333076 bind(/var/run/ptal-mlcd/usb:PSC_900_Series) failed! Ensure /var/run/ptal-mlcd/ exists.
The above shows ptal failing to create the sock-file '/var/run/ptal-mlcd/usb:....'. (Shouldn't the tcontext be 'ptal_var_run_t'????)
Jul 20 07:17:56 fedora kernel: audit(1090333076.799:0): avc: denied { search } for pid=3685 exe=/usr/sbin/ptal-printd name=root dev=hda2 ino=1196033 scontext=system_u:system_r:ptal_t tcontext=root:object_r:staff_home_dir_t tclass=dir
I don't know why ptal is trying to search '/root'.
Jul 20 07:17:56 fedora kernel: audit(1090333076.800:0): avc: denied { read } for pid=3685 exe=/usr/sbin/ptal-printd name=mlc:usb:PSC_900_Series dev=hda2 ino=738368 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:etc_t tclass=file
'find / -inum 738368' -> /etc/ptal/mlc:usb:PSC_900_Series
-rw-rw---- root lp system_u:object_r:etc_runtime_t ptal-printd-like
Jul 20 07:17:56 fedora kernel: audit(1090333076.800:0): avc: denied { getattr } for pid=3685 exe=/usr/sbin/ptal-printd path=/etc/ptal/ptal-printd-like dev=hda2 ino=737289 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:etc_runtime_t tclass=file
Jul 20 07:17:56 fedora ptal-printd: ptal-printd(mlc:usb:PSC_900_Series): Unable to read file permissions from "/etc/ptal/ptal-printd-like"!
Jul 20 07:17:58 fedora ptal-photod: ptal-photod(mlc:usb:PSC_900_Series) successfully initialized, listening on port 5703.
One of the 'ptal' daemons has started, but others have not.
tom
I 'fiddled' a bit more with this. The following additions to cups.te seem to make it work:
allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
ifdef(`usbmodules.te', `
r_dir_file(ptal_t, usbdevfs_t)
')
file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
The 'allow' you provided lets ptal read /etc/ptal, etc.
The 'ifdef' mimics the entries for cups. I'm guessing that ptal needs to 'discover' the USB devices it is to control.
The 'file_type_auto_trans' causes the files created in /var/run/ptal* to have the correct context.
tom
On Wed, 21 Jul 2004 04:15, Tom London selinux@comcast.net wrote:
ifdef(`usbmodules.te', ` r_dir_file(ptal_t, usbdevfs_t) ')
I think that the above will be needed even without usbmodules.te. Also note that usbdevfs_t is defined in types/file.te so you won't have any compile errors, which is the main reason for ifdef's. I'll add that to my policy without the ifdef.
file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)
This isn't what we want. It allows ptal_t to directly create sock_file, lnk_file, fifo_file, and dir entries under /var/run which is more access than it needs. Fixing the bug in cups.fc as described in my previous message will solve the problem.
EXCELLENT!
Combined with previous fix to cups.fc, all is working now, and a much better fix than the file_type_auto_trans() hack I came up with.
Thanks! tom
On Wed, 21 Jul 2004 02:19, Tom London selinux@comcast.net wrote:
avc: denied { create } for pid=3684 exe=/usr/sbin/ptal-mlcd name=usb:PSC_900_Series scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=sock_file
fedora ptal-mlcd: FATAL ERROR at ExMgr.cpp:1250, dev=mlc:usb:PSC_900_Series, pid=3684, e=13, t=1090333076 bind(/var/run/ptal-mlcd/usb:PSC_900_Series) failed! Ensure /var/run/ptal-mlcd/ exists.
The above shows ptal failing to create the sock-file '/var/run/ptal-mlcd/usb:....'. (Shouldn't the tcontext be 'ptal_var_run_t'????)
Correct. The directory /var/run/ptal-mlcd should have type ptal_var_run_t.
The problem was that the below two lines in cups.fc had "--" specified for the type. Remove the "--" and relabel /var/run and things should be fine.
/var/run/ptal-printd(/.*)? system_u:object_r:ptal_var_run_t
/var/run/ptal-mlcd(/.*)? system_u:object_r:ptal_var_run_t
Jul 20 07:17:56 fedora kernel: audit(1090333076.799:0): avc: denied { search } for pid=3685 exe=/usr/sbin/ptal-printd name=root dev=hda2 ino=1196033 scontext=system_u:system_r:ptal_t tcontext=root:object_r:staff_home_dir_t tclass=dir
I don't know why ptal is trying to search '/root'.
Lots of daemons do that. dontaudit is the correct solution to that.
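The cups.fc mistake explained above, a subtree pattern like /var/run/ptal-mlcd(/.*)? restricted with "--" (regular files only), means the directory itself never matches the entry and is left with the parent's var_run_t, which is exactly the tcontext in the denials. The check and fix below are an added example, not the thread's or the policy tree's own code; the function names fc_lint and fc_fix are made up here, and SAMPLE_FC is a constructed fragment modelled on the two cups.fc lines quoted above plus two unaffected lines for contrast.

```shell
# Added example (not from the thread): flag file_contexts entries whose
# regex is meant to cover a directory and everything under it, "(/.*)?",
# but carries a file-type field (such as "--"), so the directory itself
# never matches and keeps the label of its parent.
# SAMPLE_FC is constructed; the first two lines mirror the cups.fc bug.
SAMPLE_FC='/var/run/ptal-printd(/.*)? -- system_u:object_r:ptal_var_run_t
/var/run/ptal-mlcd(/.*)? -- system_u:object_r:ptal_var_run_t
/var/run/cups(/.*)? system_u:object_r:cupsd_var_run_t
/var/run/cups/cups\.sock -s system_u:object_r:cupsd_var_run_t'

# fc_lint: stdin = file_contexts lines; stdout = one message per offending
# entry. Exit status is 1 if anything was flagged, 0 if the fragment is clean.
fc_lint() {
  awk '
  /^[ \t]*#/ || NF == 0 { next }                  # skip comments and blanks
  NF == 3 && $1 ~ /\(\/\.\*\)\?$/ {
    printf "subtree pattern restricted to %s: %s\n", $2, $1
    bad = 1
  }
  END { exit bad ? 1 : 0 }'
}

# fc_fix: same input, with the file-type field dropped from subtree
# patterns so the directory and everything below it get the listed type.
# Other lines are passed through unchanged.
fc_fix() {
  awk '
  NF == 3 && $1 ~ /\(\/\.\*\)\?$/ { print $1, $3; next }
  { print }'
}

# Stand-alone demonstration on the constructed fragment.
printf '%s\n' "$SAMPLE_FC" | fc_lint || true
printf '%s\n' "$SAMPLE_FC" | fc_fix
```

After correcting the .fc file the existing directories still carry the old label, so, as the reply says, /var/run has to be relabelled (for instance with restorecon -R /var/run, assuming the policycoreutils tools are installed); only then do sockets and fifos created inside the ptal directories inherit ptal_var_run_t without any extra allow rules or a file_type_auto_trans.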
selinux@lists.fedoraproject.org