SELinux policy for printing #815

Closed

totaam opened this issue Feb 23, 2015 · 25 comments

Comments

totaam commented Feb 23, 2015

Issue migrated from trac ticket #815

component: core | priority: critical | resolution: fixed

2015-02-23 16:24:05: antoine created the issue

A simple policy is better than none.

The server needs a lot of permissions...
And we need the clients to be able to connect to the server using unix domain sockets (and also transition from cups backend domain to our new domain to be able to support printing #598)

totaam commented Feb 23, 2015

2015-02-23 17:36:42: antoine uploaded file selinux.patch (2.0 KiB)

work in progress patch

totaam commented Feb 24, 2015

2015-02-24 09:28:34: antoine uploaded file selinux-v2.patch (7.4 KiB)

much better patch - the server starts and client can connect!

totaam commented Feb 24, 2015

2015-02-24 09:48:10: antoine changed status from new to assigned

totaam commented Feb 24, 2015

2015-02-24 09:48:10: antoine commented

The patch above works surprisingly well!
Things left TODO:

  • lots of testing
  • fix shared memory: XShmWrapper.setup() shmat(20840475, NULL, 0) failed!
  • fix pulseaudio: /bin/sh: /usr/bin/pulseaudio: Permission denied
  • fix dbus access:
      • server side:
            cannot load dbus helper: org.freedesktop.DBus.Error.AccessDenied: \
                An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; \
                type="method_call", sender="(null)" (inactive) interface="org.freedesktop.DBus" member="Hello" \
                error name="(unset)" requested_reply="0" destination="org.freedesktop.DBus" (bus)
      • client side:
            dbus setup error: org.freedesktop.DBus.Error.AccessDenied: Failed to connect to socket \
                /var/run/dbus/system_bus_socket: Permission denied
  • fix cups:
        Unhandled error while processing a 'query-printers' packet from peer using <bound method XpraClient._process_query_printers of gtk2.client>
        Traceback (most recent call last):
          File "/usr/lib64/python2.7/site-packages/xpra/client/client_base.py", line 733, in process_packet
            handler(packet)
          File "/usr/lib64/python2.7/site-packages/xpra/client/client_base.py", line 580, in _process_query_printers
            printers = get_printers()
          File "/usr/lib64/python2.7/site-packages/xpra/platform/pycups_printing.py", line 64, in get_printers
            conn = cups.Connection()
        RuntimeError: failed to connect to server

        sound source pipeline error: GStreamer encountered a general resource error. / pulsesink.c(570): gst_pulseringbuffer_open_device (): /GstPulseSink:autoaudiosink0-actual-sink-pulse
        sound source pipeline error: Could not initialise supporting library. / gstautoaudiosink.c(369): gst_auto_audio_sink_detect (): /GstPipeline:pipeline0/GstAutoAudioSink:autoaudiosink0:
        Failed to find a supported audio sink
  • packaging

totaam commented Feb 24, 2015

2015-02-24 16:45:17: antoine uploaded file selinux-v3.patch (8.1 KiB)

printing works, dbus and sound still do not

totaam commented Apr 14, 2015

2015-04-14 17:21:19: antoine commented

out of time

totaam commented Aug 12, 2015

2015-08-12 06:50:44: antoine commented

Note: this change might make things easier to implement if we use the sockets placed in /run instead of the home folder: #888.

totaam commented Oct 10, 2015

2015-10-10 12:21:43: antoine uploaded file allow-cupsd-access-userhome.patch (0.6 KiB)

alternatively, this patch to the core policy is supposed to work

totaam commented Dec 30, 2015

2015-12-30 16:32:59: antoine commented

Some minor changes in r11544 to better support new socket locations (#963).
Unfortunately, even using sockets in /tmp or /run does not allow us to talk to the socket from the cups backend.

But maybe the alternative locations will be more palatable for a merge upstream?

  • for /tmp:
        Hash: xpra,cupsd_t,user_tmp_t,sock_file,write
    (this one may be acceptable? still better than home dir..)

  • for /run/user/$UID/xpra/SOCKETNAME:
        Hash: xpra,cupsd_t,unconfined_t,unix_stream_socket,connectto
    (this one would require a specific policy for the directory?)

totaam commented Apr 5, 2016

2016-04-05 08:21:47: antoine uploaded file selinux-v4.patch (8.4 KiB)

updated patch for Fedora 23

totaam commented Apr 5, 2016

2016-04-05 10:14:15: antoine commented

TODO:

  • gstreamer gets into a horrible spin and will just waste CPU cycles until you kill it
  • fakexinerama should be converted to using /var/run (we can check and set an env var before using it)
  • pulseaudio still won't run (no avc messages to investigate)
  • printing works if I set the lpr module to permissive: semanage permissive -a lpr_t, but I can't find any avcs to fix! Some links:

totaam commented Aug 11, 2016

2016-08-11 09:39:08: antoine commented

Trying to solve the printing problem first: xpra printer forwarding currently requires a change to the core policy on the Fedora SELinux mailing list

totaam commented Aug 12, 2016

2016-08-12 10:13:58: antoine commented

As suggested in this reply ("Could you try to label the backend..."), after chcon -t cups_pdf_exec_t /usr/lib/cups/backend/xpraforwarder and with the socket in .xpra:

AVC avc:  denied  { search } for  pid=12058 comm="xpra" name=".xpra" dev="md122" ino=3965034 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
AVC avc:  denied  { create } for  pid=12057 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { create } for  pid=12057 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { create } for  pid=12057 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
PID 12057 (/usr/lib/cups/backend/xpraforwarder) stopped with status 1.

With the socket in /var/run/user/$UID/xpra:

AVC avc:  denied  { write } for  pid=12809 comm="xpra" name="desktop-100" dev="tmpfs" ino=454089 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
AVC avc:  denied  { create } for  pid=12808 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { create } for  pid=12808 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { create } for  pid=12808 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
PID 12808 (/usr/lib/cups/backend/xpraforwarder) stopped with status 1.

totaam commented Aug 12, 2016

2016-08-12 12:08:42: antoine commented

Continuing with the socket in /var/run/user/$UID/xpra and fixing with audit2allow every time:

AVC avc:  denied  { connectto } for  pid=16204 comm="xpra" path="/run/user/1000/xpra/desktop-100" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
AVC avc:  denied  { connect } for  pid=16203 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { connect } for  pid=16203 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { connect } for  pid=16203 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0

This "fixes" it:

module xpraforwarder 1.0;

require {
	type user_tmp_t;
	type cups_pdf_t;
	type unconfined_t;
	class unix_dgram_socket create;
	class unix_dgram_socket connect;
	class sock_file write;
	class unix_stream_socket connectto;
}

allow cups_pdf_t self:unix_dgram_socket { create connect };
allow cups_pdf_t user_tmp_t:sock_file write;
allow cups_pdf_t unconfined_t:unix_stream_socket connectto;
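An added example (not code from the xpra project or from this thread) of the audit2allow step the comment above relies on: it parses the AVC denials quoted in this thread (embedded as constructed sample input), folds a same-type source and target into self, and renders the require block and allow rules of a .te module equivalent to the one shown. The module name and version are the ones the comment uses; the parsing and rendering logic is the example's own, not audit2allow's.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials quoted in this thread, one per line
# (cups_pdf_t backend reaching the xpra socket under /run/user/$UID/xpra).
AVC_LINES = """\
AVC avc:  denied  { write } for  pid=12809 comm="xpra" name="desktop-100" dev="tmpfs" ino=454089 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
AVC avc:  denied  { create } for  pid=12808 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { connectto } for  pid=16204 comm="xpra" path="/run/user/1000/xpra/desktop-100" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
AVC avc:  denied  { connect } for  pid=16203 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
"""

AVC_RE = re.compile(
    r"denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_avcs(text):
    """Collect denials as {(source_type, target_type, tclass): {perms}}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial line; skip
        # Contexts are user:role:type[:range]; allow rules only use the type.
        src, tgt = m["sctx"].split(":")[2], m["tctx"].split(":")[2]
        # A domain acting on its own objects is written as 'self' in policy.
        tgt = "self" if tgt == src else tgt
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return rules

def to_te_module(rules, name="xpraforwarder", version="1.0"):
    """Render the require block and allow rules of a .te module from parsed denials."""
    types = sorted({x for s, t, _ in rules for x in (s, t) if x != "self"})
    classes = sorted({(c, p) for (_, _, c), perms in rules.items() for p in perms})
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {p};" for c, p in classes]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        ps = sorted(perms)
        perm = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        out.append(f"allow {src} {tgt}:{cls} {perm};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_te_module(parse_avcs(AVC_LINES)))
```

Reading the output shows why the comment puts "fixes" in quotes: the connectto on unconfined_t and the sock_file write on user_tmp_t are broad grants copied straight from the denials, which is exactly what to review before a module like this is loaded.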

totaam commented Aug 12, 2016

2016-08-12 13:21:13: antoine commented

Managed to come up with a policy that allows the backend to run without warnings or errors: r13317.

Still TODO:

totaam commented Aug 14, 2016

2016-08-14 15:31:52: antoine commented

r13346 adds RPM packaging support for the "cups_xpra" selinux module.

Moving the full selinux policy to #1283.

totaam commented Aug 15, 2016

2016-08-15 11:14:53: antoine changed status from assigned to new

totaam commented Aug 15, 2016

2016-08-15 11:14:53: antoine changed owner from antoine to smo

totaam commented Aug 15, 2016

2016-08-15 11:14:53: antoine commented

Got some feedback, made some improvements in r13358.
(r13367 includes a patch for the policy so that it can be used on systems that do not support XDG_RUNTIME_DIR, see #1129#comment:23 for details).

Ready for testing.

totaam commented Sep 27, 2016

2016-09-27 10:16:38: antoine changed priority from major to critical

totaam commented Nov 22, 2016

2016-11-22 19:39:16: smo changed status from new to closed

totaam commented Nov 22, 2016

2016-11-22 19:39:16: smo set resolution to fixed

totaam commented Nov 22, 2016

2016-11-22 19:39:16: smo commented

I haven't found any issues with this on Fedora 23 and 24. I've done some rough testing with a non-attached printer but not much with a real printer.

If we run into errors we'll open a new ticket.

totaam closed this as completed Nov 22, 2016

totaam commented Nov 24, 2016

2016-11-24 11:40:55: antoine changed title from SELinux policy to SELinux policy for printing

totaam commented Sep 2, 2019

2019-09-02 16:38:15: antoine commented

See also #1283, #2265
