cups-lpd: Unable to reserve port: Permission denied
Daniel J Walsh
dwalsh at redhat.com
Fri Apr 6 12:26:54 UTC 2007
Garry T. Williams wrote:
> On Thursday 05 April 2007 19:01:19 Matt Anderson wrote:
>
>> Garry T. Williams wrote:
>>
>>> I think the new policy is wrong. Regardless, why don't I see avc log
>>> messages on this?
>>>
>> It seems to me that the AVCs are lost because they aren't audited.
>> If you put in place the enableaudit.pp policy file then you'd probably
>> see them.
>>
>
> Thanks for the pointer. This will save debug time. :-)
>
>
>> cupsd should only be able to bind to port 631, but your clients should
>> be able to use high ports to connect to the remote server. From what
>> you've said it sounds like the printer you are lpr'ing to is a locally
>> defined print spool that cupsd is supposed to then queue up and send to
>> remote printers. If that is the case then why not configure the queue
>> so that lpr sends jobs directly to the remote queue? Or am I missing
>> something?
>>
>
> I simply defined a remote lpd printer to cups and then printed to it
> from an application like a2ps or firefox. This causes my local cupsd
> process to fork a client to connect to the remote lpd. In general,
> TCP clients don't need to bind to a specific port. In general, TCP
> clients don't even call bind(). But...
>
> Because of historical conventions (as I understand it), some lpd
> *servers* refuse to allow connections from clients coming from source
> ports above 1024. Yes, it's silly, but the cups folks claim that
> there are such servers that cups needs to support. Because of this,
> the default behavior for cups-lpd running in *client* mode is to bind
> to a low-numbered port before connecting to the server. The new
> selinux policy forbids this. As a matter of fact, the cups-lpd
> running as a client *can't* bind to the permitted port 631, if the
> cups server has already done so.
>
> (I don't run cupsd on anything but localhost on this machine, so the
> bind eventually succeeded when cups-lpd finally counted down to 631
> retrying bind() along the way.)
>
> If you accept that it is legitimate for cups-lpd to insist on a
> low-numbered port that is not 631, then the current policy is flawed.
> The client mode will never call listen(), so it doesn't become a
> server. It just wants a low source port when it connects to another
> server.
>
>
I have added the ability for cups to bind to any port 600-1023.
selinux-policy-2.5.11-5.fc7
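The count-down behaviour Garry describes (a client that insists on a reserved source port, retrying bind() downward until a free one turns up) is easy to misread in an AVC log, because every port that is already taken or denied by policy just makes the client try the next one. The following C program is an added illustration written for this archive page; it is not cups-lpd's code and not part of the thread. It assumes a loopback address and takes the port range as parameters so it can be run unprivileged: the real cups-lpd walks ports below 1024, which needs root and, after this policy change, a port in the 600-1023 range the policy now permits. The port numbers 45631 and 45600 in main() are constructed stand-ins for 631 and 600.

```c
/* Added example (not from the thread or from CUPS): a cups-lpd-style client
 * that binds to a "reserved" source port before connecting, retrying
 * downward the way the thread describes. Range is a parameter so the
 * behaviour can be exercised without root. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Try to bind sock to 127.0.0.1:port for each port from hi down to lo.
 * Returns the port that was bound, or -1 if none could be.
 * EADDRINUSE (someone already holds the port, e.g. cupsd on 631) and
 * EACCES (no privilege, or an SELinux name_bind denial) both just move
 * on to the next lower port; that is why the thread's author only saw
 * the bind succeed once the loop had counted down to 631. Any other
 * errno is treated as fatal. */
int bind_reserved_port(int sock, int hi, int lo)
{
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    for (int port = hi; port >= lo; port--) {
        addr.sin_port = htons((unsigned short)port);
        if (bind(sock, (struct sockaddr *)&addr, sizeof addr) == 0)
            return port;
        if (errno != EADDRINUSE && errno != EACCES)
            return -1;
    }
    return -1;
}

/* Create a TCP socket, bind it somewhere in [lo, hi], close it again and
 * report which port was obtained. Only the bind step is demonstrated;
 * a real client would go on to connect() from that socket. */
int probe_reserved_bind(int hi, int lo)
{
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
        return -1;
    int port = bind_reserved_port(sock, hi, lo);
    close(sock);
    return port;
}

/* Occupy one port with a listening socket, standing in for the cups
 * server that already holds 631. Returns the listening fd, or -1. */
int occupy_port(int port)
{
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
        return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = htons((unsigned short)port);
    if (bind(sock, (struct sockaddr *)&addr, sizeof addr) != 0 ||
        listen(sock, 1) != 0) {
        close(sock);
        return -1;
    }
    return sock;
}

int main(void)
{
    /* Constructed stand-ins for 631 (held by cupsd) and the 600 floor. */
    int held = occupy_port(45631);
    if (held < 0) {
        perror("occupy_port");
        return 1;
    }
    int got = probe_reserved_bind(45631, 45600);
    printf("top of range busy, client settled on port %d\n", got);
    close(held);
    got = probe_reserved_bind(45631, 45600);
    printf("top of range free, client settled on port %d\n", got);
    return 0;
}
```

Run as an ordinary user the program binds 45630 while 45631 is held and 45631 once it is released. Changing the range to 1023 down to 600 and running it as root reproduces the real cups-lpd case; under the older policy the EACCES branch fires on every port, and because those denials were dontaudit'ed nothing appears in the AVC log unless enableaudit.pp has been loaded, exactly as Matt pointed out.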