cups-lpd: Unable to reserve port: Permission denied

Daniel J Walsh dwalsh at redhat.com
Fri Apr 6 12:26:54 UTC 2007


Garry T. Williams wrote:
> On Thursday 05 April 2007 19:01:19 Matt Anderson wrote:
>   
>> Garry T. Williams wrote:
>>     
>>> I think the new policy is wrong.  Regardless, why don't I see avc log
>>> messages on this?
>>>       
>> It seems to me that the AVCs are lost because they aren't audited.
>> If you put in place the enableaudit.pp policy file then you'd probably
>> see them.
>>     
>
> Thanks for the pointer.  This will save debug time.  :-)
>
>   
>> cupsd should only be able to bind to port 631, but your clients should
>> be able to use high ports to connect to the remote server.  From what
>> you've said it sounds like the printer you are lpr'ing to is a locally
>> defined print spool that cupsd is supposed to then queue up and send to
>> remote printers.  If that is the case then why not configure the queue
>> so that lpr sends jobs directly to the remote queue?  Or am I missing
>> something?
>>     
>
> I simply defined a remote lpd printer to cups and then printed to it
> from an application like a2ps or firefox.  This causes my local cupsd
> process to fork a client to connect to the remote lpd.  In general,
> TCP clients don't need to bind to a specific port.  In general, TCP
> clients don't even call bind().  But...
>
> Because of historical conventions (as I understand it), some lpd
> *servers* refuse to allow connections from clients coming from source
> ports above 1024.  Yes, it's silly, but the cups folks claim that
> there are such servers that cups needs to support.  Because of this,
> the default behavior for cups-lpd running in *client* mode is to bind
> to a low-numbered port before connecting to the server.  The new
> selinux policy forbids this.  As a matter of fact, the cups-lpd
> running as a client *can't* bind to the permitted port 631, if the
> cups server has already done so.
>
> (I don't run cupsd on anything but localhost on this machine, so the
> bind eventually succeeded when cups-lpd finally counted down to 631
> retrying bind() along the way.)
>
> If you accept that it is legitimate for cups-lpd to insist on a
> low-numbered port that is not 631, then the current policy is flawed.
> The client mode will never call listen(), so it doesn't become a
> server.  It just wants a low source port when it connects to another
> server.
>
>   
I have added the ability for cups to bind to any port 600-1023.

selinux-policy-2.5.11-5.fc7
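The client behaviour Garry describes above, written out as an added example (this is not cups-lpd's own code): the socket is bound to a low source port, counting down and retrying bind() on every failure, and then connect()s; listen() is never called, so nothing here is a server. Port numbers, the host string and the function names are assumptions for illustration.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Bind sock to a source port in [lo, hi], trying hi first and counting down,
 * as a client must when an old lpd server only accepts low source ports.
 * Any failure moves on to the next port, which is why the thread sees a
 * long retry sequence before bind() finally lands on 631.
 * Returns the port bound, or -errno of the last failed attempt. */
int bind_source_port(int sock, int lo, int hi)
{
    struct sockaddr_in src;
    int last_err = EINVAL;
    memset(&src, 0, sizeof src);
    src.sin_family = AF_INET;
    src.sin_addr.s_addr = htonl(INADDR_ANY);
    for (int port = hi; port >= lo; port--) {
        src.sin_port = htons((unsigned short)port);
        if (bind(sock, (struct sockaddr *)&src, sizeof src) == 0)
            return port;
        /* EACCES: unprivileged caller or SELinux name_bind denial;
         * EADDRINUSE: another socket (e.g. cupsd on 631) owns the port. */
        last_err = errno;
    }
    return -last_err;
}

/* Client with a pinned source port: bind() then connect(), never listen().
 * Returns the connected socket, or -1 with errno set. */
int connect_from_port_range(const char *host, int dport, int lo, int hi)
{
    struct sockaddr_in dst;
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) return -1;
    int bound = bind_source_port(sock, lo, hi);
    if (bound < 0) { close(sock); errno = -bound; return -1; }
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons((unsigned short)dport);
    if (inet_pton(AF_INET, host, &dst.sin_addr) != 1) {
        close(sock); errno = EINVAL; return -1;
    }
    if (connect(sock, (struct sockaddr *)&dst, sizeof dst) != 0) {
        int e = errno; close(sock); errno = e; return -1;
    }
    return sock;
}
```

Run unprivileged with a range below 1024 and the result is -EACCES on every port, which is the "Unable to reserve port: Permission denied" in the subject line; with a range the policy allows, the count-down only skips ports that are already in use.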
