HPLIP and Fedora9
Stephen Smalley
sds at tycho.nsa.gov
Fri Aug 7 13:00:46 UTC 2009
On Thu, 2009-08-06 at 20:45 +0100, Arthur Dent wrote:
> Hello all,
>
> I tried today to install the latest hplip package from
> http://hplipopensource.com to use the printer driver for my HP Printer
> on my Fedora 9 system (I plan to upgrade to Fedora 11 in the next few
> weeks). The install package warns you to turn off selinux so I
> setenforce 0. I assumed that I would be able to write a policy before
> resuming enforcing mode.
>
> The install went fine with no avcs. I then tried to print a test page
> and got 3 avcs (I can post in full if required).
Yes, please do. And file a bug against policycoreutils - this looks
like a bug in audit2allow/sepolgen (wrongly merging audit rules with
different keys).
>
> SELinux is preventing hp (hplip_t) "name_bind" howl_port_t.
> SELinux is preventing hp (hplip_t) "search" to ./dbus
> (system_dbusd_var_run_t).
> SELinux is preventing hpcups (cupsd_t) "name_bind" howl_port_t.
>
> From these I tried to create a policy using audit2allow. This is what it
> proposed:
>
> ##########################################
> # cat myhplip.te
> policy_module(myhplip, 9.0.1)
>
> require {
> type cupsd_t;
> type hplip_t;
> type system_dbusd_t;
> class unix_stream_socket { write connectto search };
> }
>
> #============= cupsd_t ==============
> corenet_udp_bind_howl_port(cupsd_t)
>
> #============= hplip_t ==============
> allow hplip_t system_dbusd_t:unix_stream_socket { write connectto
> search };
> corenet_udp_bind_howl_port(hplip_t)
>
> ##########################################
>
> "make -f" worked OK on this, but when I tried semodule -i I got the
> following error:
>
> [root at localhost selinux]# semodule -i myhplip.pp
> libsepol.permission_copy_callback: Module myhplip depends on permission
> search in class unix_stream_socket, not satisfied
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
>
>
> Is there any way I can resolve this?
>
> The only existing bug I can find on hplip is 516078
> (https://bugzilla.redhat.com/show_bug.cgi?id=516078) is it related?
>
>
> Thanks in advance for any help or suggestions...
>
> Mark
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
Stephen Smalley
National Security Agency
More information about the fedora-selinux-list
mailing list