HPLIP and Fedora9

Stephen Smalley sds at tycho.nsa.gov
Fri Aug 7 13:00:46 UTC 2009


On Thu, 2009-08-06 at 20:45 +0100, Arthur Dent wrote:
> Hello all,
> 
> I tried today to install the latest hplip package from
> http://hplipopensource.com to use the printer driver for my HP Printer
> on my Fedora 9 system (I plan to upgrade to Fedora 11 in the next few
> weeks). The install package warns you to turn off selinux so I
> setenforce 0. I assumed that I would be able to write a policy before
> resuming enforcing mode.
> 
> The install went fine with no avcs. I then tried to print a test page
> and got 3 avcs (I can post in full if required). 

Yes, please do.  And file a bug against policycoreutils - this looks
like a bug in audit2allow/sepolgen (wrongly merging audit rules with
different keys).

> 
> SELinux is preventing hp (hplip_t) "name_bind" howl_port_t.
> SELinux is preventing hp (hplip_t) "search" to ./dbus
> (system_dbusd_var_run_t).
> SELinux is preventing hpcups (cupsd_t) "name_bind" howl_port_t. 
> 
> From these I tried to create a policy using audit2allow. This is what it
> proposed:
> 
> ##########################################
> # cat myhplip.te
> policy_module(myhplip, 9.0.1)
> 
> require {
> 	type cupsd_t;
> 	type hplip_t;
> 	type system_dbusd_t;
> 	class unix_stream_socket { write connectto search };
> }
> 
> #============= cupsd_t ==============
> corenet_udp_bind_howl_port(cupsd_t)
> 
> #============= hplip_t ==============
> allow hplip_t system_dbusd_t:unix_stream_socket { write connectto
> search };
> corenet_udp_bind_howl_port(hplip_t)
> 
> ##########################################
> 
> "make -f" worked OK on this, but when I tried semodule -i I got the
> following error:
> 
> [root@localhost selinux]# semodule -i myhplip.pp
> libsepol.permission_copy_callback: Module myhplip depends on permission
> search in class unix_stream_socket, not satisfied
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> 
> 
> Is there any way I can resolve this?
> 
> The only existing bug I can find on hplip is 516078
> (https://bugzilla.redhat.com/show_bug.cgi?id=516078) is it related?
> 
> 
> Thanks in advance for any help or suggestions...
> 
> Mark
> 
> 
-- 
Stephen Smalley
National Security Agency
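
The merge problem described in the reply above, as an added example (not code from this thread and not the audit2allow/sepolgen implementation): denials are grouped on (source type, target type, object class), which is assumed here to be what "keys" refers to, so the directory `search` permission can never end up in a `unix_stream_socket` rule. The AVC records are constructed for illustration, and their object classes are assumptions.

```python
import re
from collections import defaultdict

# Constructed AVC records (not the poster's real log); object classes are assumed.
SAMPLE_AVCS = """\
type=AVC msg=audit(1249587900.101:41): avc:  denied  { search } for  pid=2101 comm="hp" name="dbus" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1249587900.102:42): avc:  denied  { write } for  pid=2101 comm="hp" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1249587900.103:43): avc:  denied  { connectto } for  pid=2101 comm="hp" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1249587900.104:44): avc:  denied  { name_bind } for  pid=2101 comm="hp" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=AVC msg=audit(1249587900.105:45): avc:  denied  { name_bind } for  pid=2102 comm="hpcups" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)


def context_type(context):
    """Return the type field of a user:role:type[:mls] security context."""
    return context.split(":")[2]


def group_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        key = (context_type(m["s"]), context_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_allow_rules(rules):
    """Emit one allow rule per key, so permissions never cross classes."""
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms)))
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


if __name__ == "__main__":
    print("\n".join(render_allow_rules(group_denials(SAMPLE_AVCS))))
```
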
