Bug 234621 - selinux prevents cups from printing
Summary: selinux prevents cups from printing
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
Reported: 2007-03-30 16:36 UTC by Craig Goodyear
Modified: 2007-11-30 22:12 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-04-11 14:13:07 UTC

Attachments (Terms of Use)

Description Craig Goodyear 2007-03-30 16:36:55 UTC
Description of problem:
With selinux set to enforcing, the printer will not print.
With selinux set to permissive, the printer has no problems.

Version-Release number of selected component (if applicable):

How reproducible:
Problem occurs every time selinux is set to enforcing.

Steps to Reproduce:
1. set selinux to enforcing
2. submit job to printer
Actual results:
Printer does not print.

Expected results:
Get output from printer.

Additional info:
The following error is logged to /var/log/cups/error_log every
second until selinux is set to permissive and the job prints:

E [30/Mar/2007:10:54:54 -0500] [Job 68] Unable to reserve port: Permission denied

There are no selinux error messages entered in /var/logs/messages

The printer is attached to an Ethernet print server and is
installed using cups with an lpd connection.

Comment 1 James Ettle 2007-03-31 10:59:34 UTC
Seen here too.

Comment 2 Daniel Walsh 2007-04-02 16:15:27 UTC
Are there AVC messages in /var/log/audit/audit.log?

Comment 3 James Ettle 2007-04-02 16:44:12 UTC
In mine: no, it's odd. I can't see any "avc: denied" messages pertaining to the
printing subsystem. Nor do I get any "SELinux problem" alerts from the
troubleshooter application (except for "SELinux is preventing the
/usr/bin/python from using potentially mislabeled files (.hplip.conf).", but I'm
not using an HP printer).

Comment 4 Craig Goodyear 2007-04-02 17:07:48 UTC
I don't have selinux set up to log errors to 
/var/log/audit/audit.log.  All avc messages go
to /var/log/messages.  No errors are entered in
this file when trying to print.

Comment 5 Daniel Walsh 2007-04-02 17:23:53 UTC
You can turn off the dontaudit rules with the following command

semodule -b /usr/share/selinux/targeted/enableaudit.pp

See if the kernel reports any avc messages now?

Any idea which port it is trying to communicate with?

Then turn them back on with this command.

semodule -b /usr/share/selinux/targeted/base.pp

Comment 6 James Ettle 2007-04-02 17:53:21 UTC
avc: denied { name_bind } for comm="lpd" egid=7 euid=0 exe="/usr/lib/cups/backend/lpd" exit=-13 fsgid=7 fsuid=0 gid=7 items=0 pid=14912 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 src=993 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=tcp_socket tcontext=system_u:object_r:pop_port_t:s0 tty=(none) uid=0

Comment 7 Daniel Walsh 2007-04-02 20:49:24 UTC
Tim, does this make sense to you?

Do you know if cups/lpd does a bindresvport?

Comment 8 Craig Goodyear 2007-04-02 21:04:51 UTC
This is the avc message I get after turning off dontaudit rules:

Apr  2 16:00:13 cm kernel: audit(1175547613.491:60): avc:  denied  { name_bind } for  pid=8204 comm="lpd" src=1016 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
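
The two AVC records in comments 6 and 8 only became visible after the dontaudit rules were disabled with enableaudit.pp; once they are logged, the useful triage is to pull out the source domain, the port the backend tried to bind, and the label of that port. The parser below is an added example written for this page, not code from the bug report or from CUPS or Bugzilla. It uses the two records quoted above as its sample input (the first one reassembled from the wrapped lines as it appears in the report); the function names are this example's own.

```python
import re
from typing import Dict, List

def join_wrapped(lines: List[str]) -> str:
    """Reassemble an AVC record that a mail client or web form wrapped across lines."""
    return " ".join(line.strip() for line in lines)

# Sample input: the AVC records quoted in comments 6 and 8 of this bug report.
AVC_SAMPLES = [
    join_wrapped([
        'avc: denied { name_bind } for comm="lpd" egid=7 euid=0',
        'exe="/usr/lib/cups/backend/lpd" exit=-13 fsgid=7 fsuid=0 gid=7 items=0 pid=14912',
        'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 src=993',
        'subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=tcp_socket',
        'tcontext=system_u:object_r:pop_port_t:s0 tty=(none) uid=0',
    ]),
    'Apr  2 16:00:13 cm kernel: audit(1175547613.491:60): '
    'avc:  denied  { name_bind } for  pid=8204 comm="lpd" '
    'src=1016 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket',
]

# "avc:  denied  { name_bind }" -> verdict and the permission set inside the braces
_PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# key=value tokens; values are either a quoted string or a run of non-blanks
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_avc(record: str) -> Dict[str, object]:
    """Parse one AVC record into the fields needed for port-binding triage."""
    m = _PERMS.search(record)
    if not m:
        raise ValueError("not an AVC record: %r" % record)
    fields = {k: v.strip('"') for k, v in _KV.findall(record[m.end():])}
    return {
        "verdict": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        # for name_bind on a tcp_socket, src is the local port being bound
        "src_port": int(fields["src"]) if "src" in fields else None,
        "source_type": context_type(fields.get("scontext", "")),
        "target_type": context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }

def triage(record: str) -> str:
    """One-line summary of what was denied, phrased for the bind() case in this report."""
    r = parse_avc(record)
    if r["tclass"] == "tcp_socket" and "name_bind" in r["perms"]:
        return ("%s (%s) was refused bind() on TCP port %s, which is labelled %s"
                % (r["source_type"], r["comm"], r["src_port"], r["target_type"]))
    return "%s denied %s on %s" % (r["source_type"], " ".join(r["perms"]), r["tclass"])

if __name__ == "__main__":
    for sample in AVC_SAMPLES:
        print(triage(sample))
```

Run against the two records it reports that cupsd_t (comm lpd) was refused port 993, labelled pop_port_t, and port 1016, labelled hi_reserved_port_t, which is the observation Daniel Walsh makes in comment 10: the denied ports are outside the 721-731 window the backend is expected to use, so the policy fix has to cover the wider reserved range the backend actually scans.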

Comment 9 Tim Waugh 2007-04-03 13:06:40 UTC
The CUPS lpd backend (for sending a job to an LPR server) does a regular bind().
It's actually after a privileged port between 721 and 731 (this is from RFC 1179):

3.1 Message formats

   LPR is a TCP-based protocol.  The port on which a line printer
   daemon listens is 515.  The source port must be in the range 721 to
   731, inclusive.

The way the CUPS lpd backend tries to do this is by trying bind() for port 731,
retrying with a lower port number until it gets to 721, then starting back at 731.

Should it be using bindresvport() instead?

Comment 10 Daniel Walsh 2007-04-03 13:38:58 UTC
The strange part above is that the AVCs are reporting that cupsd tried to bind
to ports 993 and 1016.

I can give it the policy that allows cups to bind to ports between 600-1023
which is what we usually give for bindresvport.

Comment 11 Tim Waugh 2007-04-03 14:09:07 UTC
The 'strict' 721-731 requirement is an option in the lpd backend.  If it is not
set to strict RFC 1179 compliance, it will try any port between 512 and 1023.
Also when it is not running as root it will just take any port (but we run the
lpd backend as root).

So giving it policy to allow it to bind to ports between 600 and 1023 would be fine.
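
The source-port search Tim Waugh describes in comments 9 and 11 (try 731, step down to 721; or any port from 1023 down to 512 when not in strict mode) is what produces the symptom in the original report: when SELinux denies name_bind, every bind() in the sweep fails with EACCES, and the backend ends up logging "Unable to reserve port: Permission denied" and trying again. The following is an added illustration of that search written for this page, not the CUPS lpd backend's own code. The `bind` callable, the simulated binders and the function names are this example's assumptions; the simulators exist so the two outcomes (ports in use versus a policy denial) can be reproduced without root and without a print server.

```python
import errno
import os
import socket
from typing import Callable, List, Optional, Set, Tuple

# Port ranges named in the thread: strict RFC 1179 mode scans 731 down to 721;
# the backend's non-strict mode takes any port between 512 and 1023.
STRICT_RFC1179 = (731, 721)
RELAXED_RESERVED = (1023, 512)

# A binder performs bind() on the given local port and raises OSError on failure.
BindFn = Callable[[int], None]

def reserve_source_port(bind: BindFn, hi: int, lo: int) -> Tuple[Optional[int], Optional[int], List[int]]:
    """One downward sweep from hi to lo.

    Returns (port, None, attempts) on the first successful bind, or
    (None, last_errno, attempts) when every port in the range failed.

    EADDRINUSE: another connection holds that port, so the next lower one is tried.
    EACCES:     bind() was refused outright. That is how a mandatory access
                control denial (SELinux refusing name_bind on the port's type)
                or a missing CAP_NET_BIND_SERVICE looks to the caller. Scanning
                on cannot fix it, but the sweep runs to the end so the caller
                sees the same outcome the bug report shows: a failure after
                every port was tried, logged as "Permission denied".
    Anything else is unexpected and propagates.
    """
    attempts: List[int] = []
    last_errno: Optional[int] = None
    for port in range(hi, lo - 1, -1):
        attempts.append(port)
        try:
            bind(port)
            return port, None, attempts
        except OSError as exc:
            last_errno = exc.errno
            if exc.errno in (errno.EADDRINUSE, errno.EACCES):
                continue
            raise
    return None, last_errno, attempts

def describe_failure(err: Optional[int]) -> str:
    """Turn the sweep result into the check a defender would do next."""
    if err is None:
        return "bound"
    if err == errno.EACCES:
        return ("Permission denied: bind() was refused on every port in the range. "
                "Look for an AVC name_bind denial on the port type; if none is logged, "
                "the denial may be covered by a dontaudit rule.")
    if err == errno.EADDRINUSE:
        return "every port in the range is in use; retry later"
    return os.strerror(err)

def socket_binder(sock: socket.socket, host: str = "0.0.0.0") -> BindFn:
    """Real binder: bind the given socket to (host, port)."""
    def bind(port: int) -> None:
        sock.bind((host, port))
    return bind

def deny_all_binder() -> BindFn:
    """Simulated binder (this example's own): every bind() fails with EACCES,
    which is what the lpd backend saw while SELinux was denying name_bind."""
    def bind(port: int) -> None:
        raise PermissionError(errno.EACCES, "Permission denied")
    return bind

def busy_ports_binder(busy: Set[int]) -> BindFn:
    """Simulated binder (this example's own): ports in `busy` are taken,
    any other port binds successfully."""
    def bind(port: int) -> None:
        if port in busy:
            raise OSError(errno.EADDRINUSE, "Address already in use")
    return bind

if __name__ == "__main__":
    # The policy-denial case: a full 731..721 sweep, nothing bound.
    port, err, tried = reserve_source_port(deny_all_binder(), *STRICT_RFC1179)
    print("strict sweep tried %d ports -> %s" % (len(tried), describe_failure(err)))
    # The ordinary case: two ports busy, the third one is taken.
    port, err, tried = reserve_source_port(busy_ports_binder({731, 730}), *STRICT_RFC1179)
    print("bound source port %s after trying %s" % (port, tried))
    # A real socket: privileged ports need root (and, on an enforcing system,
    # a policy that lets this domain bind them), so this prints EACCES unless run as root.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        port, err, _ = reserve_source_port(socket_binder(s, "127.0.0.1"), *STRICT_RFC1179)
        print("real socket:", port if port else describe_failure(err))
```

The distinction the code draws between EADDRINUSE and EACCES is the practical one when reading the CUPS error_log: a port-in-use failure clears on its own, while "Permission denied" on every port means the bind is being refused by something outside the backend, which in this report was policy that did not allow cupsd_t to bind the reserved range.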

Comment 12 Daniel Walsh 2007-04-05 17:46:48 UTC
Fixed in selinux-policy-2.4.6-52

Comment 13 Craig Goodyear 2007-04-11 13:46:05 UTC
After updating to selinux-policy-2.4.6-54.fc6, I am
now able to print with selinux set to enforcing.

Thank you for the fix.
