logo       
<prev   next>

Choosing A Webhost:
A web hosting service is a type of Internet hosting service that allows individuals and organizations to provide their own website accessible via the World Wide Web. Web hosts are companies that provide space on a server they own for use by their clients as well as providing Internet connectivity, typically in a data center. Web hosts can also provide data center space and connectivity to the Internet for servers they do not own to be located in their data center, called colocation. more...

Re: hpoj?: msg#00129

Subject: Re: hpoj? 
I 'fiddled' a bit more with this.  The following
additions to cups.te seem to make it work:

allow ptal_t { etc_t etc_runtime_t }:file { getattr read };
ifdef(`usbmodules.te', `
r_dir_file(ptal_t, usbdevfs_t)
')

file_type_auto_trans(ptal_t, var_run_t, ptal_var_run_t)

The 'allow' you provided lets ptal read
/etc/ptal, etc.

The 'ifdef' mimics the entries for cups.
I'm guessing that ptal needs to
'discover' the USB devices it is to
control.

The 'file_type_auto_trans' causes the files
created in /var/run/ptal* have the correct
context. 
tom


Tom London wrote:


From what I understand, ptal implements the mechanism
to connect to bidirectional printers/scanners/....
In my case, I have a USB connected HP office
jet (an HP PSC-950). I'm guessing it scans
through /proc/bus/usb to discover appropriate
devices.

I made the change you suggested (adding 'allow' for etc_t
and etc_runtime_t), and did a 'make install'.
'run_init /etc/rc.d/init.d/hpoj start'  now gets
a quick 'denied' when attemping to create the socket
('usb:PSC_900_Series'):
Jul 20 07:17:56 fedora kernel: audit(1090333076.788:0): avc: denied { create } for pid=3684 exe=/usr/sbin/ptal-mlcd name=usb:PSC_900_Series scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:var_run_t tclass=sock_file Jul 20 07:17:56 fedora ptal-mlcd: FATAL ERROR at ExMgr.cpp:1250, dev=<mlc:usb:PSC_900_Series>, pid=3684, e=13, t=1090333076 bind(/var/run/ptal-mlcd/usb:PSC_900_Series) failed! Ensure /var/run/ptal-mlcd/ exists.
The above shows ptal failing to create sock-file '/var/run/ptal-mcld/usb:....'). 
(Shouldn't the tcontext be 'ptal_var_run_t'????)
Jul 20 07:17:56 fedora kernel: audit(1090333076.799:0): avc: denied { search } for pid=3685 exe=/usr/sbin/ptal-printd name=root dev=hda2 ino=1196033 scontext=system_u:system_r:ptal_t tcontext=root:object_r:staff_home_dir_t tclass=dir 

I don't know why ptal is trying to seach '/root'.
Jul 20 07:17:56 fedora kernel: audit(1090333076.800:0): avc: denied { read } for pid=3685 exe=/usr/sbin/ptal-printd name=mlc:usb:PSC_900_Series dev=hda2 ino=738368 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:etc_t tclass=file 

'find / -inum 738368' -> /etc/ptal/mlc:usb:PSC_900_Series
-rw-rw---- root lp system_u:object_r:etc_runtime_t ptal-printd-like
Jul 20 07:17:56 fedora kernel: audit(1090333076.800:0): avc: denied { getattr } for pid=3685 exe=/usr/sbin/ptal-printd path=/etc/ptal/ptal-printd-like dev=hda2 ino=737289 scontext=system_u:system_r:ptal_t tcontext=system_u:object_r:etc_runtime_t tclass=file Jul 20 07:17:56 fedora ptal-printd: ptal-printd(mlc:usb:PSC_900_Series): Unable to read file permissions from "/etc/ptal/ptal-printd-like"! Jul 20 07:17:58 fedora ptal-photod: ptal-photod(mlc:usb:PSC_900_Series) successfully initialized, listening on port 5703. 
One of the 'ptal' daemons has started, but others have not.


tom


Russell Coker wrote:


On Tue, 20 Jul 2004 03:15, Tom London <selinux@xxxxxxxxxxx> wrote:

Audit2allow on permissive avc's yield:
allow ptal_t etc_runtime_t:file { getattr };
allow ptal_t etc_t:file { read };
For file access whenever read access is requested you should allow getattr. For a file type such etc_runtime_t which contains nothing secret if you allow getattr you should allow read. So I added the following to my tree: 

allow ptal_t { etc_t etc_runtime_t }:file { getattr read };


allow ptal_t staff_home_dir_t:dir { search };



What does ptal do?  Why does it need such access?


allow ptal_t usbdevfs_t:dir { getattr read };
Again, what is it trying to do here? I've never used ptal so I don't know what we should be permitting it to do. 


allow ptal_t var_run_t:fifo_file { create read setattr };
allow ptal_t var_run_t:sock_file { create setattr };
For the sock_file and the fifo_file in question you didn't provide enough information to determine which directory they are in. Please repeat the tests and use "find /var/run -inum ..." to find the full path.
If they are under /var/run/ptal-printd or /var/run/ptal-mlcd then they should have the correct type and there should not be any problem (in which case there is some strange mis-labelling issue). If they are not under those directories then I will need to know the directories that they are in to write the correct policy.
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: .udev.tdb ?, Tom London
Next by Date:  Re: /etc/exports, /usr/sbin/exportfs ..., Tom London
Previous by Thread:  Re: hpoj?, Tom London
Next by Thread:  Re: hpoj?, Russell Coker
Indexes:  [Date] [Thread] [Top] [All Lists]

Google Custom Search
Recently Viewed:
qnx.openqnx.dev...    gcc.libstdc++.c...    solaris.opensol...    information-ret...    misc.misterhous...    web.catalyst.ge...    apache.webservi...    redhat.release....    hardware.lirc/2...    kernel.autofs/2...    technology.sust...    linux.vdr/2003-...    editors.lyx.gen...    org.user-groups...    netbsd.devel.pk...    xdg.devel/2004-...    version-control...    jakarta.slide.d...    debian.packages...    creativecommons...    ports.ppc.embed...    bug-tracking.bu...   
Home | blog view | USPTO Patent Archive | advertise | OSDir is an inevitable website. super tiny logo

Free Magazines

Cisco News
Receive a free quarterly e-newsletter with exclusive articles on how Cisco IT uses its own products and solutions to enable the business.
subscribe

Systems Management News, the newspaper for IT systems administration and data center managers! Each issue of Systems Management News is chock-full of news and analysis to help you understand what's happening in your field.
subscribe

The Enterprise Newsweekly eWeek is the essential technology information source for builders of e-business.
subscribe

Oracle Magazine Oracle Magazine contains technology strategy articles, sample code, tips, Oracle and partner news, how to articles for developers and DBAs, and more. Oracle (NASDAQ: ORCL) is the world's largest enterprise software company.
subscribe

Total Telecom Total Telecom is "The Economist of the communications industry".
subscribe

Navigation