Xpra: Ticket #815: SELinux policy for printing

A simple policy is better than none.

The server needs a lot of permissions... And we need the clients to be able to connect to the server using unix domain sockets (and also transition from cups backend domain to our new domain to be able to support printing #598)



Mon, 23 Feb 2015 17:36:42 GMT - Antoine Martin: attachment set

work in progress patch


Tue, 24 Feb 2015 09:28:33 GMT - Antoine Martin: attachment set

much better patch - the server starts and client can connect!


Tue, 24 Feb 2015 09:48:09 GMT - Antoine Martin: status changed

The patch above works surprisingly well! Things left TODO:


Tue, 24 Feb 2015 16:45:17 GMT - Antoine Martin: attachment set

printing works, dbus and sound still do not


Tue, 14 Apr 2015 16:21:19 GMT - Antoine Martin: milestone changed

out of time


Wed, 12 Aug 2015 05:50:44 GMT - Antoine Martin:

Note: this change might make things easier to implement if we use the sockets placed in /run instead of the home folder: #888.


Sat, 10 Oct 2015 11:21:42 GMT - Antoine Martin: attachment set

alternatively, this patch to the core policy is supposed to work


Wed, 30 Dec 2015 16:32:58 GMT - Antoine Martin:

Some minor changes in r11544 to better support new socket locations (#963). Unfortunately, even using sockets in /tmp or /run does not allow us to talk to the socket from the cups backend.

But maybe the alternative locations will be more palatable for a merge upstream?

(this one may be acceptable? still better than home dir..)

(this one would require a specific policy for the directory?)


Tue, 05 Apr 2016 07:21:46 GMT - Antoine Martin: attachment set

updated patch for Fedora 23


Tue, 05 Apr 2016 09:14:14 GMT - Antoine Martin:

TODO:


Thu, 11 Aug 2016 08:39:07 GMT - Antoine Martin:

Trying to solve the printing problem first: Fedora SELinux mailing list


Fri, 12 Aug 2016 09:13:58 GMT - Antoine Martin:

As suggested in this reply ("Could you try to label the backend..."), after chcon -t cups_pdf_exec_t /usr/lib/cups/backend/xpraforwarder and with the socket in .xpra:

AVC avc:  denied  { search } for  pid=12058 comm="xpra" name=".xpra" dev="md122" ino=3965034 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
AVC avc:  denied  { create } for  pid=12057 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { create } for  pid=12057 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { create } for  pid=12057 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
PID 12057 (/usr/lib/cups/backend/xpraforwarder) stopped with status 1.

With the socket in /var/run/user/$UID/xpra:

AVC avc:  denied  { write } for  pid=12809 comm="xpra" name="desktop-100" dev="tmpfs" ino=454089 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
AVC avc:  denied  { create } for  pid=12808 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { create } for  pid=12808 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { create } for  pid=12808 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
PID 12808 (/usr/lib/cups/backend/xpraforwarder) stopped with status 1.

Fri, 12 Aug 2016 11:08:42 GMT - Antoine Martin:

Continuing with the socket in /var/run/user/$UID/xpra and fixing with audit2allow every time:

AVC avc:  denied  { connectto } for  pid=16204 comm="xpra" path="/run/user/1000/xpra/desktop-100" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
AVC avc:  denied  { connect } for  pid=16203 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { connect } for  pid=16203 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { connect } for  pid=16203 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0

This "fixes" it:

module xpraforwarder 1.0;
require {
	type user_tmp_t;
	type cups_pdf_t;
	type unconfined_t;
	class unix_dgram_socket create;
	class unix_dgram_socket connect;
	class sock_file write;
	class unix_stream_socket connectto;
}
# the backend (cups_pdf_t) creates and connects its own datagram sockets
allow cups_pdf_t self:unix_dgram_socket { create connect };
# write to the socket file under /run/user/$UID/xpra (user_tmp_t)
allow cups_pdf_t user_tmp_t:sock_file write;
# connect to the stream socket owned by the unconfined xpra server
allow cups_pdf_t unconfined_t:unix_stream_socket connectto;
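
A small illustration of the audit2allow step described above, added here as an example (it is not xpra code and not audit2allow itself): it folds the AVC denials quoted in this comment into the same allow rules as the module above. It assumes the AVC line format shown in the comment; the sample input is constructed from those lines.

```python
import re
from collections import OrderedDict

# Constructed sample: the AVC denials quoted in the ticket comment above.
AVC_LINES = """\
AVC avc:  denied  { create } for  pid=12808 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { connect } for  pid=16203 comm="python" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
AVC avc:  denied  { write } for  pid=12809 comm="xpra" name="desktop-100" dev="tmpfs" ino=454089 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
AVC avc:  denied  { connectto } for  pid=16204 comm="xpra" path="/run/user/1000/xpra/desktop-100" scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0
"""

# permissions in braces, then the source/target contexts and the object class
AVC_RE = re.compile(
    r'denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """user:role:type:mls -> the type component (third field)."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Return (source_type, target_type, class, permission) per denied permission."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        st, tt = context_type(m.group("scontext")), context_type(m.group("tcontext"))
        out.extend((st, tt, m.group("tclass"), p) for p in m.group("perms").split())
    return out

def build_module(name, version, text):
    """Merge denials per (source, target, class) into a TE module, like audit2allow -M."""
    rules = OrderedDict()
    for st, tt, cls, perm in parse_avc(text):
        perms = rules.setdefault((st, tt, cls), [])
        if perm not in perms:
            perms.append(perm)
    types = list(OrderedDict.fromkeys(t for k in rules for t in k[:2]))
    classes = list(OrderedDict.fromkeys((k[2], p) for k, ps in rules.items() for p in ps))
    lines = [f"module {name} {version};", "require {"]
    lines += [f"\ttype {t};" for t in types] + [f"\tclass {c} {p};" for c, p in classes]
    lines.append("}")
    for (st, tt, cls), perms in rules.items():
        target = "self" if st == tt else tt  # same type on both sides -> self
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        lines.append(f"allow {st} {target}:{cls} {p};")
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_module("xpraforwarder", "1.0", AVC_LINES))
```

Rules generated this way grant exactly what the denials asked for; they should still be read line by line before loading, since a blanket connectto to unconfined_t is broader than the single xpra socket the backend needs.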

Fri, 12 Aug 2016 12:21:13 GMT - Antoine Martin:

Managed to come up with a policy that allows the backend to run without warnings or errors: r13317.

Still TODO:


Sun, 14 Aug 2016 14:31:52 GMT - Antoine Martin:

r13346 adds RPM packaging support for the "cups_xpra" selinux module.

Moving the full selinux policy to #1283.


Mon, 15 Aug 2016 10:14:53 GMT - Antoine Martin: owner, status changed

Got some feedback, made some improvements in r13358. (r13367 includes a patch for the policy so that it can be used on systems that do not support XDG_RUNTIME_DIR, see ticket:1129#comment:23 for details).

Ready for testing.


Tue, 27 Sep 2016 09:16:37 GMT - Antoine Martin: priority, milestone changed


Tue, 22 Nov 2016 19:39:16 GMT - Smo: status changed; resolution set

I haven't found any issues with this on Fedora 23 and 24. I've done some rough testing with a non-attached printer but not much with a real printer.

If we run into errors we'll open a new ticket.


Thu, 24 Nov 2016 11:40:54 GMT - Antoine Martin: summary changed


Mon, 02 Sep 2019 15:38:14 GMT - Antoine Martin:

See also #1283, #2265


Sat, 23 Jan 2021 05:06:51 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/815