Xpra: Ticket #2265: printing permission errors

With selinux in enforcing mode, we get:

cupsd[7407]: REQUEST localhost - - "POST /printers/WIN7PRO64-PCCanon-G2000-series-Printer HTTP/1.1" 200 11277 Print-Job successful-ok
xpraforwarder[12833]: '/usr/lib/cups/backend/xpraforwarder' '430' 'antoine' 'Untitled Document 1' '1' 'InputSlot=Default number-up=1 PageSize=A4 noCollate Duplex=None job-uuid=urn:uuid:0d3fcb1d-eb6f-3054-74ce-7e4665abb621 job-originating-host-name=localhost date-time-at-creation= date-time-at-processing= time-at-creation=1554743759 time-at-processing=1554743759'
xpraforwarder[12833]: version 3.0, username: antoine, title: Untitled Document 1, filename: -, job_id: 430
xpraforwarder[12833]: uid=(0, 0, 0), gid=(7, 7, 7)
xpraforwarder[12833]: DEVICE_URI=xpraforwarder:/tmp?display=%3A20&source=948bf580fddb9196be1de3228448866026eb8a9b&socket-path=%2Frun%2Fuser%2F1000%2Fxpra%2Fdesktop-20&remote-printer=%5C%5CWIN7PRO64-PC%5CCanon+G2000+series+Printer&remote-device-uri=None&mimetype=application%2Fpostscript
xpraforwarder[12833]: parsed attributes={'mimetype': ['application/postscript'], 'socket-path': ['/run/user/1000/xpra/desktop-20'], 'remote-printer': ['\\\\WIN7PRO64-PC\\Canon G2000 series Printer'], 'remote-device-uri': ['None'], 'source': ['948bf580fddb9196be1de3228448866026eb8a9b'], 'display': [':20']}
xpraforwarder[12833]: xpra display: :20, socket-path: /run/user/1000/xpra/desktop-20
xpraforwarder[12833]: running: ['xpra', 'print', 'socket:/run/user/1000/xpra/desktop-20', '-', 'application/postscript', '948bf580fddb9196be1de3228448866026eb8a9b', 'Untitled Document 1', '\\\\WIN7PRO64-PC\\Canon G2000 series Printer', '1', 'InputSlot=Default number-up=1 PageSize=A4 noCollate Duplex=None job-uuid=urn:uuid:0d3fcb1d-eb6f-3054-74ce-7e4665abb621 job-originating-host-name=localhost date-time-at-creation= date-time-at-processing= time-at-creation=1554743759 time-at-processing=1554743759']
xpraforwarder[12833]: returncode=1
xpraforwarder[12833]: stdout=
xpraforwarder[12833]: stderr=xpra initialization error:
    failed to connect to '/run/user/1000/xpra/desktop-20':
    [Errno 13] Permission denied

With selinux not in enforcing mode, it does work - here are the AVCs:

avc:  denied  { write } for  pid=13464 comm="xpra" name="desktop-20" dev="tmpfs" ino=2876468 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
avc:  denied  { connectto } for  pid=13464 comm="xpra" path="/run/user/1000/xpra/desktop-20" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
avc:  denied  { getattr } for  pid=13732 comm="mdadm" path="/dev/gpmctl" dev="devtmpfs" ino=33443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1
avc:  denied  { read } for  pid=13732 comm="mdadm" name="nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
avc:  denied  { open } for  pid=13732 comm="mdadm" path="/dev/nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
avc:  denied  { ioctl } for  pid=13732 comm="mdadm" path="/dev/nvme1n1p1" dev="devtmpfs" ino=15684 ioctlcmd=0x1268 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
avc:  denied  { read } for  pid=13873 comm="mdadm" name="nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
avc:  denied  { open } for  pid=13873 comm="mdadm" path="/dev/nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1
avc:  denied  { ioctl } for  pid=13873 comm="mdadm" path="/dev/nvme1n1p1" dev="devtmpfs" ino=15684 ioctlcmd=0x1268 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1

The quick and dirty "fix" would be:

#============= cupsd_t ==============
allow cupsd_t unconfined_t:unix_stream_socket connectto;
allow cupsd_t user_tmp_t:sock_file write;

But this would allow cups to connect to any socket..


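As an added example, not part of this ticket or of xpra's own code: a small audit2allow-style reducer over the AVC lines above. It collapses the denials into one allow rule per (source type, target type, class), filters to the cupsd_t domain so the unrelated pcp_pmcd_t/mdadm noise is dropped, and flags any rule whose target type is unconfined_t. Fed the ticket's own AVCs it reproduces the two "quick and dirty" lines and marks the connectto one as over-broad. The BROAD_TARGET_TYPES set is an assumption made for this example, not something SELinux or xpra provides.

```python
import re
from collections import defaultdict

# Constructed sample input: AVC lines copied from this ticket's permissive-mode run.
# The first two come from the xpra print job launched by the cups backend; the rest are
# unrelated pcp_pmcd_t denials that were logged at the same time.
SAMPLE_AVCS = [
    'avc:  denied  { write } for  pid=13464 comm="xpra" name="desktop-20" dev="tmpfs" ino=2876468 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1',
    'avc:  denied  { connectto } for  pid=13464 comm="xpra" path="/run/user/1000/xpra/desktop-20" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1',
    'avc:  denied  { getattr } for  pid=13732 comm="mdadm" path="/dev/gpmctl" dev="devtmpfs" ino=33443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:gpmctl_t:s0 tclass=sock_file permissive=1',
    'avc:  denied  { read } for  pid=13732 comm="mdadm" name="nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1',
    'avc:  denied  { open } for  pid=13732 comm="mdadm" path="/dev/nvme1n1p1" dev="devtmpfs" ino=15684 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1',
    'avc:  denied  { ioctl } for  pid=13732 comm="mdadm" path="/dev/nvme1n1p1" dev="devtmpfs" ino=15684 ioctlcmd=0x1268 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=1',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

# Target types that make an allow rule effectively unbounded: unconfined_t is the domain of
# every ordinary user session, so connectto on its sockets reaches any unix socket those
# sessions listen on. Assumption: this set is a heuristic chosen for the example, not a
# list provided by the policy.
BROAD_TARGET_TYPES = {"unconfined_t"}


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    comm = re.search(r'comm="([^"]*)"', line)
    return {
        "perms": set(m.group("perms").split()),
        "comm": comm.group(1) if comm else None,
        # a context is user:role:type[:range]; rules are written against the type
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def allow_rules(lines, source_type=None):
    """Collapse denials into audit2allow-style allow rules, one per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc is None or (source_type and avc["stype"] != source_type):
            continue
        perms_by_key[(avc["stype"], avc["ttype"], avc["tclass"])] |= avc["perms"]
    rules = []
    for (stype, ttype, tclass), perms in perms_by_key.items():
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ %s }" % perm_str
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, perm_str))
    return sorted(rules)


def broad_rules(rules):
    """Return the generated rules whose target type is an unconfined domain."""
    flagged = []
    for rule in rules:
        # "allow src tgt:class perms;" -> "tgt:class" -> "tgt"
        target = rule.split()[2].split(":")[0]
        if target in BROAD_TARGET_TYPES:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    cups_rules = allow_rules(SAMPLE_AVCS, source_type="cupsd_t")
    print("#============= cupsd_t ==============")
    for rule in cups_rules:
        print(rule)
    for rule in broad_rules(cups_rules):
        print("# WARNING, overly broad target: %s" % rule)
```

Run stand-alone it prints the same two rules as the snippet above, with the connectto rule flagged. Filtering on the source type matters because permissive mode logs every denial on the box, not only the one that broke the print job. A narrower rule would need the xpra socket and server to carry a dedicated type instead of user_tmp_t and unconfined_t; the ticket does not go that far.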

Mon, 02 Sep 2019 15:37:51 GMT - Antoine Martin: priority, status changed; resolution set

Some of those avcs were caused by a missing policy and are already covered in #815, fixes added in r23682.


Sat, 23 Jan 2021 05:46:35 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2265