Re: xpra printer forwarding currently requires a change to the core policy

On 08/11/2016 06:05 PM, Antoine Martin wrote:
> On 11/08/16 22:10, Miroslav Grepl wrote:
>> On 08/11/2016 10:18 AM, antoine@xxxxxxxxxxxxx wrote:
>>> xpra printer forwarding works by adding a PDF or PS virtual printer via a cups backend.
>>> This cups backend then connects to the local xpra server via a unix domain socket and the server then forwards the PDF or PS file to the xpra client for printing.
>>>
>>> The problem is connecting to the xpra server socket, which is currently forbidden by the core policy.
>>>
>>> Here's what we have to add to make it work at the moment with the server socket in "~/.xpra/":
>>>     userdom_manage_user_home_content_files(cupsd_t)
>>>     userdom_manage_user_home_content_symlinks(cupsd_t)
>>>     userdom_manage_user_home_content_pipes(cupsd_t)
>>>     userdom_manage_user_home_content_sockets(cupsd_t)
>>>
>>> Alternatively, if that helps, we can also place the server socket in /run/user/$UID/xpra, but then we still get:
>>>     type=AVC msg=audit(1470902846.451:911): avc:  denied  { write } for  pid=9644 comm="xpra" name="desktop-100" dev="tmpfs" ino=74293 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
>>>     type=AVC msg=audit(1470902846.451:912): avc:  denied  { connectto } for  pid=9644 comm="xpra" path="/run/user/1000/xpra/desktop-100" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
>>>
>>> What is the preferred way forward to allow users to have both selinux in enforcing mode and printing to work with xpra by default?
>>> --
>>> selinux mailing list
>>> selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>> https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>
>>
>> We could try to label xpra by a label to get it running in a different
>> CUPS domain.
>>
>> What is a path to xpra?
> The main script is:
> $ ls -aZl /usr/bin/xpra
> -rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 186 Aug  9 23:44
> /usr/bin/xpra
> The cups backend is:
> $ ls -aZl /usr/lib/cups/backend/xpraforwarder
> -rwx------. 1 root root system_u:object_r:bin_t:s0 5146 Aug 11 14:57
> /usr/lib/cups/backend/xpraforwarder
> 
>> What does
>>
>> chcon -t cups_pdf_exec_t PATHTO/xpra
> Xpra does a lot more than just printer forwarding, it acts as a
> compositing window manager, talks to X11, etc. Printer forwarding is
> only a secondary feature, so unless I misunderstand what this change is
> meant to do, I don't think we want to go down that route?
> 
> Eventually I would like to have a policy for the whole of xpra:
> http://xpra.org/trac/ticket/815
> But for now, getting printing to work without having to tell users to
> "disable SELinux" would be a good start.
> 
> So maybe do something similar to cups_pdf_exec_t for xpraforwarder, with
> the extra privileges needed for accessing the socket?

Yes, I was looking for the backend. Could you try to label the backend
by cups_pdf_exec_t to see how it works?

Thank you.

> 
> Thanks
> Antoine
> 


-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
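The two AVC records quoted above are the raw material for whatever policy change is chosen. The following is an added example (not code from the thread or from xpra) that parses such records the way audit2allow's first pass does and collapses them into the allow rules they imply; the optional `source` argument re-expresses the rules for the domain the backend would run in if it were relabeled with cups_pdf_exec_t, which is the thread's proposed route. The sample input is the two denial lines from the thread, unchanged.

```python
import re
from collections import defaultdict

# Sample input: the two AVC records quoted in the thread, copied unchanged.
AVC_SAMPLE = """\
type=AVC msg=audit(1470902846.451:911): avc:  denied  { write } for  pid=9644 comm="xpra" name="desktop-100" dev="tmpfs" ino=74293 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1470902846.451:912): avc:  denied  { connectto } for  pid=9644 comm="xpra" path="/run/user/1000/xpra/desktop-100" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
"""

PERMS_RE = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """user:role:type[:mls] -> type, the component allow rules are written against."""
    return context.split(":")[2]


def parse_avc(line):
    """Return None for non-AVC lines, otherwise a dict describing one access decision."""
    m = PERMS_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "result": m.group(1),
        "perms": set(m.group(2).split()),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # permissive=1 means the access was logged but not blocked
        "permissive": fields.get("permissive") == "1",
    }


def summarize(log):
    """Collapse denials into (source, target, class) -> set of permissions."""
    needed = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            needed[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(needed)


def allow_rules(log, source=None):
    """Render the summary as allow rules; `source` substitutes the domain the
    backend would run in after relabeling (e.g. cups_pdf_t), so the rules stay
    scoped to the backend rather than the whole of cupsd_t."""
    return [f"allow {source or s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summarize(log).items())]
```

The output is a starting point for a .te module, not a finished policy: a reviewer still decides whether `cupsd_t` or a narrower domain should hold each rule.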