[Boomaga backend] ERROR: Can't change mode on directory /var/cache/boomaga: Permission denied #115

Open
entodoays opened this issue May 13, 2022 · 14 comments

Comments

@entodoays

On Fedora Workstation 36, the Boomaga virtual printer doesn't work. From the logs I see the error in the title when I try to print something from Libreoffice writer.

Cups version: 2.4.1
Kernel version: 5.17.6-300.fc36.x86_64
Gnome 42 Wayland

@entodoays
Author

I can open Boomaga and print pdfs, but cannot print from an app.

Boomaga version boomaga-3.3.0-12.git255b54c.fc36.x86_64

@entodoays
Author

I don't know if this is related, but it seems that Fedora enabled SELinux by default:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

@entodoays
Author

I tried disabling selinux with sudo setenforce 0 and this makes Boomaga work properly. Is this a Boomaga bug or should I post a bug report somewhere else?

@SokoloffA
Member

Unfortunately I don't have enough time to support this project.
Excuse me!

@entodoays
Author

The SELinux Alert shown is this

SELinux is preventing boomaga from setattr access on the directory /var/cache/boomaga/user.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow boomaga to have setattr access on the user directory
Then you need to change the label on /var/cache/boomaga/user
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/boomaga/user'
where FILE_TYPE is one of the following: cupsd_etc_t, cupsd_log_t, cupsd_rw_etc_t, cupsd_tmp_t, cupsd_var_run_t, fonts_cache_t, print_spool_t.
Then execute:
restorecon -v '/var/cache/boomaga/user'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that boomaga should be allowed setattr access on the user directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'boomaga' --raw | audit2allow -M my-boomaga
# semodule -X 300 -i my-boomaga.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/cache/boomaga/user [ dir ]
Source                        boomaga
Source Path                   boomaga
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.8-2.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.8-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 5.17.7-300.fc36.x86_64 #1 SMP PREEMPT
                              Thu May 12 14:56:44 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-05-18 09:25:42 CEST
Last Seen                     2022-05-18 09:25:42 CEST
Local ID                      fcf9d05e-bd5b-4ef6-8a1f-a9a1f94705ff

Raw Audit Messages
type=AVC msg=audit(1652858742.233:473): avc:  denied  { setattr } for  pid=16952 comm="boomaga" name="user" dev="nvme0n1p7" ino=2129750 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0


Hash: boomaga,cupsd_t,var_t,dir,setattr

@zpytela

zpytela commented May 23, 2022

@entodoays I am not familiar with boomaga, but I suppose its cache directory should have a cups private type. As a workaround, you can follow the setroubleshoot recommendation and run

semanage fcontext -a -t cupsd_rw_etc_t /var/cache/boomaga
restorecon -Rv /var/cache/boomaga

@entodoays
Author

entodoays commented May 23, 2022

I ran these commands and I still get the following errors:

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that boomaga should be allowed sys_ptrace access on cap_userns labeled cupsd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'boomaga' --raw | audit2allow -M my-boomaga
# semodule -X 300 -i my-boomaga.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Objects                Unknown [ cap_userns ]
Source                        boomaga
Source Path                   boomaga
Port                          <Unknown>
Host                          user-inspiron
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.8-2.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.8-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     user-inspiron
Platform                      Linux user-inspiron 5.17.7-300.fc36.x86_64 #1 SMP
                              PREEMPT Thu May 12 14:56:44 UTC 2022 x86_64 x86_64
Alert Count                   22
First Seen                    2022-05-20 14:03:13 CEST
Last Seen                     2022-05-20 14:03:13 CEST
Local ID                      ......

Raw Audit Messages
type=AVC msg=audit(1653048193.669:389): avc:  denied  { sys_ptrace } for  pid=10040 comm="boomaga" capability=19  scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0


Hash: boomaga,cupsd_t,cupsd_t,cap_userns,sys_ptrace

@zpytela

zpytela commented May 23, 2022

Do you happen to know which particular action triggers this denial? Please file a bz on selinux-policy with all details. This local module can be used to work around:

cat local_cups_userns.cil
(allow cupsd_t cupsd_t (cap_userns (sys_ptrace)))
semodule -i local_cups_userns.cil

@entodoays
Author

entodoays commented May 23, 2022

I'm new to selinux. Where should I find local_cups_userns.cil? If it is a file that I am to create the cat command doesn't do that AFAIK.
Should I create a file called local_cups_userns.cil that contains (allow cupsd_t cupsd_t (cap_userns (sys_ptrace))) and then run semodule -i local_cups_userns.cil?

@zpytela

zpytela commented May 23, 2022

> I'm new to selinux. Where should I find local_cups_userns.cil? If it is a file that I am to create the cat command doesn't do that AFAIK. Should I create a file called local_cups_userns.cil that contains (allow cupsd_t cupsd_t (cap_userns (sys_ptrace))) and then run semodule -i local_cups_userns.cil?

Right, create a new file and run semodule -i as superuser to install a local module.

@entodoays
Author

entodoays commented May 23, 2022

This didn't solve the problem. I think it made it worse. Before I would get a print job for Boomaga but the Boomaga GUI would never appear. Now no print job appears under the printer's spooler. I didn't get any SE alert though.
I tried removing the custom policy with semodule -i local_cups_userns.cil and got:

libsemanage.semanage_direct_remove_key: Unable to remove module local_cups_userns.cil at priority 400. (No such file or directory).
semodule:  Failed!

@zpytela

zpytela commented May 23, 2022

IMHO a local policy like this, addressing reported AVCs, can hardly make things worse. Anyway, it can be removed with

semodule -d local_cups_userns

@entodoays
Author

So, I tried disabling selinux enforcing with sudo setenforce 0 and tried printing. Boomaga worked as designed but got the following SE alert:

SELinux is preventing QDBusConnection from connectto access on the unix_stream_socket /run/user/1000/bus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that QDBusConnection should be allowed connectto access on the bus unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'QDBusConnection' --raw | audit2allow -M my-QDBusConnection
# semodule -X 300 -i my-QDBusConnection.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_dbusd_t:s0-
                              s0:c0.c1023
Target Objects                /run/user/1000/bus [ unix_stream_socket ]
Source                        QDBusConnection
Source Path                   QDBusConnection
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.8-2.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.8-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     fedora
Platform                      Linux fedora 5.17.8-300.fc36.x86_64 #1 SMP PREEMPT
                              Mon May 16 01:00:37 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-05-23 16:45:20 CEST
Last Seen                     2022-05-23 16:45:20 CEST
Local ID                      6aabb628-1161-48ee-953f-e254a3829edc

Raw Audit Messages
type=AVC msg=audit(1653317120.132:692): avc:  denied  { connectto } for  pid=27704 comm="QDBusConnection" path="/run/user/1000/bus" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1


Hash: QDBusConnection,cupsd_t,unconfined_dbusd_t,unix_stream_socket,connectto

Hope this helps to understand what the issue is.

@vmojzis

vmojzis commented May 31, 2022

@entodoays as a workaround you can add
(allow cupsd_t unconfined_dbusd_t (unix_stream_socket (connectto)))
to local_cups_userns.cil and reinstall it.
But before that please report a bugzilla ticket on selinux-policy with all details. To collect all the relevant AVCs remove the temporary policy module,
sudo semodule -r local_cups_userns
set SELinux to permissive mode, rerun the use case and collect all generated AVCs
sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent (note that -ts recent limits the search to last 10 minutes).
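The two CIL rules proposed in this thread are exactly what audit2allow derives from the raw AVC records, and the first denial (target type var_t) was better fixed by relabeling than by an allow rule. The parser below is an added example, not code from Boomaga or from any commenter: it turns the three AVC records quoted above into CIL allow statements and flags denials whose target carries a generic type, where relabeling is the right fix. The GENERIC_TYPES list is an assumed heuristic, not part of any SELinux tool.

```python
import re

# Constructed input: the three raw AVC records quoted in this thread.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1652858742.233:473): avc:  denied  { setattr } for  pid=16952 comm="boomaga" name="user" dev="nvme0n1p7" ino=2129750 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1653048193.669:389): avc:  denied  { sys_ptrace } for  pid=10040 comm="boomaga" capability=19  scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0',
    'type=AVC msg=audit(1653317120.132:692): avc:  denied  { connectto } for  pid=27704 comm="QDBusConnection" path="/run/user/1000/bus" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1',
]

# Pull the fields a CIL allow rule is built from out of an AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

# Heuristic (assumption): a denial whose target carries one of these generic types
# usually means the object is mislabeled, so relabel it instead of adding an allow rule.
GENERIC_TYPES = {'var_t', 'var_run_t', 'var_lib_t', 'tmp_t', 'etc_t', 'usr_t', 'default_t'}

def parse_avc(line):
    """Return the type/class/permission fields of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    ctx_type = lambda ctx: ctx.split(':')[2]  # user:role:type[:range] -> type
    return {'perms': m.group('perms').split(),
            'stype': ctx_type(m.group('scontext')),
            'ttype': ctx_type(m.group('tcontext')),
            'tclass': m.group('tclass')}

def to_cil(rec):
    """One CIL allow statement in the form used in this thread."""
    return '(allow {} {} ({} ({})))'.format(
        rec['stype'], rec['ttype'], rec['tclass'], ' '.join(rec['perms']))

def triage(lines):
    """Map each distinct denial to ('relabel' | 'allow', cil_rule)."""
    out, seen = [], set()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        rule = to_cil(rec)
        if rule not in seen:
            seen.add(rule)
            out.append(('relabel' if rec['ttype'] in GENERIC_TYPES else 'allow', rule))
    return out

if __name__ == '__main__':
    for action, rule in triage(SAMPLE_AVCS):
        print(action, rule)
```

Feeding it the output of the ausearch command above (one AVC record per line) gives the same rules audit2allow would write, plus a hint about which ones should be a semanage fcontext/restorecon fix instead.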
