Boomaga / boomaga

Boomaga provides a virtual printer for CUPS. This can be used for print preview or for print booklets.

[Boomaga backend] ERROR: Can't change mode on directory /var/cache/boomaga: Permission denied

entodoays opened this issue · comments

On Fedora Workstation 36, the Boomaga virtual printer doesn't work. From the logs I see the error in the title when I try to print something from LibreOffice Writer.

Cups version: 2.4.1
Kernel version: 5.17.6-300.fc36.x86_64
Gnome 42 Wayland

I can open Boomaga and print pdfs, but cannot print from an app.

Boomaga version boomaga-3.3.0-12.git255b54c.fc36.x86_64

I don't know if this is related, but it seems that Fedora enabled SELinux by default:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

I tried disabling SELinux with sudo setenforce 0 and this makes Boomaga work properly. Is this a Boomaga bug or should I post a bug report somewhere else?

Unfortunately I don't have enough time to support this project.
Excuse me!

The SELinux Alert shown is this

SELinux is preventing boomaga from setattr access on the directory /var/cache/boomaga/user.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow boomaga to have setattr access on the user directory
Then you need to change the label on /var/cache/boomaga/user
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/boomaga/user'
where FILE_TYPE is one of the following: cupsd_etc_t, cupsd_log_t, cupsd_rw_etc_t, cupsd_tmp_t, cupsd_var_run_t, fonts_cache_t, print_spool_t.
Then execute:
restorecon -v '/var/cache/boomaga/user'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that boomaga should be allowed setattr access on the user directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'boomaga' --raw | audit2allow -M my-boomaga
# semodule -X 300 -i my-boomaga.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                /var/cache/boomaga/user [ dir ]
Source                        boomaga
Source Path                   boomaga
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.8-2.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.8-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 5.17.7-300.fc36.x86_64 #1 SMP PREEMPT
                              Thu May 12 14:56:44 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-05-18 09:25:42 CEST
Last Seen                     2022-05-18 09:25:42 CEST
Local ID                      fcf9d05e-bd5b-4ef6-8a1f-a9a1f94705ff

Raw Audit Messages
type=AVC msg=audit(1652858742.233:473): avc:  denied  { setattr } for  pid=16952 comm="boomaga" name="user" dev="nvme0n1p7" ino=2129750 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0


Hash: boomaga,cupsd_t,var_t,dir,setattr

@entodoays I am not familiar with boomaga, but I suppose its cache directory should have a cups private type. As a workaround, you can follow the setroubleshoot recommendation and run

semanage fcontext -a -t cupsd_rw_etc_t /var/cache/boomaga
restorecon -Rv /var/cache/boomaga

I ran these commands and I still get the following errors:

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that boomaga should be allowed sys_ptrace access on cap_userns labeled cupsd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'boomaga' --raw | audit2allow -M my-boomaga
# semodule -X 300 -i my-boomaga.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Objects                Unknown [ cap_userns ]
Source                        boomaga
Source Path                   boomaga
Port                          <Unknown>
Host                          user-inspiron
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.8-2.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.8-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     user-inspiron
Platform                      Linux user-inspiron 5.17.7-300.fc36.x86_64 #1 SMP
                              PREEMPT Thu May 12 14:56:44 UTC 2022 x86_64 x86_64
Alert Count                   22
First Seen                    2022-05-20 14:03:13 CEST
Last Seen                     2022-05-20 14:03:13 CEST
Local ID                      ......

Raw Audit Messages
type=AVC msg=audit(1653048193.669:389): avc:  denied  { sys_ptrace } for  pid=10040 comm="boomaga" capability=19  scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0


Hash: boomaga,cupsd_t,cupsd_t,cap_userns,sys_ptrace

Do you happen to know which particular action triggers this denial? Please file a bz on selinux-policy with all details. This local module can be used to work around:

cat local_cups_userns.cil
(allow cupsd_t cupsd_t (cap_userns (sys_ptrace)))
semodule -i local_cups_userns.cil

I'm new to SELinux. Where should I find local_cups_userns.cil? If it is a file that I am to create, the cat command doesn't do that AFAIK.
Should I create a file called local_cups_userns.cil that contains (allow cupsd_t cupsd_t (cap_userns (sys_ptrace))) and then run semodule -i local_cups_userns.cil?

Right, create a new file and run semodule -i as superuser to install a local module.

This didn't solve the problem. I think it made it worse. Before, I would get a print job for Boomaga but the Boomaga GUI would never appear. Now no print job appears under the printer's spooler. I didn't get any SE alert though.
I tried removing the custom policy with semodule -i local_cups_userns.cil and got:

libsemanage.semanage_direct_remove_key: Unable to remove module local_cups_userns.cil at priority 400. (No such file or directory).
semodule:  Failed!

IMHO a local policy like this, addressing reported AVCs, can hardly make things worse. Anyway, it can be removed with

semodule -d local_cups_userns

So, I tried disabling SELinux enforcing with sudo setenforce 0 and tried printing. Boomaga worked as designed but got the following SE alert:

SELinux is preventing QDBusConnection from connectto access on the unix_stream_socket /run/user/1000/bus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that QDBusConnection should be allowed connectto access on the bus unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'QDBusConnection' --raw | audit2allow -M my-QDBusConnection
# semodule -X 300 -i my-QDBusConnection.pp

Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_dbusd_t:s0-
                              s0:c0.c1023
Target Objects                /run/user/1000/bus [ unix_stream_socket ]
Source                        QDBusConnection
Source Path                   QDBusConnection
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.8-2.fc36.noarch
Local Policy RPM              selinux-policy-targeted-36.8-2.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     fedora
Platform                      Linux fedora 5.17.8-300.fc36.x86_64 #1 SMP PREEMPT
                              Mon May 16 01:00:37 UTC 2022 x86_64 x86_64
Alert Count                   1
First Seen                    2022-05-23 16:45:20 CEST
Last Seen                     2022-05-23 16:45:20 CEST
Local ID                      6aabb628-1161-48ee-953f-e254a3829edc

Raw Audit Messages
type=AVC msg=audit(1653317120.132:692): avc:  denied  { connectto } for  pid=27704 comm="QDBusConnection" path="/run/user/1000/bus" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1


Hash: QDBusConnection,cupsd_t,unconfined_dbusd_t,unix_stream_socket,connectto

Hope this helps to understand what the issue is.

@entodoays as a workaround you can add
(allow cupsd_t unconfined_dbusd_t (unix_stream_socket (connectto)))
to local_cups_userns.cil and reinstall it.
But before that please report a Bugzilla ticket on selinux-policy with all details. To collect all the relevant AVCs, remove the temporary policy module:

sudo semodule -r local_cups_userns

set SELinux to permissive mode, rerun the use case and collect all generated AVCs:

sudo ausearch -m AVC,USER_AVC,SELINUX_ERR -ts recent

(note that -ts recent limits the search to the last 10 minutes).
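Turning the three AVC records quoted in this thread into a local module mechanically, as an added example that is not part of the original thread and not Boomaga or selinux-policy code: the Python below is a small stand-in for audit2allow. It parses raw `type=AVC` lines, emits CIL allow rules in the same form as local_cups_userns.cil above, and, for denials whose target carries a generic file type such as var_t, recommends the semanage fcontext/restorecon relabel instead of an allow rule (an allow on var_t would cover every var_t-labeled object on the system, not just the cache directory). The sample records are the ones printed by setroubleshoot in this thread; the set of "generic" types is an assumption made for the example.

```python
"""Mini audit2allow: AVC denial records -> CIL rules or relabel advice.

Added example for this thread; not Boomaga or selinux-policy code.
"""
import re

# Sample input: the three raw AVC records printed by setroubleshoot above.
SAMPLE_AVCS = """\
type=AVC msg=audit(1652858742.233:473): avc:  denied  { setattr } for  pid=16952 comm="boomaga" name="user" dev="nvme0n1p7" ino=2129750 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1653048193.669:389): avc:  denied  { sys_ptrace } for  pid=10040 comm="boomaga" capability=19  scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=AVC msg=audit(1653317120.132:692): avc:  denied  { connectto } for  pid=27704 comm="QDBusConnection" path="/run/user/1000/bus" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption for this example: generic file types shared by many unrelated
# objects. An allow rule on one of these grants the source domain access to
# every object of that type, so the right fix is a private label for the path.
GENERIC_FILE_TYPES = {"var_t", "var_lib_t", "tmp_t", "etc_t", "usr_t",
                      "default_t", "unlabeled_t"}
FILE_CLASSES = {"dir", "file", "lnk_file", "sock_file", "fifo_file"}


def parse_avc(line):
    """Return a dict for one 'type=AVC ... avc: denied' record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    # Contexts are user:role:type[:range]; the type is the third field.
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # name= is only the last path component; path= is a full path.
        "path": fields.get("path") or fields.get("name"),
        # permissive=1 records come from a setenforce 0 run, which is how the
        # complete set of denials for one use case gets collected.
        "permissive": fields.get("permissive") == "1",
    }


def to_cil(rec):
    """CIL allow rule in the same form as local_cups_userns.cil above."""
    return "(allow {} {} ({} ({})))".format(
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))


def recommend(rec):
    """('allow', cil_rule) or ('relabel', advice) for one record."""
    if rec["tclass"] in FILE_CLASSES and rec["ttype"] in GENERIC_FILE_TYPES:
        return ("relabel",
                "{}: target labeled {}; give it a private type with "
                "'semanage fcontext -a -t <type> <path>' and 'restorecon -Rv <path>' "
                "rather than allowing {} on all {} objects".format(
                    rec["path"], rec["ttype"], rec["stype"], rec["ttype"]))
    return ("allow", to_cil(rec))


def build_module(text):
    """Parse every AVC line in text; return (cil_rules, relabel_notes), deduplicated."""
    rules, notes = [], []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        kind, payload = recommend(rec)
        bucket = rules if kind == "allow" else notes
        if payload not in bucket:
            bucket.append(payload)
    return rules, notes


if __name__ == "__main__":
    rules, notes = build_module(SAMPLE_AVCS)
    print("; install: sudo semodule -i local_boomaga.cil ; remove: sudo semodule -r local_boomaga")
    print("\n".join(rules))
    for n in notes:
        print("; relabel instead:", n)
```

Run as a script it prints the two allow rules (cap_userns sys_ptrace and the connectto on unconfined_dbusd_t) and a relabel note for the var_t directory, which matches what the thread arrived at by hand. The rules go into a .cil file installed with `semodule -i`; the module is later removed by name without the .cil suffix, as the `semodule -r local_cups_userns` line above does.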