Boomaga / boomaga

Boomaga provides a virtual printer for CUPS. This can be used for print preview or for print booklets.

"Can't change GID to 1000" and "Can't create cache" Fedora 24 & 25

cjustin88 opened this issue · comments

Hi,

I am encountering two errors with the Boomaga virtual printer.

  1. The printer state "Stopped - [Boomaga root] Can't change GID to 1000: Operation not permitted" when I try to print to the Boomaga virtual printer.

I am using Fedora 25 (also tried on Fedora 24) with Boomaga installed via RPM from the official repo:
Name : boomaga
Arch : x86_64
Epoch : 0
Version : 0.8.0
Release : 1.git157fd2e.fc25
Size : 1.0 M
Repo : @System
From repo : fedora

I have SELinux in enforcing mode but no SELinux alert from Boomaga registers.

Manually "re-installing" the PPD with boomaga.ppd does not result in any change of behavior. I am able to open up the Boomaga GUI without any problems. Restarting CUPS also does not result in any change of behavior (systemctl restart cups.service). Both logs in /var/log/cups (access_log and page_log) both seem to be empty.

Reproduction steps:
i) sudo dnf install boomaga
ii) Print to virtual printer (tried Firefox and Chrome)
iii) Nothing seems to happen, system-config-printer GUI gives printer state error.

  2. In trying to debug this, I uninstalled Boomaga from RPM (dnf remove boomaga), then built and installed it from source (install pre-reqs, cmake, make, make install) and installed the printer manually (sudo ./installPrinter.sh).

Now with it installed from source, when I try to print, I get the printer state: "Stopped - [Boomaga] Can't create chache directory /home/justin/.cache". The GID error does not appear. Interestingly, the Make and Model given is "@CUPS_BACKEND_MODEL@". Re-installing the PPD changes the printer model to "Boomaga printer" but does not produce any change in behavior. I am able to open the Boomaga GUI without any problems. Restarting CUPS also does not result in any change of behavior (systemctl restart cups.service). Both logs in /var/log/cups (access_log and page_log) both seem to be empty.

Reproduction steps:
i) install from source (boomaga -V: boomaga 0.8.0)
ii) ./installPrinter.sh (has to be done with root permissions or else no printer is installed)
iii) Nothing seems to happen, system-config-printer GUI gives printer state error.

I am able to print to other (physical) CUPS printers without any issues.

Thanks,
Justin

Thanks for the best report.

I installed Fedora 25 in the VirtualBox. I was able to reproduce both problems.
It looks like Fedora has tightened restrictions for CUPS backends. I'll think about how to work around this restriction; perhaps it makes sense to use systemd for it.

About "can't change GID to 1000".

There are 2 problems:

  1. Error in the RPM package. The file /usr/lib/cups/backend/boomaga should have 700(rwx------) permissions.

Permissions
Backends without world read and execute permissions are run as the root user. Otherwise, the backend is run using an unprivileged user account, typically "lp".
https://www.cups.org/doc/man-backend.html

  2. The /usr/lib64/boomaga/boomagabackend requires SELinux policy. It requires
  • Write to ~/.cache directory
  • Send DBus messages

I was trying to write policy, but failed. Can you help me?

Reproduction steps:

[root@localhost ~]# chmod 700 /usr/lib/cups/backend/boomaga 
[root@localhost ~]# setenforce 0
[root@localhost ~]# cupsenable boomaga
[sokoloff@localhost]$ lpr /usr/share/doc/boomaga/README.md

I followed your reproduction steps exactly and am able to get Boomaga working properly (I can successfully print to the virtual printer and Boomaga opens automatically). If I setenforce 1, Boomaga does not work.

However, I do have the following custom SELinux policy in conjunction with setenforce 0:

SELinux is preventing boomagabackend from write access on the sock_file bus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that boomagabackend should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
 ausearch -c 'boomagabackend' --raw | audit2allow -M my-boomagabackend
 semodule -X 300 -i my-boomagabackend.pp

Can you try adding that and seeing if it works? I am not familiar with SELinux unfortunately...

@cjustin88
could you please test the new package on https://martinkg.fedorapeople.org/Review/test/boomaga/
that includes a selinux subpackage. Please give feedback.

@martinkg

I installed both packages and still cannot print successfully to Boomaga (still getting the Stopped - [Boomaga] Can't create chache directory /home/justin/.cache error):

➜  Downloads sudo rpm -ivh boomaga-0.8.0-5.git074682a.fc25.x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:boomaga-0.8.0-5.git074682a.fc25  ################################# [100%]
Printer Boomaga has been installed successfully.
➜  Downloads sudo rpm -ivh boomaga-selinux-0.8.0-5.git074682a.fc25.x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:boomaga-selinux-0.8.0-5.git074682################################# [100%]

(also did the following with no effect):

➜  Downloads sudo chmod 700 /usr/lib/cups/backend/boomaga 
➜  Downloads sudo cupsenable boomaga 

@cjustin88
could you please test the new packages
boomaga-0.8.0-6.git8a97dc7.fc25
boomaga-selinux-0.8.0-6.git8a97dc7.fc25

from https://martinkg.fedorapeople.org/Review/test/boomaga/
Please give me feedback.

@martinkg

Sorry for the late response.

I am still getting print status Stopped - [Boomaga] Can't create chache directory /home/justin/.cache.

Is there any debug info I can give you or SElinux policy I should try?

Thanks.

➜  Downloads sudo rpm -e boomaga-selinux-0.8.0-5.git074682a.fc25.x86_64
➜  Downloads sudo rpm -e boomaga-0.8.0-5.git074682a.fc25.x86_64        
➜  Downloads sudo rpm -ivh boomaga-0.8.0-6.git8a97dc7.fc25.x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:boomaga-0.8.0-6.git8a97dc7.fc25  ################################# [100%]
Printer Boomaga has been installed successfully.
➜  Downloads sudo rpm -ivh boomaga-selinux-0.8.0-6.git8a97dc7.fc25.x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:boomaga-selinux-0.8.0-6.git8a97dc################################# [100%]

I am not familiar with SELinux, so I asked in the SELinux forum, but we did not get any further here.

@martinkg
Maybe the following information will help you. Package cups-pdf has similar requirements and has correct SELinux policy. The difference is that cups-pdf writes files to the user desktop instead of ~/.cache.

@cjustin88 & @SokoloffA
please test the package from https://martinkg.fedorapeople.org/Review/test/boomaga/ again and give me feedback.

@martinkg, @SokoloffA
I tried the new packages and I no longer get the error "can't create cache directory" but I get instead the errors:

Processing - [Boomaga] home:    /home/justin
Stopped - [Boomaga] org.freedesktop.DBus.Error.Spawn.ExecFailed : Failed to execute program org.boomaga: No such file or directory

could you please change the permissions with:
sudo chmod 4754 /usr/libexec/dbus-1/dbus-daemon-launch-helper

this will change the permissions from
-rwsr-x---. 1 root dbus 57888 29. Nov 15:17 /usr/libexec/dbus-1/dbus-daemon-launch-helper
to
-rwsr-xr--. 1 root dbus 57888 29. Nov 15:17 /usr/libexec/dbus-1/dbus-daemon-launch-helper

@martinkg
I installed Fedora in the VirtualBox from scratch, and the last variant of the packages works fine.

@cjustin88
I think you have 2 dbus service files, one from the RPM package and the other from your custom build.

  1. Remove (if exists) /usr/local/share/dbus-1/services/org.boomaga.service file.
  2. Check /usr/share/dbus-1/services/org.boomaga.service that it contains correct path to boomaga executable file.

Should the problem really happen again:

The rules only help if there are AVC messages to analyze.
After the error happened, please run: aureport --avc --start recent and if they are bommaga_cups_t also run: ausearch --context bommaga_cups_t -i --start recent and upload it the URL.
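
The permission rule quoted earlier in the thread from the CUPS backend man page (backends without world read and execute permissions run as root, otherwise as an unprivileged user such as "lp") can be checked across a whole backend directory. The script below is an added example, not part of the thread or of Boomaga; the function names are hypothetical, it assumes GNU `stat`, and it reports modes the quoted sentence does not clearly cover (only one of the two world bits set) as "mixed" rather than guessing.

```shell
#!/bin/sh
# Added example: report which CUPS backends the scheduler would start as root,
# using only the rule quoted from the backend man page in this thread.

# classify_backend_mode MODE
#   MODE is an octal permission string such as 700 or 0755.
#   Prints: root         - no world read and no world execute bit
#           unprivileged - both world read and world execute set
#           mixed        - only one of the two set (not covered by the quote)
classify_backend_mode() {
    other=$(( 0$1 & 7 ))          # leading 0 forces octal interpretation
    case $(( other & 5 )) in      # 4 = world read, 1 = world execute
        0) echo root ;;
        5) echo unprivileged ;;
        *) echo mixed ;;
    esac
}

# audit_backends DIR
#   Prints one line per regular file in DIR: "<class> <mode> <name>".
audit_backends() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f") || continue   # GNU stat (assumption)
        printf '%s %s %s\n' \
            "$(classify_backend_mode "$mode")" "$mode" "${f##*/}"
    done
}

# Stand-alone use: sh audit.sh /usr/lib/cups/backend
if [ $# -gt 0 ]; then
    audit_backends "$1"
fi
```

A backend listed as "root" runs with full privileges, which is why the thread pairs the chmod 700 fix with a dedicated SELinux policy rather than leaving the backend unconfined.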