whitehack_brother_printer_with_selinux

This whitehack includes and improves on Brother's own recommended way of integrating with SELinux:

Brother Title: "I want to print using CUPS while keeping SELinux enabled."

Symptom:

  • When a job is queued to the printer, /var/log/audit.log contains errors:
    execute_no_trans for brlpdwrappermfc filtermfcj6910dw brprintconf_mfc
  • script psconvertij2 calls /usr/bin/gs -r -g2332x5400 -q -dNOPROMPT -dNOPAUSE -dSAFER -sDEVICE=ppmraw -sOutputFile=- - -c quit
  • Note: -r needs an argument, as the error message says: "-r must be followed by <res> or <xres>x<yres>"
  • /etc/opt/brother/Printers/mfcj6910dw/inf/brmfcj6910dwrc is empty

NOTE:

  • this whitehack_brother_printer_with_selinux is released as 0.3 beta.
  • supersedes whitehack_brother_printer_audit2allow
  • It might work for you, it works for me, but I only have 1 printer
  • whitehack_brother_printer_with_selinux-enable should work with more than one concurrent type of printer
  • I am releasing it as a "works for me" hoping some others will give it a go and feedback. (read: beta tester required)
  • If all goes well I will tidy it up and release it as a 1.0

To install use:

yum install ~/rpmbuild/RPMS/noarch/whitehack_brother_printer_with_selinux-enabled-0.3-12m.noarch.rpm

This creates: /usr/bin/whitehack_brother_printer_with_selinux

Once installed it can be temporarily disabled with this command:
/usr/bin/whitehack_brother_printer_with_selinux disable

Once installed its status can be queried with this command:
/usr/bin/whitehack_brother_printer_with_selinux status

To remove again use yum:
yum remove whitehack_brother_printer_with_selinux-enabled

You can also install without enabling with this command:
yum install ~/rpmbuild/RPMS/noarch/whitehack_brother_printer_with_selinux-0.3-12m.noarch.rpm

This alternate install gives you the chance to visually inspect the code in
/usr/bin/whitehack_brother_printer_with_selinux before you run it.

To Build:

To build the .spec file simply run ../whitehack_bin/mkwhitehack in this src directory

This will create 3 files:

Wrote: ~/rpmbuild/SRPMS/whitehack_brother_printer_with_selinux-0.3-12m.src.rpm
Wrote: ~/rpmbuild/RPMS/noarch/whitehack_brother_printer_with_selinux-0.3-12m.noarch.rpm
Wrote: ~/rpmbuild/RPMS/noarch/whitehack_brother_printer_with_selinux-enabled-0.3-12m.noarch.rpm

Download:

Download from: https://sourceforge.net/projects/whitehack/files

Example of audit.log error messages:

audit/audit.log: type=AVC msg=audit(1332817474.398:174): avc:  denied  { execute } for  pid=9242 comm="brlpdwrappermfc" name="filtermfcj6910dw" dev=dm-0 ino=1212446 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file

audit/audit.log: type=SYSCALL msg=audit(1332817474.398:174): arch=40000003 syscall=33 success=no exit=-13 a0=93812d8 a1=1 a2=11 a3=93812d8 items=0 ppid=9226 pid=9242 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="brlpdwrappermfc" exe="/bin/bash" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

But: cups/error_log: I [27/Mar/2012:13:04:34 +1000] [Job 569] Completed successfully.
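
An added example (not part of the whitehack package): a small Python parser that pulls the denied permission, calling command, target file and SELinux types out of AVC records like the one above, so you can list which files cupsd_t was refused permission to execute while CUPS still reported success. The function names are made up for this example; the first record is the page's own, the SYSCALL record is abbreviated, and the httpd_t record is constructed.

```python
import re
from collections import Counter

# Record 1 is the AVC line from the page. Record 2 is the page's SYSCALL line,
# abbreviated. Record 3 is constructed to show that other domains are ignored.
SAMPLE_LOG = '''\
audit/audit.log: type=AVC msg=audit(1332817474.398:174): avc:  denied  { execute } for  pid=9242 comm="brlpdwrappermfc" name="filtermfcj6910dw" dev=dm-0 ino=1212446 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=file
audit/audit.log: type=SYSCALL msg=audit(1332817474.398:174): arch=40000003 syscall=33 success=no exit=-13 comm="brlpdwrappermfc" exe="/bin/bash"
audit/audit.log: type=AVC msg=audit(1332817500.100:180): avc:  denied  { read } for  pid=100 comm="constructed" name="example" dev=dm-0 ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type:level; only the level may contain more ':'.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def cups_exec_denials(log_text, domain='cupsd_t'):
    """Count (comm, file name, target type) for execute/execute_no_trans denials."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['stype'] != domain or rec.get('tclass') != 'file':
            continue
        if any(p.startswith('execute') for p in rec['perms']):
            hits[(rec['comm'], rec['name'], rec['ttype'])] += 1
    return hits


if __name__ == '__main__':
    for (comm, name, ttype), n in cups_exec_denials(SAMPLE_LOG).items():
        print(f'{n}x {comm} -> {name} (labelled {ttype})')
```

Each file it reports with a usr_t label is one that the semanage fcontext / restorecon steps in the installation output below relabel.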

Example of whitehack_brother_printer_with_selinux-enabled installation:

# rpm -ivh whitehack_brother_printer_with_selinux-enabled-0.3-12m.noarch.rpm

Preparing... ########################################### [100%]
1:whitehack_brother_print########################################### [100%]
+ semanage fcontext -a -f -- -s system_u -t bin_t -r s0 /opt/brother/Printers/mfcj6910dw/lpd/.
+ restorecon . brmfcj6910dwfilter filtermfcj6910dw psconvertij2
+ semanage fcontext -a -f -- -s system_u -t bin_t -r s0 /opt/brother/Printers/mfcj6910dw/cupswrapper/.

+ restorecon . brcupsconfpt1 cupswrappermfcj6910dw mfcj6910dw.ppd
+ semanage fcontext -f -- -a -s system_u -t cupsd_rw_etc_t -r s0 /etc/opt/brother/Printers/mfcj6910dw/inf/.*
+ semanage fcontext -f -d -a -s system_u -t cupsd_rw_etc_t -r s0 /etc/opt/brother/Printers/mfcj6910dw/inf
+ restorecon . brmfcj6910dwfunc brmfcj6910dwrc ImagingArea lut paperinfij2 setupPrintcapij
+ restorecon brlpdwrappermfcj6910dw
+ restorecon brprintconf_mfcj6910dw brushtopbm

+ semodule -i whitehackXbrotherXprinterXwithXselinux.pp

NOTE: semodule -i "whitehackXbrotherXprinterXwithXselinux.pp" has now been applied!

