hplip once again creates logfiles in /tmp, which allows
local users to create/overwrite arbitrary files.


Thats here in base/pkit.py

    class BackendService(PolicyKitService):
        INTERFACE_NAME = 'com.hp.hplip'
        SERVICE_NAME   = 'com.hp.hplip'
        LOGFILE_NAME   = '/tmp/hp-pkservice.log'
[...]

Best fix would be for hplip to use the standard syslog facility,
relying on syslogd, rather than creating logfiles in /tmp.