Bug 1265102

Summary: SELinux prevents cupsd from creating /etc/printcap
Product: Red Hat Enterprise Linux 7
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Reporter: Milos Malik <mmalik>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Milos Malik <mmalik>
CC: lvrabec, mgrepl, mmalik, plautrba, psklenar, pvrabec, ssekidde
Target Milestone: rc
Target Release: ---
Fixed In Version: selinux-policy-3.13.1-66.el7
Doc Type: Bug Fix
Type: Bug
Clone Of:
: 1265132
Last Closed: 2016-11-04 02:22:38 UTC

Description Milos Malik 2015-09-22 06:48:39 UTC
Description of problem:

Version-Release number of selected component (if applicable):
cups-1.6.3-22.el7.x86_64
cups-client-1.6.3-22.el7.x86_64
cups-filesystem-1.6.3-22.el7.noarch
cups-filters-1.0.35-21.el7.x86_64
cups-filters-libs-1.0.35-21.el7.x86_64
cups-libs-1.6.3-22.el7.x86_64
cups-lpd-1.6.3-22.el7.x86_64
cups-pk-helper-0.2.4-5.el7.x86_64
selinux-policy-3.13.1-52.el7.noarch
selinux-policy-devel-3.13.1-52.el7.noarch
selinux-policy-doc-3.13.1-52.el7.noarch
selinux-policy-minimum-3.13.1-52.el7.noarch
selinux-policy-mls-3.13.1-52.el7.noarch
selinux-policy-sandbox-3.13.1-52.el7.noarch
selinux-policy-targeted-3.13.1-52.el7.noarch

How reproducible:
always

Steps to Reproduce:
# cat /etc/printcap | tr -d '#'
 /etc/printcap

 Please don't edit this file directly unless you know what you are doing!
 This file will be automatically generated by cupsd(8) from the
 /etc/cups/printers.conf file.  All changes to this file
 will be lost.

# rm -f /etc/printcap 
# service cups status
Redirecting to /bin/systemctl status  cups.service
● cups.service - CUPS Printing Service
   Loaded: loaded (/usr/lib/systemd/system/cups.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
# service cups start
Redirecting to /bin/systemctl start  cups.service
# ls -Z /etc/printcap
ls: cannot access /etc/printcap: No such file or directory
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Actual results (enforcing mode):
----
type=PATH msg=audit(09/22/2015 08:43:49.751:128) : item=1 name=/etc/printcap objtype=CREATE 
type=PATH msg=audit(09/22/2015 08:43:49.751:128) : item=0 name=/etc/ inode=16777345 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT 
type=CWD msg=audit(09/22/2015 08:43:49.751:128) :  cwd=/ 
type=SYSCALL msg=audit(09/22/2015 08:43:49.751:128) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7f05a96acb34 a1=O_WRONLY|O_CREAT|O_EXCL a2=0666 a3=0x7ffe772909f0 items=2 ppid=1 pid=2662 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/22/2015 08:43:49.751:128) : avc:  denied  { create } for  pid=2662 comm=cupsd name=printcap scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file 
----

Expected results:
 * no AVCs, the file gets created

Comment 1 Milos Malik 2015-09-22 06:51:56 UTC
Actual results (permissive mode):
----
type=PATH msg=audit(09/22/2015 08:49:32.117:144) : item=1 name=/etc/printcap inode=18268862 dev=fd:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=CREATE 
type=PATH msg=audit(09/22/2015 08:49:32.117:144) : item=0 name=/etc/ inode=16777345 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT 
type=CWD msg=audit(09/22/2015 08:49:32.117:144) :  cwd=/ 
type=SYSCALL msg=audit(09/22/2015 08:49:32.117:144) : arch=x86_64 syscall=open success=yes exit=11 a0=0x7f7b3b37db34 a1=O_WRONLY|O_CREAT|O_EXCL a2=0666 a3=0x7fffe8912740 items=2 ppid=1 pid=3071 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=cupsd exe=/usr/sbin/cupsd subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/22/2015 08:49:32.117:144) : avc:  denied  { create } for  pid=3071 comm=cupsd name=printcap scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file 
----

Unfortunately, the file gets an incorrect context in permissive mode:

# ls -Z /etc/printcap
-rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/printcap
# restorecon -v /etc/printcap
restorecon reset /etc/printcap context system_u:object_r:etc_t:s0->system_u:object_r:cupsd_rw_etc_t:s0
#

Comment 2 Milos Malik 2015-09-23 07:05:56 UTC
# rpm -qf /etc/printcap 
setup-2.8.71-6.el7.noarch
# rpm -qa --scripts | grep printcap
#

Comment 4 Miroslav Grepl 2015-12-18 11:02:56 UTC
Ok we could fix it using a new filename transition rule.
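
The two findings above, the mislabelled file in permissive mode (comment 1) and the filename transition proposed as the fix (comment 4), are worked through in the following script. It is an added example, not code from the bug report or from the selinux-policy package: it parses the AVC record quoted in the description, shows the `allow cupsd_t etc_t:file create;` rule that audit2allow-style reasoning would produce (which is exactly what lets the file be born as etc_t), and instead emits a named `type_transition` so cupsd creates /etc/printcap as cupsd_rw_etc_t, the type restorecon reports as the expected label. The raw policy-language statements (`allow ...;` and `type_transition <src> <dir_type>:file <new_type> "<name>";`) are real SELinux syntax; the function names, the module name `cupsd_printcap_local` and the module template are this example's own choices, and the sample AVC line is the one from this bug, embedded for offline use.

```python
"""Turn the AVC from this bug into the policy fix comment 4 describes.

Added example, not part of the bug report or of selinux-policy.  The only
SELinux-specific facts it relies on are the raw policy-language forms
    allow <src> <tgt>:<class> { perms };
    type_transition <src> <dir_type>:<class> <new_type> "<filename>";
the second being a named file transition.  Everything else (function and
module names, the module template) is this example's own choice.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the enforcing-mode AVC record quoted in the bug
# description, as printed by `ausearch -i`.
SAMPLE_AVC = (
    "type=AVC msg=audit(09/22/2015 08:43:49.751:128) : avc:  denied  { create } "
    "for  pid=2662 comm=cupsd name=printcap "
    "scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:etc_t:s0 tclass=file"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Denial:
    perms: List[str]
    source_type: str      # type field of scontext, e.g. cupsd_t
    target_type: str      # type field of tcontext; for a create, the parent dir's type
    tclass: str
    name: Optional[str]   # object name, present on creation denials


def _ctx_type(ctx: str) -> str:
    """Third field of user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avc(line: str) -> Denial:
    """Extract the fields that matter for writing a rule."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial: %r" % line)
    fields = dict(KV_RE.findall(m.group("fields")))
    return Denial(
        perms=m.group("perms").split(),
        source_type=_ctx_type(fields["scontext"]),
        target_type=_ctx_type(fields["tcontext"]),
        tclass=fields["tclass"],
        name=fields.get("name"),
    )


def naive_rule(d: Denial) -> str:
    """What audit2allow would emit.  It silences the denial, but the file
    created under it inherits the directory's type (etc_t), which is the
    wrong label comment 1 shows in permissive mode."""
    return "allow %s %s:%s { %s };" % (
        d.source_type, d.target_type, d.tclass, " ".join(d.perms))


def filetrans_rules(d: Denial, new_type: str) -> List[str]:
    """Named file transition so the object is created as new_type, plus the
    create permission on new_type (not on the parent's type), which is what
    the kernel checks once the transition applies."""
    if "create" not in d.perms or d.name is None:
        raise ValueError("not a creation denial with a filename")
    return [
        'type_transition %s %s:%s %s "%s";' % (
            d.source_type, d.target_type, d.tclass, new_type, d.name),
        "allow %s %s:%s { %s };" % (
            d.source_type, new_type, d.tclass, " ".join(d.perms)),
    ]


def build_module(name: str, d: Denial, new_type: str) -> str:
    """Loadable module source in the raw form `checkmodule -M -m` accepts."""
    lines = [
        "module %s 1.0;" % name,
        "",
        "require {",
        "    type %s;" % d.source_type,
        "    type %s;" % d.target_type,
        "    type %s;" % new_type,
        "    class %s { %s };" % (d.tclass, " ".join(d.perms)),
        "}",
        "",
    ]
    lines += filetrans_rules(d, new_type)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    print("# audit2allow-style rule (would label the file etc_t):")
    print(naive_rule(denial))
    print()
    print(build_module("cupsd_printcap_local", denial, "cupsd_rw_etc_t"))
```

To try the generated module on a RHEL 7 box that still has the old policy, save the output as cupsd_printcap_local.te and run `checkmodule -M -m -o cupsd_printcap_local.mod cupsd_printcap_local.te`, `semodule_package -o cupsd_printcap_local.pp -m cupsd_printcap_local.mod` and `semodule -i cupsd_printcap_local.pp`, then repeat the reporter's steps; `ls -Z /etc/printcap` should show cupsd_rw_etc_t with no restorecon needed. Note that the only denial in the audit record is on the file class, so the directory-side permissions on etc_t (search, add_name) were already granted and only the transition and the file-side permission on the new type are needed; the allow on cupsd_rw_etc_t is very likely already in the base policy, and repeating it in a local module is harmless. The packaged fix in selinux-policy-3.13.1-66.el7 lives in the base policy, so this local module is only a way to confirm the approach, not a substitute for the erratum.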

Comment 5 Mike McCune 2016-03-28 22:59:28 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 9 errata-xmlrpc 2016-11-04 02:22:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html