Bug 1265132

Summary: SELinux prevents cupsd from creating /etc/printcap
Product: Red Hat Enterprise Linux 6
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 6.8
CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, psklenar, pvrabec, ssekidde
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Clone Of: 1265102
Last Closed: 2015-10-05 06:51:29 UTC
Type: Bug

Description Milos Malik 2015-09-22 08:06:19 UTC
Description of problem:

Version-Release number of selected component (if applicable):
cups-1.4.2-72.el6.x86_64
cups-libs-1.4.2-72.el6.x86_64
cups-lpd-1.4.2-72.el6.x86_64
selinux-policy-3.7.19-279.el6_7.6.noarch
selinux-policy-doc-3.7.19-279.el6_7.6.noarch
selinux-policy-minimum-3.7.19-279.el6_7.6.noarch
selinux-policy-mls-3.7.19-279.el6_7.6.noarch
selinux-policy-targeted-3.7.19-279.el6_7.6.noarch

How reproducible:
always

Steps to Reproduce:
# rm -f /etc/printcap 
# service cups start
Starting cups:                                             [  OK  ]
# service cups status
cupsd (pid  5059) is running...
# ls -Z /etc/printcap
ls: cannot access /etc/printcap: No such file or directory
# 

Actual results (enforcing mode):
----
type=PATH msg=audit(09/22/2015 09:58:52.159:137) : item=1 name=/etc/printcap nametype=CREATE 
type=PATH msg=audit(09/22/2015 09:58:52.159:137) : item=0 name=/etc/ inode=131075 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT 
type=CWD msg=audit(09/22/2015 09:58:52.159:137) :  cwd=/ 
type=SYSCALL msg=audit(09/22/2015 09:58:52.159:137) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fb94c482b04 a1=O_WRONLY|O_CREAT|O_EXCL a2=0666 a3=0x7ffd41bccb70 items=2 ppid=5058 pid=5059 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=cupsd exe=/usr/sbin/cupsd subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/22/2015 09:58:52.159:137) : avc:  denied  { write } for  pid=5059 comm=cupsd name=etc dev=vda3 ino=131075 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
----

Actual results (permissive mode):
----
type=PATH msg=audit(09/22/2015 10:03:32.138:214) : item=1 name=/etc/printcap inode=131110 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE 
type=PATH msg=audit(09/22/2015 10:03:32.138:214) : item=0 name=/etc/ inode=131075 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT 
type=CWD msg=audit(09/22/2015 10:03:32.138:214) :  cwd=/ 
type=SYSCALL msg=audit(09/22/2015 10:03:32.138:214) : arch=x86_64 syscall=open success=yes exit=7 a0=0x7f2252fd3b04 a1=O_WRONLY|O_CREAT|O_EXCL a2=0666 a3=0x7ffe3fee11f0 items=2 ppid=5322 pid=5323 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=cupsd exe=/usr/sbin/cupsd subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { create } for  pid=5323 comm=cupsd name=printcap scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file 
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { add_name } for  pid=5323 comm=cupsd name=printcap scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { write } for  pid=5323 comm=cupsd name=etc dev=vda3 ino=131075 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
----

Unfortunately, the file gets an incorrect context in permissive mode:

# ls -Z /etc/printcap 
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/printcap
# restorecon -Rv /etc/printcap 
restorecon reset /etc/printcap context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:cupsd_rw_etc_t:s0
#

Comment 1 Miroslav Grepl 2015-09-22 15:20:39 UTC
Ok so we need to find out where the dir is created and run restorecon on it.

rpm -qf /etc/printcap 

rpm -qa --scripts |grep printcap

Comment 2 Milos Malik 2015-09-23 07:05:03 UTC
# rpm -qf /etc/printcap 
setup-2.8.14-20.el6_4.1.noarch
# rpm -qa --scripts | grep printcap
#

Comment 4 Miroslav Grepl 2015-10-05 06:36:01 UTC
So this bug is about removing a dir which is owned by rpm. Not sure if it is a correct test scenario. We don't have filetrans rules for dir.

filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, dir)

does it work with this rule?

Comment 5 Milos Malik 2015-10-05 06:43:56 UTC
/etc/printcap is a regular file.

# rpm -qf /etc/printcap 
setup-2.8.71-6.el7.noarch
# cat /etc/printcap 
# This file was automatically generated by cupsd(8) from the
# /etc/cups/printers.conf file.  All changes to this file
# will be lost.

Comment 6 Miroslav Grepl 2015-10-05 06:51:29 UTC
Ok. The problem is we are not able to get it working correctly in 6.8 without filenametrans rules. And if it is owned by the setup package I believe we can close this bug.
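
Added here as a worked example; it is not part of the bug report or of the selinux-policy package. It parses the AVC records from the Description above (copied in as a constructed sample) and makes two points a practitioner reading this bug wants to see in code: first, the enforcing-mode run logs only `write` on the etc_t directory because the kernel fails open(2) at the first denied check, while the permissive-mode run reveals the full set (`add_name` on the directory, `create` on the file), which is why permissive-mode output is the one to reason from; second, the naive audit2allow-style `allow` rules derived from those denials would let cupsd_t create arbitrary etc_t files under /etc, whereas the restorecon output shows the intended label is cupsd_rw_etc_t, i.e. the fix is a labeling / file transition, not a blanket allow. Only the Python standard library is used; the regexes and helper names are this example's own.

```python
"""Summarise SELinux AVC denials (ausearch -i style records) and show why the
permissive-mode log is the one to read when fixing a labeling problem.

Added example for this bug report; not code from the report or from
selinux-policy. Sample lines are the AVC records copied from the report."""
import re
from collections import defaultdict

# Constructed sample input: the AVC records from the report's enforcing-mode and
# permissive-mode runs (the PATH/CWD/SYSCALL records are not needed here).
ENFORCING_AVC = [
    "type=AVC msg=audit(09/22/2015 09:58:52.159:137) : avc:  denied  { write } "
    "for  pid=5059 comm=cupsd name=etc dev=vda3 ino=131075 "
    "scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:etc_t:s0 tclass=dir",
]
PERMISSIVE_AVC = [
    "type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { create } "
    "for  pid=5323 comm=cupsd name=printcap "
    "scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 "
    "tcontext=unconfined_u:object_r:etc_t:s0 tclass=file",
    "type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { add_name } "
    "for  pid=5323 comm=cupsd name=printcap "
    "scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:etc_t:s0 tclass=dir",
    "type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { write } "
    "for  pid=5323 comm=cupsd name=etc dev=vda3 ino=131075 "
    "scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:etc_t:s0 tclass=dir",
]

# Regexes are this example's own, written against the record format above.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the key=value fields plus a 'perms' set for one AVC denial,
    or None when the line is some other audit record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = set(m.group("perms").split())
    return rec


def context_type(ctx):
    """user:role:type:range -> type, the component policy rules are written against."""
    return ctx.split(":")[2]


def summarise(lines):
    """Aggregate denied permissions per (source type, target type, object class)."""
    agg = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        agg[key] |= rec["perms"]
    return dict(agg)


def hidden_by_enforcing(enforcing_lines, permissive_lines):
    """Permissions the permissive run revealed that the enforcing run never logged.

    In enforcing mode the kernel fails the syscall at the first denied check
    (write on the etc_t directory), so the later checks (add_name on the
    directory, create on the new file) are never reached or logged."""
    enf = summarise(enforcing_lines)
    perm = summarise(permissive_lines)
    return {k: v - enf.get(k, set()) for k, v in perm.items() if v - enf.get(k, set())}


def to_allow_rules(summary):
    """Render the summary as audit2allow-style allow rules, sorted.

    Deliberately the naive output: allowing cupsd_t to create etc_t files would
    let cupsd write any new file under /etc. The report expects /etc/printcap
    to end up labeled cupsd_rw_etc_t (see the restorecon output), so the right
    fix is a label / file transition, not these rules."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for name, lines in (("enforcing", ENFORCING_AVC), ("permissive", PERMISSIVE_AVC)):
        print(name, summarise(lines))
    print("hidden by enforcing mode:", hidden_by_enforcing(ENFORCING_AVC, PERMISSIVE_AVC))
    print("\n".join(to_allow_rules(summarise(PERMISSIVE_AVC))))
```

Run it as a script to see the two summaries side by side; to apply it to a real host, feed it the output of `ausearch -m AVC -i` instead of the embedded sample. The `to_allow_rules` output is shown only so the over-broad alternative is visible next to the labeling fix the report actually points at.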