Bug 182956

Summary: CUPS daemon wants to create and use UNIX socket
Product: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: medium
Priority: medium
Reporter: Tim Waugh <twaugh>
Assignee: Daniel Walsh <dwalsh>
Doc Type: Bug Fix
Last Closed: 2006-03-09 05:00:31 UTC
Bug Blocks: 150222

Description Tim Waugh 2006-02-24 18:25:15 UTC
Description of problem:
CUPS 1.2.x (which I'd like to be able to ship as an update to FC5) would like to
be able to create a UNIX socket /var/run/cups/cups.sock, and to use it.  CUPS
utilities such as 'lp' will connect to it and read and write, and the CUPS
daemon 'cupsd' will listen, accept, read and write.

It falls back to the current method (localhost port 631) if that fails.

Version-Release number of selected component (if applicable):
1.2 (not shipped yet)

How reproducible:
100%

Steps to Reproduce:
1. Start CUPS.
  
Actual results:
E [24/Feb/2006:18:14:03 +0000] Unable to bind socket for address
/var/run/cups/cups.sock:0 - Permission denied.

Additional info:
With permissive mode, I get this:

type=AVC msg=audit(1140804910.089:334): avc:  denied  { setattr } for  pid=6456
comm="cupsd" name="certs" dev=hda2 ino=9076922
scontext=root:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1140804910.089:334): arch=40000003 syscall=212
success=yes exit=0 a0=bfa0f828 a1=4 a2=7 a3=4 items=1 pid=6456 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=CWD msg=audit(1140804910.089:334):  cwd="/"
type=PATH msg=audit(1140804910.089:334): item=0 name="/var/run/cups/certs"
flags=1  inode=9076922 dev=03:02 mode=040711 ouid=0 ogid=3 rdev=00:00
type=AVC msg=audit(1140804910.105:335): avc:  denied  { create } for  pid=6456
comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255
tcontext=root:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1140804910.105:335): arch=40000003 syscall=102
success=yes exit=0 a0=2 a1=bfa10450 a2=93a56c a3=bfa10484 items=1 pid=6456
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd"
exe="/usr/sbin/cupsd"
type=SOCKADDR msg=audit(1140804910.105:335):
saddr=01002F7661722F72756E2F637570732F637570732E736F636B00
type=SOCKETCALL msg=audit(1140804910.105:335): nargs=3 a0=3 a1=9df435c a2=1a
type=PATH msg=audit(1140804910.105:335): item=0 flags=10  inode=9076921
dev=03:02 mode=040755 ouid=0 ogid=99 rdev=00:00
type=AVC msg=audit(1140804910.105:336): avc:  denied  { listen } for  pid=6456
comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255
tcontext=root:system_r:cupsd_t:s0-s0:c0.c255 tclass=unix_stream_socket
type=SYSCALL msg=audit(1140804910.105:336): arch=40000003 syscall=102
success=yes exit=0 a0=4 a1=bfa10450 a2=93a56c a3=0 items=0 pid=6456 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=AVC_PATH msg=audit(1140804910.105:336):  path="/var/run/cups/cups.sock"
type=SOCKETCALL msg=audit(1140804910.105:336): nargs=2 a0=3 a1=80
type=AVC msg=audit(1140804910.109:337): avc:  denied  { setattr } for  pid=6456
comm="cupsd" name="cups.sock" dev=hda2 ino=9076764
scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:var_run_t:s0
tclass=sock_file
type=SYSCALL msg=audit(1140804910.109:337): arch=40000003 syscall=15 success=yes
exit=0 a0=bfa10488 a1=c1ff a2=93a56c a3=0 items=1 pid=6456 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=CWD msg=audit(1140804910.109:337):  cwd="/"
type=PATH msg=audit(1140804910.109:337): item=0 name="/var/run/cups/cups.sock"
flags=1  inode=9076764 dev=03:02 mode=0140777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1140804911.133:338): avc:  denied  { read } for  pid=6456
comm="cupsd" name="net" dev=proc ino=-268435433
scontext=root:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1140804911.133:338): arch=40000003 syscall=33 success=yes
exit=0 a0=3b22f3 a1=4 a2=3bfff4 a3=2 items=1 pid=6456 auid=0 uid=0 gid=0 euid=0
suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=CWD msg=audit(1140804911.133:338):  cwd="/"
type=PATH msg=audit(1140804911.133:338): item=0 name="/proc/net" flags=401 
inode=4026531863 dev=00:03 mode=040555 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1140804911.133:339): avc:  denied  { read } for  pid=6456
comm="cupsd" name="unix" dev=proc ino=-268434958
scontext=root:system_r:cupsd_t:s0-s0:c0.c255
tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1140804911.133:339): arch=40000003 syscall=33 success=yes
exit=0 a0=bfa0bd13 a1=4 a2=3bfff4 a3=3aed00 items=1 pid=6456 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=CWD msg=audit(1140804911.133:339):  cwd="/"
type=PATH msg=audit(1140804911.133:339): item=0 name="/proc/net/unix" flags=401
 inode=4026532338 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1140805722.274:340): avc:  denied  { accept } for  pid=6456
comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255
tcontext=root:system_r:cupsd_t:s0-s0:c0.c255 tclass=unix_stream_socket
type=SYSCALL msg=audit(1140805722.274:340): arch=40000003 syscall=102
success=yes exit=7 a0=5 a1=bfa10480 a2=93a56c a3=9df4358 items=0 pid=6456 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd"
exe="/usr/sbin/cupsd"
type=AVC_PATH msg=audit(1140805722.274:340):  path="/var/run/cups/cups.sock"
type=SOCKETCALL msg=audit(1140805722.274:340): nargs=3 a0=3 a1=9e22cc0 a2=bfa104b0

audit2allow says:

allow cupsd_t self:unix_stream_socket accept;
allow cupsd_t proc_net_t:dir read;
allow cupsd_t proc_net_t:file read;
allow cupsd_t var_run_t:dir setattr;
allow cupsd_t var_run_t:sock_file setattr;

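As an added example (not part of the bug report or of audit2allow), here is a small Python parser that turns AVC denial records like those above into audit2allow-style allow rules: it keys on the type field of scontext/tcontext, collapses same-type targets to `self`, and merges permissions per object class. The constructed sample is five records from this report reflowed to one line each, as auditd writes them; unlike the audit2allow output quoted above, the parser reports every denied permission in its input, so create and listen appear too.

```python
import re
from collections import defaultdict

# Constructed sample: five records from the report above, reflowed to one line
# each (auditd emits one record per line), plus a SYSCALL record to be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1140804910.105:335): avc:  denied  { create } for  pid=6456 comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1140804910.105:335): arch=40000003 syscall=102 success=yes exit=0
type=AVC msg=audit(1140804910.105:336): avc:  denied  { listen } for  pid=6456 comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:system_r:cupsd_t:s0-s0:c0.c255 tclass=unix_stream_socket
type=AVC msg=audit(1140804910.109:337): avc:  denied  { setattr } for  pid=6456 comm="cupsd" name="cups.sock" dev=hda2 ino=9076764 scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1140804911.133:338): avc:  denied  { read } for  pid=6456 comm="cupsd" name="net" dev=proc ino=-268435433 scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1140805722.274:340): avc:  denied  { accept } for  pid=6456 comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:system_r:cupsd_t:s0-s0:c0.c255 tclass=unix_stream_socket
"""

# Matches only "type=AVC ... denied" records; the permission list sits in braces.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """user:role:type[:mls-range] -> type (the field allow rules are written on)."""
    return ctx.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perm) for every AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH, SOCKADDR etc. carry no access decision
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm

def allow_rules(text):
    """Merge denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(text):
        perms[(src, tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), ps in sorted(perms.items()):
        target = "self" if tgt == src else tgt  # socket owned by the same domain
        plist = " ".join(sorted(ps))
        if len(ps) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {target}:{tclass} {plist};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
```

Review the generated rules before loading them as a module: a denial only shows what the process tried, not whether the policy should grant it.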
Comment 1 Daniel Walsh 2006-02-24 18:48:11 UTC
I updated selinux-policy-2.2.21-7 to handle this.
Although not tested.

Comment 2 Tim Waugh 2006-02-27 16:53:26 UTC
Thanks.  Now it needs:

allow cupsd_t cupsd_var_run_t:sock_file { create setattr unlink };
allow cupsd_t proc_net_t:dir read;
allow cupsd_t proc_net_t:file read;

(I've tested with this change and it works.)

Comment 3 Daniel Walsh 2006-02-27 22:57:45 UTC
Added in 2.2.22-1

Comment 4 Tim Waugh 2006-03-04 10:31:48 UTC
Great.  The daemon now starts up fine, just like I tested.

Now I've tried to use the web interface, and found some more things it needs
(sorry).  I think this is the last of them now: connectto on the stream socket,
and read and write on the sock_file.

allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t cupsd_var_run_t:sock_file { create setattr unlink read write };

Comment 5 Daniel Walsh 2006-03-04 15:48:15 UTC
Added in 2.2.23-2