Bug 205934

Summary: "SELinux" avc denied problem w/ "CUPS"
Product: Red Hat Enterprise Linux 5
Reporter: Joachim Frieben <jfrieben>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: 5.0
CC: dwalsh, twaugh
Target Milestone: ---
Target Release: ---
Hardware: noarch
OS: Linux
Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2006-11-28 21:08:19 UTC
Attachments: Current "audit.log" file with "avc: denied" entries

Description Joachim Frieben 2006-09-10 14:55:33 UTC
Description of problem:
During the creation of a new printer an "avc: denied" message is
spawned to "audit.log". When I first tried, the "SELinux Alert"
applet popped up but I unintentionally closed it immediately without
taking a screenshot. Upon a 2nd trial, there is another message of
this type in "audit.log", but the applet does not show up anymore.
The 2nd (identical) entry reads:

  type=AVC msg=audit(1157897864.063:325): avc:  denied  { ioctl } for
  pid=24886 comm="serial" name="ttyS0" dev=tmpfs ino=781
  scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
  tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.3-22

How reproducible:
Always

Steps to Reproduce:
1. Create a new printer.
2. Check "audit.log"
  
Actual results:
New "avc: denied" entry in "audit.log".

Expected results:
No "avc: denied" entry in "audit.log".

Additional info:
The full "audit.log" file is attached below. Beware, a couple of
other "avc: denied" entries are lurking there ..

Comment 1 Joachim Frieben 2006-09-10 14:56:36 UTC
Created attachment 135930
Current "audit.log" file with "avc: denied" entries

Comment 2 Daniel Walsh 2006-09-11 14:57:02 UTC
Does cups seem to be working correctly?   Looks like the policy should currently
dontaudit this.  But I am not sure how cupsd handles serial printers.

The other AVC messages seem to involve xdm/XServer leaking some file descriptors,
setroubleshoot is fixed in Rawhide.



Comment 3 Joachim Frieben 2006-09-12 06:39:10 UTC
Printing works for me, probably because "SELinux" is running in "permissive"
mode here. I haven't checked for "enforcing" mode yet. Btw, I do not have any
serial printer attached. It's an "HP LaserJet 4100" network printer which is 
controlled through the "JetDirect" interface.

Comment 4 Tim Waugh 2006-09-12 09:06:55 UTC
For serial printers CUPS runs the 'serial' backend
(/usr/lib/cups/backend/serial).  The general process seems to be:

open(resource, O_RDWR | O_NOCTTY | O_EXCL | O_NDELAY)
tcgetattr(device_fd, &origopts);
tcgetattr(device_fd, &opts);
...
cfsetispeed(&opts, atoi(value));
cfsetospeed(&opts, atoi(value));
tcsetattr(device_fd, TCSANOW, &opts);
fcntl(device_fd, F_SETFL, 0);
if (FD_ISSET(device_fd, &input))
{
  if ((bc_bytes = read(device_fd, bc_buffer, sizeof(bc_buffer))) > 0)
    ...
}
ioctl(device_fd, TIOCMGET, &status); /* until DSR set */
write(device_fd, print_ptr, print_bytes);
tcsetattr(device_fd, TCSADRAIN, &origopts);
close(device_fd);

Full source in cups-1.2.3/backend/serial.c.

Comment 5 Daniel Walsh 2006-09-18 16:22:13 UTC
Fixed in selinux-policy-2.3.14-3

Comment 7 Steve Grubb 2006-10-18 21:56:59 UTC
Adding to beta blocker since meets criteria and is already fixed.

Comment 8 RHEL Program Management 2006-10-18 22:05:12 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.