Bug 220080
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | lpq is not honoring MLS restrictions | | |
| Product | Red Hat Enterprise Linux 5 | Reporter | Matt Anderson <mra> |
| Component | selinux-policy | Assignee | Daniel Walsh <dwalsh> |
| Status | CLOSED CURRENTRELEASE | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 5.0 | CC | dwalsh, efleury, iboverma, krisw, linda.knippers, sgrubb |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | RC | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2007-02-08 01:52:42 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description

Matt Anderson, 2006-12-18 19:48:49 UTC

Created attachment 143937: Proposed fix

This appears to be a side effect of adding the job->scon check to the if statement in question.
- if (selinuxcheck && (strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) !=
0))
+ if ((selinuxcheck == 1) && (strncmp(job->scon, UNKNOWN_SL,
strlen(UNKNOWN_SL)) != 0))
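Review bot: the only difference between the removed and added lines is `selinuxcheck` versus `selinuxcheck == 1`, which changes behaviour only if `selinuxcheck` can hold a value other than 0 or 1; the `strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL))` test that the description says was added is identical on both sides, so this hunk does not touch the check it names. If `selinuxcheck` is a 0/1 flag the hunk is a no-op; either document which other values it can take or drop the change. Separately, comparing only `strlen(UNKNOWN_SL)` bytes means any `job->scon` that merely starts with `UNKNOWN_SL` is treated as unknown, which is worth a comment if intended.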
We don't understand what this patch provides. The above 1 line change has no effect on the program.

Sorry about that bogus patch, there was some confusion in various test environments which seemed to make a previously solved problem reappear. In the version of cups provided with RHEL5rcs3 cups-1.2.4-11.4.el5 there is not a problem with lpq, or cups. There is an selinux-policy issue that needs to be addressed still:

`allow sysadm_lpr_t print_spool_t:file read;`

Which will allow the sysadm role the ability to see others' jobs and therefore manage the queue.

My reading of current policy would allow this.

`allow sysadm_lpr_t print_spool_t:file read;`

Which version of policy and could you attach the AVCs.

I'm looking at the system where mra was doing his testing. He was running selinux-policy-mls-2.4.6-12.el5. He had a little policy module with the above in it and the functionality was working but when I unloaded the module and tried an lpq from sysadm_r, I get this in the /var/log/cups/errors_log file. Cups logs its own AVCs so they don't end up in the audit log.

`cups: denied { read } for scontext=staff_u:sysadm_r:sysadm_lpr_t:s0-s15:c0.c1023 tcontext=system_u:object_r:print_spool_t:s15:c0.c1023 tclass=file`

As a staff_u/staff_r user I can see more jobs than I can as sysadm_r after a newrole.

Cups is not allowed to do this. It must log to the audit system.

Fixed in selinux-policy-2.4.6-16

A package has been built which should help the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you.
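To show how the CUPS-logged denial in the thread maps onto the policy rule that closed the bug, here is an added example (not code from CUPS, selinux-policy or any commenter): it parses the quoted denial line, checks the MLS dominance of the subject's clearance over the object's level, and derives the type-enforcement rule, the way audit2allow would. The regex layout and the level grammar `s<N>[:c<A>.c<B>,...]` are my assumptions about the log format; the denial line itself is the one from the bug.

```python
import re

# Denial line as quoted in the bug thread (copied, not constructed).
CUPS_DENIAL = ("cups: denied { read } for "
               "scontext=staff_u:sysadm_r:sysadm_lpr_t:s0-s15:c0.c1023 "
               "tcontext=system_u:object_r:print_spool_t:s15:c0.c1023 tclass=file")

# Assumed layout: 'denied { perms } ... scontext=... tcontext=... tclass=...'
DENIAL_RE = re.compile(
    r"denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def parse_denial(line):
    """Split a denial into permissions, types, MLS fields and object class."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    _, _, stype, smls = m.group("scon").split(":", 3)  # user:role:type:mls
    _, _, ttype, tmls = m.group("tcon").split(":", 3)
    return {"perms": m.group("perms").split(), "stype": stype, "smls": smls,
            "ttype": ttype, "tmls": tmls, "tclass": m.group("tclass")}

def parse_level(level):
    """'s15:c0.c1023' -> (15, frozenset({0..1023})); 's0' -> (0, frozenset())."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in cats.split(",") if cats else []:
        lo, _, hi = part.partition(".")            # 'c0.c1023' is a range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(out)

def dominates(a, b):
    """MLS dominance: a's sensitivity >= b's and a's categories are a superset."""
    return a[0] >= b[0] and a[1] >= b[1]

def clearance_dominates(srange, tlevel):
    """Necessary, not sufficient, condition for an MLS read: the high end of
    the subject's 'low-high' range must dominate the object's level.  False
    means MLS alone rules the read out; True means the TE rules decide."""
    low, _, high = srange.partition("-")
    return dominates(parse_level(high or low), parse_level(tlevel))

def allow_rule(d):
    """Type-enforcement rule that would grant the denied access."""
    p = d["perms"]
    perms = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
    return "allow %s %s:%s %s;" % (d["stype"], d["ttype"], d["tclass"], perms)

def diagnose(line):
    """Return (clearance dominates object level, allow rule) for one denial."""
    d = parse_denial(line)
    return clearance_dominates(d["smls"], d["tmls"]), allow_rule(d)
```

For the quoted denial the clearance s15:c0.c1023 dominates the spool file's level, so MLS is not what blocks the read and the derived rule is exactly the `allow sysadm_lpr_t print_spool_t:file read;` discussed in the thread.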