Bug 227889

Summary: [LSPP] CUPS is printing with Audit daemon stopped
Product: Red Hat Enterprise Linux 5
Reporter: Eduardo M. Fleury <efleury>
Component: cups
Assignee: Tim Waugh <twaugh>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: high
Priority: medium
Version: 5.0
CC: iboverma, klaus, linda.knippers, mra, sgrubb
Hardware: All   
OS: Linux   
Last Closed: 2007-02-13 21:30:05 UTC

Description Eduardo M. Fleury 2007-02-08 19:48:20 UTC
Description of problem:
In a certification environment CUPS is expected to print only if the log
subsystem (Audit) is running. This is not happening as of RHEL5 RC 2006-01-26,
installed with LSPP KS v18-1

Version-Release number of selected component (if applicable):
cups-1.2.4-11.5.el5
cups-libs-1.2.4-11.5.el5

How reproducible:
Very

Steps to Reproduce:
1) Make sure you have a USB printer configured and printing properly; if you don't:
lpadmin -p MyPrinter -E -v usb:/dev/usb/lp0 -m postscript.ppd.gz
lpadmin -d MyPrinter

2) Shut down Audit
run_init /etc/init.d/auditd stop

3) Print something
lpr MyPage.ps

Actual results:
Page is printed and log messages are not kept.

Expected results:
CUPS should detect Audit status and refuse to print.

Additional info:
This is required for the LSPP certification.

Comment 2 RHEL Program Management 2007-02-09 11:40:33 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for
inclusion.

Comment 3 Linda Knippers 2007-02-09 15:37:47 UTC
Cups can be configured to not start if it can't open the audit netlink
socket.  Check out /etc/libaudit.conf.  Cups will do whatever action 
is specified there (default is ignore) if the open fails.  However,
it doesn't check that if issuing a specific audit record fails.

We had this discussion a long time ago in the lspp conference calls.
Many trusted programs only issue an audit record after the completion
of an operation so that they can include the results (fail/succeed).
useradd is an example.  If it can't issue an audit record, you get
a syslog record but the operation still completed.

While auditing data exporting is a new requirement for LSPP, the
general behavior of audit and trusted programs isn't new.  If all
trusted programs have to fail to execute if the results can't be
audited then we've got more than just cups to deal with and we'll
have to figure out how to undo operations (if that's possible) that
we couldn't audit.
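
A check for the setting Comment 3 points to, as an added example that is not part of this bug report or of the CUPS or libaudit code: it reads a libaudit.conf-style file and reports whether a failed audit socket open would stop the program. The function names are hypothetical, and the `keyword = value` format with `#` comments and the values ignore, log and terminate are assumed from libaudit.conf(5).

```shell
#!/bin/sh
# Report the effective libaudit failure_action for a config file.
# Assumptions: "keyword = value" lines and '#' comments, as in libaudit.conf(5);
# a missing file or keyword means the default "ignore" (the default named in
# Comment 3); if the keyword repeats, the last assignment is taken.

effective_failure_action() {
    conf="${1:-/etc/libaudit.conf}"
    action="ignore"
    if [ -r "$conf" ]; then
        # Drop comments, match the keyword case-insensitively, trim the value.
        found=$(sed -e 's/#.*$//' "$conf" |
            awk -F= 'tolower($1) ~ /^[ \t]*failure_action[ \t]*$/ {
                         v = tolower($2); gsub(/[ \t\r]/, "", v); last = v
                     }
                     END { if (last != "") print last }')
        if [ -n "$found" ]; then
            action="$found"
        fi
    fi
    printf '%s\n' "$action"
}

# Exit status 0 only when a failed audit socket open makes the program exit.
# "ignore" and "log" both let the operation go ahead without an audit trail.
audit_open_fails_closed() {
    case "$(effective_failure_action "$1")" in
        terminate) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample config (not taken from a real system).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'failure_action = ignore' > "$sample"
if audit_open_fails_closed "$sample"; then
    echo "fail-closed: programs exit when the audit socket cannot be opened"
else
    echo "fail-open: failure_action is '$(effective_failure_action "$sample")'"
fi
rm -f "$sample"
```

As Comment 3 notes, this setting only governs the socket open in cups; a later failure to issue an individual audit record is not covered by it.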


Comment 5 Klaus Kiwi (Old account no longer used) 2007-02-13 17:24:42 UTC
Linda/Matt/Steve,
 will this get marked as NOTABUG? Matt, is this related to the changes you'll
submit to cups?

Comment 6 Matt Anderson 2007-02-13 18:04:16 UTC
Yes I think it should be marked as NOTABUG.

I don't have a patch for this and haven't been convinced that we need one.