Bug 229673

Summary: [LSPP] cups is overriding mls when querying jobs with lpq -al
Product: Red Hat Enterprise Linux 5 Reporter: Klaus Kiwi (Old account no longer used) <klaus>
Component: cupsAssignee: Tim Waugh <twaugh>
Status: CLOSED ERRATA QA Contact: David Lawrence <dkl>
Severity: urgent Docs Contact:
Priority: medium    
Version: 5.0CC: iboverma, linda.knippers, mra, sgrubb
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHSA-2007-1020 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-31 13:48:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 224041, 234654    
Attachments:
Description Flags
Proposed patch to fix access check none

Description Klaus Kiwi (Old account no longer used) 2007-02-22 17:56:54 UTC 
Description of problem:
lpq -al <job-id> can be used to check file names/job information from jobs
scheduled by a user in a higher mls level (read-up)

Version-Release number of selected component (if applicable):
-bash-3.1$ rpm -qa | grep cups
cups-libs-1.2.4-11.5.el5
cups-libs-1.2.4-11.5.el5
cups-1.2.4-11.5.el5


How reproducible:
always

Steps to Reproduce:
Have a system with a printer installed

 # Log in as user in s5-s5 level: 
ssh user//s5-s5@host
 # Print some file
lpr -P <printer-instance> <filename>
 # Check job id with
lpstat -W all <printer-instance>
 # Log out
exit
 # Log in as user in s0-s0 level:
ssh user//s0-s0@host
 # check lpq specifying job id:
lpq -al <job-id>

 # You can also check all jobs with something similar to:
for ((i=0; i<100; i++)); do lpq -al $i; done;

  
Actual results:
User in s0-s0 level can check the s5-s5 job name and attributes

Expected results:
User in s0-s0 level can't see s5-s5 jobs



Additional info:
This is required for lspp evaluation
Comment 1 Klaus Kiwi (Old account no longer used) 2007-02-22 19:54:39 UTC 
changing summary to a more precise one
Comment 2 Matt Anderson 2007-02-26 23:49:23 UTC 
Created attachment 148840 [details]
Proposed patch to fix access check

The following patch adds a function check_context() which has the code which
used to be in get_jobs() but is now also called from get_job_attrs() and
validate_user()

The code also distinguishes better in the cups log file if the action was
allowed because the system is in permissive mode which was not clear before.
e.g. 
I [26/Feb/2007:14:53:10 -0500] check_context: allowing operation due to
permissive mode

If a user uses the `lpq -al <job-id>` command to query a file that is outside
their level the system returns "lpq: Job #<job-id> does not exist!" and the
following is left in the cups log:
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes ipp://localhost/jobs/42
D [26/Feb/2007:14:54:22 -0500] check_context: client context
user_u:user_r:user_lpr_t:SystemLow job context
root:sysadm_r:sysadm_lpr_t:s6-SystemHigh
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access based on
the client context
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access to the
spool file
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes client-error-not-found: Job
#42 does not exist!
Comment 6 Klaus Kiwi (Old account no longer used) 2007-03-24 00:14:51 UTC 
verified fix on cups-1.2.4-11.6.el5

You may close the bug - Thank you
Comment 11 errata-xmlrpc 2007-10-31 13:48:45 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-1020.html