Bug 428011

Summary: new AVC messages with test update
Product: [Fedora] Fedora Reporter: Tim Waugh <twaugh>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 8   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-03-05 22:17:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 235704    
Attachments:
Description Flags
policy-dnssd.patch none

Description Tim Waugh 2008-01-08 17:43:46 UTC 
Description of problem:
New AVC messages when adding a new printer using cups-1.3.5-1.fc8.

Version-Release number of selected component (if applicable):
cups-1.3.5-1.fc8

How reproducible:
100%

Steps to Reproduce:
1.lpinfo -v
  
Actual results:
type=AVC msg=audit(1199814046.192:237): avc:  denied  { getattr } for  pid=26313
comm="sh" path="/usr/bin/lpstat.cups" dev=md1 ino=4405587
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.192:238): avc:  denied  { getattr } for  pid=26313
comm="sh" path="/usr/bin/lpstat.cups" dev=md1 ino=4405587
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:239): avc:  denied  { execute } for  pid=26314
comm="sh" name="ifconfig" dev=md1 ino=7365762
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:240): avc:  denied  { getattr } for  pid=26314
comm="sh" path="/sbin/ifconfig" dev=md1 ino=7365762
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:241): avc:  denied  { getattr } for  pid=26314
comm="sh" path="/sbin/ifconfig" dev=md1 ino=7365762
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

Expected results:
No AVC messages.

Additional info:
Comes from the dnssd backend.
Comment 1 Tim Waugh 2008-01-09 13:25:04 UTC 
Created attachment 291140 [details]
policy-dnssd.patch

This selinux-policy patch fixes it.  Dan, I'm a little hesitant about this
patch because it allows cupsd_t to execute /sbin/ifconfig.  I only want CUPS
backends to be able to determine the IP addresses of the local interfaces, and
do not want to permit any changes.

Currently there is a backend (dnssd) which is a perl script that contains:

my @localips = ();
if (open IFCONFIG, "LC_ALL=C /sbin/ifconfig |") {
    while (my $line = <IFCONFIG>) {
	chomp $line;
	if ($line =~ /^\s*inet\s+addr:\s*(\S+)/i) {
	    push (@localips, $1);
	}
    }
    close IFCONFIG;
}

Is there a way to let this script find out the local IP addresses without being
able to make any changes to the interfaces?
Comment 2 Tim Waugh 2008-01-09 13:26:02 UTC 
Oops, forgot to change component first.  Dan, please see above comment.
Comment 3 Daniel Walsh 2008-01-10 21:13:01 UTC 
This would not allow it to change ther interface.

Is this needed for RHEL5?
Comment 4 Daniel Walsh 2008-01-10 21:22:40 UTC 
Fixed in selinux-policy-3.0.8-75
Comment 5 Tim Waugh 2008-01-11 12:19:56 UTC 
No, it is not needed for RHEL-5, at least not presently.  The 'dnssd' backend is
not shipped there.

Thanks.
Comment 6 Daniel Walsh 2008-03-05 22:17:17 UTC 
Bugs have been in modified for over one month.  Closing as fixed in current
release please reopen if the problem still persists.