Bug 436671

Summary: AVCs prevent "printing to CUPS-Pdf"
Product: [Fedora] Fedora
Reporter: Tom London <selinux>
Component: cups-pdf
Assignee: Remi Collet <fedora>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: dwalsh, twaugh
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-03-17 13:34:38 UTC
Attachments:
  Cups_pdf.fc
  Cups interface file
  Cups pdf te file

Description Tom London 2008-03-09 01:37:09 UTC
Description of problem:
Trying to print to pdf from, say, firefox, produces the AVCs below.  Looks like
cups wants


#============= cupsd_t ==============
allow cupsd_t user_home_dir_t:dir { write add_name };
allow cupsd_t user_home_dir_t:file { read write create getattr setattr };


type=AVC msg=audit(1205026368.739:33): avc:  denied  { write } for  pid=4706
comm="gs" name="tbl" dev=dm-0 ino=131077
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1205026368.739:33): avc:  denied  { add_name } for  pid=4706
comm="gs" name="Sustaining_a_trend_--_chicagotribune.pdf"
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1205026368.739:33): avc:  denied  { create } for  pid=4706
comm="gs" name="Sustaining_a_trend_--_chicagotribune.pdf"
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1205026368.739:33): avc:  denied  { read write } for 
pid=4706 comm="gs" name="Sustaining_a_trend_--_chicagotribune.pdf" dev=dm-0
ino=131250 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1205026368.739:33): arch=40000003 syscall=5 success=yes
exit=10 a0=a05f5e0 a1=242 a2=1b6 a3=240 items=0 ppid=4705 pid=4706
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) ses=4294967295 comm="gs" exe="/usr/bin/gs"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205026369.236:34): avc:  denied  { getattr } for  pid=4706
comm="gs" path="/home/tbl/Sustaining_a_trend_--_chicagotribune.pdf" dev=dm-0
ino=131250 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1205026369.236:34): arch=40000003 syscall=197 success=yes
exit=0 a0=a a1=bff59d08 a2=ad8ff4 a3=a16a938 items=0 ppid=4705 pid=4706
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) ses=4294967295 comm="gs" exe="/usr/bin/gs"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205026369.433:35): avc:  denied  { setattr } for  pid=4705
comm="cups-pdf" name="Sustaining_a_trend_--_chicagotribune.pdf" dev=dm-0
ino=131250 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1205026369.433:35): arch=40000003 syscall=15 success=yes
exit=0 a0=9b98308 a1=180 a2=0 a3=9b98308 items=0 ppid=4704 pid=4705
auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500
fsgid=500 tty=(none) ses=4294967295 comm="cups-pdf"
exe="/usr/lib/cups/backend/cups-pdf"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)


Version-Release number of selected component (if applicable):
cups-1.3.6-5.fc9.i386

How reproducible:
every time


Comment 1 Tim Waugh 2008-03-09 12:00:55 UTC
I'm not very happy about giving cupsd_t access to write to home directories. 
Couldn't cups-pdf have its own security context for that sort of thing?

Comment 2 Remi Collet 2008-03-09 16:21:34 UTC
@Tom London: which version of cups-pdf?

@Tim Waugh: you're right. I'm not an SELinux expert but I will look for a better
solution ASAP.



Comment 3 Tom London 2008-03-09 17:03:37 UTC
Running cups-pdf-2.4.6-6.fc9.2.i386;  should be rawhide....

Suppose one "approach" would be to define a directory in ~, say, ~/cups-pdf, and
give that some label, say cups_pdf_t, and give cupsd_t (reasonably) general
access to that type.


Comment 4 Remi Collet 2008-03-09 17:25:32 UTC
The default target directory is "~/Desktop" (user-friendly), but this is
"localized" (~/.config/user-dirs.dirs)...

So I don't find another solution than to apply a global access to the home dir.

I'm still searching...



Comment 5 Daniel Walsh 2008-03-10 14:15:18 UTC
Please explain what cups-pdf is doing?  

Comment 6 Tom London 2008-03-10 14:45:06 UTC
cups-pdf allows you to "print to a pdf file" as an option from the usual "print
menu" from apps.  

I'm guessing it is really just a specialized "printer" that tells cupsd to just
"route" the pdf to a file instead of a printer.

How about something like giving ~/Desktop its own type, say user_desktop_t, and
 giving cupsd access to that?  Could enable/disable with a boolean?

Comment 7 Daniel Walsh 2008-03-10 15:23:22 UTC
cups-pdf looks like it is shipping with its own policy.

/usr/share/doc/cups-pdf-2.4.6/contrib/SELinux-HOWTO/cups_pdf.te

I would prefer not to allow the access they are giving.  It would be better to
only allow cups_pdf access to the homedir, not all of cups.

Comment 8 Remi Collet 2008-03-10 17:35:11 UTC
Cups-pdf is a cups backend which converts the PostScript output to PDF using
ghostscript and moves the result to the desktop folder (path detected at run-time
for localized name).


@Tom London: as I said in #4 ~/Desktop is localized: for me ~/Bureau.
So I cannot apply SELinux context on all possible "desktop" names.

@dwalsh: Yes. As I said in #2 I will work on a better solution. But help on
this will be welcome (I'm not a real SELinux expert).

Remi.


Comment 9 Daniel Walsh 2008-03-10 19:15:57 UTC
Created attachment 297492
Cups_pdf.fc

Comment 10 Daniel Walsh 2008-03-10 19:16:29 UTC
Created attachment 297493
Cups interface file

Comment 11 Daniel Walsh 2008-03-10 19:17:06 UTC
Created attachment 297494
Cups pdf te file

Comment 12 Daniel Walsh 2008-03-10 19:18:57 UTC
I have added a new interface to cups called cups_backend.  Using this interface we
can create new backends which can be confined differently.  I can suck these
files into the mainline policy or you can ship them with your package.  They
seem to work well on my machine.

You will need selinux-policy-3.3.1-13.fc9 to be able to compile these.



Comment 13 Remi Collet 2008-03-13 20:09:38 UTC
@Daniel : Great thanks for this.

I've just tried it (my rawhide was broken until today).
All seems OK for users.

Yes I think it's a good idea to have it shipped with the main policy (I don't
feel capable enough to maintain it in the package).

But of course I'm still OK to work on it.

I give you the final decision, just tell me.

Regards

Comment 14 Daniel Walsh 2008-03-13 21:50:17 UTC
Added in selinux-policy-3.3.1-18.fc9

You should remove the policy files from your documentation.

Comment 15 Remi Collet 2008-03-14 19:05:15 UTC
@Daniel.

Can you add (probably in policy/modules/services/cups.fc)

/var/spool/cups-pdf(/.*)?  gen_context(system_u:object_r:print_spool_t,s0)



Various directories are used for output:
/var/spool/cups-pdf/SPOOL : temporary gs files
/var/spool/cups-pdf/ANONYMOUS : unknown users output (lpr, smb)
/var/spool/cups-pdf/<username> : default "not-user-friendly" cups-pdf output

I apologize, I forgot to mention this after my first tests.

I've just added it to a test build from selinux-policy-3.3.1-19.fc9.
All works well with it.

Thanks.

Comment 16 Daniel Walsh 2008-03-17 13:34:38 UTC
Fixed in selinux-policy-3.3.21.fc9
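
Added example, not part of the original report and not code from cups-pdf, selinux-policy or audit2allow: a Python script that derives the allow rules quoted in the description from the report's AVC records, then lists which commands actually triggered each write-like denial on a home-directory type, which is the concern raised in comments 1 and 7 about granting the access to all of cupsd_t. The function names and the HOME_TYPES and WRITE_PERMS sets are assumptions chosen for this example.

```python
import re
from collections import defaultdict

# Records copied from the bug description, rejoined onto single lines.
SAMPLE = '''\
type=AVC msg=audit(1205026368.739:33): avc:  denied  { write } for  pid=4706 comm="gs" name="tbl" dev=dm-0 ino=131077 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1205026368.739:33): avc:  denied  { add_name } for  pid=4706 comm="gs" name="Sustaining_a_trend_--_chicagotribune.pdf" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1205026368.739:33): avc:  denied  { create } for  pid=4706 comm="gs" name="Sustaining_a_trend_--_chicagotribune.pdf" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1205026368.739:33): avc:  denied  { read write } for  pid=4706 comm="gs" name="Sustaining_a_trend_--_chicagotribune.pdf" dev=dm-0 ino=131250 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1205026369.236:34): avc:  denied  { getattr } for  pid=4706 comm="gs" path="/home/tbl/Sustaining_a_trend_--_chicagotribune.pdf" dev=dm-0 ino=131250 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1205026369.433:35): avc:  denied  { setattr } for  pid=4705 comm="cups-pdf" name="Sustaining_a_trend_--_chicagotribune.pdf" dev=dm-0 ino=131250 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1205026369.433:35): arch=40000003 syscall=15 success=yes exit=0 ppid=4704 pid=4705 uid=500 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
'''
HOME_TYPES = {"user_home_dir_t", "user_home_t"}  # assumption: types reviewed as "home directory"
WRITE_PERMS = {"write", "add_name", "create", "setattr"}  # assumption: write-like permissions
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]+)".*?'
    r'scontext=\w+:\w+:(\w+)\S*\s+tcontext=\w+:\w+:(\w+)\S*\s+tclass=(\w+)')

def derive_rules(log_text):
    """Group denied permissions and triggering commands by (source type, target type, class)."""
    perms, comms = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL and other record types carry no denial
            continue
        denied, comm, src, tgt, cls = m.groups()
        perms[(src, tgt, cls)].update(denied.split())
        comms[(src, tgt, cls)].add(comm)
    return perms, comms

def render(perms):
    """Format the grouped denials as allow rules, one per (source, target, class)."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(perms.items())]

def home_write_findings(perms, comms):
    """List rules that would give a domain write-like access to a home-directory type."""
    out = []
    for key, p in sorted(perms.items()):
        risky = sorted(p & WRITE_PERMS)
        if key[1] in HOME_TYPES and risky:
            out.append((*key, risky, sorted(comms[key])))
    return out

if __name__ == "__main__":
    rules, who = derive_rules(SAMPLE)
    print("\n".join(render(rules)))
    print(*home_write_findings(rules, who), sep="\n")
```

Every denial in the sample comes from gs or the cups-pdf backend, while the derived rules would apply to every process running as cupsd_t.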