Bug 436671
Summary: | AVCs prevent "printing to CUPS-Pdf" | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Tom London <selinux> | ||||||||
Component: | cups-pdf | Assignee: | Remi Collet <fedora> | ||||||||
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
Severity: | low | Docs Contact: | |||||||||
Priority: | low | ||||||||||
Version: | rawhide | CC: | dwalsh, twaugh | ||||||||
Target Milestone: | --- | Keywords: | Reopened | ||||||||
Target Release: | --- | ||||||||||
Hardware: | All | ||||||||||
OS: | Linux | ||||||||||
Whiteboard: | |||||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||||
Doc Text: | Story Points: | --- | |||||||||
Clone Of: | Environment: | ||||||||||
Last Closed: | 2008-03-17 13:34:38 UTC | Type: | --- | ||||||||
Regression: | --- | Mount Type: | --- | ||||||||
Documentation: | --- | CRM: | |||||||||
Verified Versions: | Category: | --- | |||||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||||
Embargoed: | |||||||||||
Attachments: |
|
Description
Tom London
2008-03-09 01:37:09 UTC
I'm not very happy about giving cupsd_t access to write to home directories. Couldn't cups-pdf have its own security context for that sort of thing? @Tom London : which version of cups-pdf ? @Tim Waugh : you're right. I'm not a SElinux expert but i will look for a better solution ASAP. Running cups-pdf-2.4.6-6.fc9.2.i386; should be rawhide.... Suppose one "approach" would be to define a directory in ~, say, ~/cups-pdf, and give that some label, say cups_pdf_t, and give cupsd_t (reasonably) general access to that type. The default target directory is "~/Desktop" (user-friendly), but this is "localized" (~/.config/user-dirs.dirs)... So i don't find another solution than to apply a global access to the home dir. I still searching... Please explain what cups-pdf is doing? cups-pdf allows you to "print to a pdf file" as an option from the usual "print menu" from apps. I'm guessing it is really just a specialized "printer" that tells cupsd to just "route" the pdf to a file instead of a printer. How about something like giving ~/Desktop its own type, say user_desktop_t, and giving cupsd access to that? Could enable/disable with a boolean? cups-pdf looks like it is shipping with its own policy. /usr/share/doc/cups-pdf-2.4.6/contrib/SELinux-HOWTO/cups_pdf.te I would prefer not to allow the access they are giving. It would be better to only allow cups_pdf access to the homedir, not all of cups. Cups-pdf is a cups backend which convert the PostScript output to PDF using ghostscript and move the result to the desktop folder (path detected at run-time for localized name). @Tom London : as i said in #4 ~/Desktop is localized : for me ~/Bureau. So i cannot apply Selinux context on all possible "desktop" name. @dwalsh : Yes. As i said in #2 i will work on a better solution. But help on this will be welcome (i'm not a real SELinux expert). Remi. Created attachment 297492 [details]
Cups_pdf.fc
Created attachment 297493 [details]
Cups interface file
Created attachment 297494 [details]
Cups pdf te file
I have added a new interface to cups call cups_backend. Using this interface we can create new backends which can be confined differently. I can suck these files into the mainline policy or you can ship them with your package. They seem to work well on my machine. You will need selinux-policy-3.3.1-13.fc9 to be able to compile these. @Daniel : Great thanks for this. I've just try it (my rawhide was broken until today). All seems OK for users Yes I think it's a good idea to have it shipped with the main policy (I don't feel capable enough to maintain it in the package). But of course I'm still OK to work on it. I give you the final decision, just tell me. Regards Added in selinux-policy-3.3.1-18.fc9 YOu should remove the policy files from your documentation. @Daniel. Can you add (probably in policy/modules/services/cups.fc) /var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,s0) Various directories are used for output : /var/spool/cups-pdf/SPOOL : temporary gs files /var/spool/cups-pdf/ANONYMOUS : unkown users output (lpr, smb) /var/spool/cups-pdf/<username> : default "not-user-friendly" cups-pdf output I apologize, I forget to mention after my first tests. I've just add it to a test build from selinux-policy-3.3.1-19.fc9. All work well with it. Thanks. Fixed in selinux-policy-3.3.21.fc9 |