Bug 646731

Summary: SELinux is preventing admin.cgi (cupsd_t) "create" to 4cc5f04ab180b (print_spool_t).
Product: Red Hat Enterprise Linux 5
Reporter: Wolfram R. Jarisch <wolfram>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: low
Version: 5.5
CC: dwalsh, ksrot, mmalik
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-2.4.6-289.el5
Doc Type: Bug Fix
Doc Text:
Due to an error in an SELinux policy, the system-config-printer utility could terminate unexpectedly with the following message written to the standard error:

  ImportError: /usr/lib64/python2.4/site-packages/cups.so: undefined symbol: _cupsAdminGetServerSettings

To resolve this issue, relevant SELinux rules have been corrected, so that the system-config-printer utility no longer crashes.
Last Closed: 2011-01-13 21:50:58 UTC

Description Wolfram R. Jarisch 2010-10-26 03:55:31 UTC
Description of problem:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by admin.cgi. It is not expected that this
access is required by admin.cgi and this access may signal an intrusion attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.


Version-Release number of selected component (if applicable):


How reproducible: every time in the last two weeks


Steps to Reproduce:
1. system-config-printer
  
Actual results:

Traceback (most recent call last):
  File "/usr/share/system-config-printer/system-config-printer.py", line 40, in ?
    import cups
ImportError: /usr/lib64/python2.4/site-packages/cups.so: undefined symbol: _cupsAdminGetServerSettings

Expected results:

configure cups for network printer

Additional info:

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                user_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context                user_u:object_r:print_spool_t
Target Objects                4cc5f04ab180b [ lnk_file ]
Source                        admin.cgi
Source Path                   /usr/lib/cups/cgi-bin/admin.cgi
Port                          <Unknown>
Host                          Sup0-64
Source RPM Packages           cups-1.3.7-18.el5_5.7
Target RPM Packages           
Policy RPM                    selinux-policy-2.4.6-279.el5_5.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     Sup0-64
Platform                      Linux Sup0-64 2.6.18-194.17.1.el5 #1 SMP Mon Sep
                              20 07:12:06 EDT 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Mon Oct 25 17:02:02 2010
Last Seen                     Mon Oct 25 17:02:02 2010
Local ID                      166193cf-8c64-46c5-9d10-2af22cb123a4
Line Numbers                  

Raw Audit Messages            

host=Sup0-64 type=AVC msg=audit(1288040522.726:3566): avc:  denied  { create } for  pid=4413 comm="admin.cgi" name="4cc5f04ab180b" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:print_spool_t:s0 tclass=lnk_file

host=Sup0-64 type=SYSCALL msg=audit(1288040522.726:3566): arch=c000003e syscall=88 success=yes exit=0 a0=7fffb0e1e180 a1=2b9f8e4e2a58 a2=21 a3=0 items=0 ppid=1790 pid=4413 auid=500 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=1 comm="admin.cgi" exe="/usr/lib/cups/cgi-bin/admin.cgi" subj=user_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2010-10-26 12:35:52 UTC
Miroslav 

RHEL6 policy 

lpd_manage_spool includes
	manage_lnk_files_pattern($1, print_spool_t, print_spool_t)

Comment 2 Daniel Walsh 2010-10-26 12:37:11 UTC
Wolfram 

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
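
As an added example (not part of the original comments and not the policy tooling's own code): a small parser that turns AVC records into candidate allow rules per source domain, so the rules a module built from the audit log would carry can be reviewed before it is loaded. The first sample record is the one quoted in this report; the second record and its names (exampled, example_t) are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample audit records. The first is the AVC record quoted in this report; the
# second is constructed for this example (hypothetical exampled/example_t).
SAMPLE_LOG = """\
host=Sup0-64 type=AVC msg=audit(1288040522.726:3566): avc:  denied  { create } for  pid=4413 comm="admin.cgi" name="4cc5f04ab180b" scontext=user_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:print_spool_t:s0 tclass=lnk_file
host=Sup0-64 type=AVC msg=audit(1288040600.100:3570): avc:  denied  { read write } for  pid=5000 comm="exampled" name="data" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Extract one dict per AVC denial line; other lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "source": selinux_type(m.group("scontext")),
                "target": selinux_type(m.group("tcontext")),
                "tclass": m.group("tclass"),
                "perms": m.group("perms").split(),
            })
    return denials

def candidate_rules(denials, source_type=None):
    """Merge denials into allow rules, optionally for one source domain only."""
    grouped = defaultdict(set)
    for d in denials:
        if source_type is None or d["source"] == source_type:
            grouped[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        plist = " ".join(sorted(perms))
        rules.append("allow %s %s:%s %s;" % (
            src, tgt, cls, plist if len(perms) == 1 else "{ " + plist + " }"))
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(parse_denials(SAMPLE_LOG), "cupsd_t")))
```

Without the `source_type` filter the second, unrelated denial also becomes a rule, which is what an unfiltered pass over the whole audit log would produce.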

Comment 4 Miroslav Grepl 2010-10-27 08:43:39 UTC
Fixed in selinux-policy-2.4.6-289.el5.noarch

Comment 6 Karel Srot 2010-11-10 15:42:07 UTC
Wolfram,
could you please describe the action in system-config-printer in more detail? Did you just execute s-c-m? It seems that you were trying to add a printer; could you specify the connection type, printer type, model, URI, and s-c-p version? I am unable to reproduce this traceback.
Thank you in advance.

Comment 8 Jaromir Hradilek 2011-01-05 16:24:42 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Due to an error in an SELinux policy, the system-config-printer utility could terminate unexpectedly with the following message written to the standard error:

  ImportError: /usr/lib64/python2.4/site-packages/cups.so: undefined symbol: _cupsAdminGetServerSettings

To resolve this issue, relevant SELinux rules have been corrected, so that the system-config-printer utility no longer crashes.

Comment 10 errata-xmlrpc 2011-01-13 21:50:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html