Bug 1265132 - SELinux prevents cupsd from creating /etc/printcap
Summary: SELinux prevents cupsd from creating /etc/printcap
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.8
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-09-22 08:06 UTC by Milos Malik
Modified: 2018-07-16 17:10 UTC
CC: 8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 1265102
Environment:
Last Closed: 2015-10-05 06:51:29 UTC
Target Upstream Version:
Embargoed:



Description Milos Malik 2015-09-22 08:06:19 UTC
Description of problem:

Version-Release number of selected component (if applicable):
cups-1.4.2-72.el6.x86_64
cups-libs-1.4.2-72.el6.x86_64
cups-lpd-1.4.2-72.el6.x86_64
selinux-policy-3.7.19-279.el6_7.6.noarch
selinux-policy-doc-3.7.19-279.el6_7.6.noarch
selinux-policy-minimum-3.7.19-279.el6_7.6.noarch
selinux-policy-mls-3.7.19-279.el6_7.6.noarch
selinux-policy-targeted-3.7.19-279.el6_7.6.noarch

How reproducible:
always

Steps to Reproduce:
# rm -f /etc/printcap 
# service cups start
Starting cups:                                             [  OK  ]
# service cups status
cupsd (pid  5059) is running...
# ls -Z /etc/printcap
ls: cannot access /etc/printcap: No such file or directory
# 

Actual results (enforcing mode):
----
type=PATH msg=audit(09/22/2015 09:58:52.159:137) : item=1 name=/etc/printcap nametype=CREATE 
type=PATH msg=audit(09/22/2015 09:58:52.159:137) : item=0 name=/etc/ inode=131075 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT 
type=CWD msg=audit(09/22/2015 09:58:52.159:137) :  cwd=/ 
type=SYSCALL msg=audit(09/22/2015 09:58:52.159:137) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fb94c482b04 a1=O_WRONLY|O_CREAT|O_EXCL a2=0666 a3=0x7ffd41bccb70 items=2 ppid=5058 pid=5059 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=cupsd exe=/usr/sbin/cupsd subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/22/2015 09:58:52.159:137) : avc:  denied  { write } for  pid=5059 comm=cupsd name=etc dev=vda3 ino=131075 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
----

Actual results (permissive mode):
----
type=PATH msg=audit(09/22/2015 10:03:32.138:214) : item=1 name=/etc/printcap inode=131110 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE 
type=PATH msg=audit(09/22/2015 10:03:32.138:214) : item=0 name=/etc/ inode=131075 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT 
type=CWD msg=audit(09/22/2015 10:03:32.138:214) :  cwd=/ 
type=SYSCALL msg=audit(09/22/2015 10:03:32.138:214) : arch=x86_64 syscall=open success=yes exit=7 a0=0x7f2252fd3b04 a1=O_WRONLY|O_CREAT|O_EXCL a2=0666 a3=0x7ffe3fee11f0 items=2 ppid=5322 pid=5323 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=cupsd exe=/usr/sbin/cupsd subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { create } for  pid=5323 comm=cupsd name=printcap scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file 
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { add_name } for  pid=5323 comm=cupsd name=printcap scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { write } for  pid=5323 comm=cupsd name=etc dev=vda3 ino=131075 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
----

Unfortunately, the file gets an incorrect context in permissive mode:

# ls -Z /etc/printcap 
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/printcap
# restorecon -Rv /etc/printcap 
restorecon reset /etc/printcap context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:cupsd_rw_etc_t:s0
#

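The denials above, reduced to the policy rules they imply. This is an added example for this report, not code from the report or from selinux-policy: it parses AVC records in the `ausearch -i` format quoted in the description, collapses them into the `allow` rules that audit2allow would print, and then checks whether the denied `create` would have given the new file the type that restorecon later reset it to (`cupsd_rw_etc_t`, taken from the restorecon line above). When the file would instead inherit the parent directory's type, it emits the name-based `type_transition` that the description's mislabelling points at. The sample records are copied from the permissive-mode output above; the function names and the choice of `cupsd_rw_etc_t` as the expected type are this example's own.

```python
"""Summarise SELinux AVC denials and derive the rules they imply.

Added example, not part of the bug report or of selinux-policy.
"""
import re
from collections import defaultdict

# Constructed sample: the three AVC records from the report's permissive-mode run.
SAMPLE_AVCS = [
    "type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { create } for  pid=5323 comm=cupsd name=printcap scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file",
    "type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { add_name } for  pid=5323 comm=cupsd name=printcap scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir",
    "type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { write } for  pid=5323 comm=cupsd name=etc dev=vda3 ino=131075 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir",
]

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of fields plus a 'perms' set for one AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """Type component (third field) of a user:role:type:range context."""
    return context.split(":")[2]


def allow_rules(lines):
    """Collapse denials into `allow src tgt:class { perms };`, one rule per triple."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        grouped[key] |= rec["perms"]
    return sorted(
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in grouped.items()
    )


def suggest_filetrans(lines, expected_type):
    """If a denied file create would label the file with the parent's type rather
    than expected_type, return the named type_transition that would fix it."""
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["tclass"] == "file" and "create" in rec["perms"]:
            src, got = type_of(rec["scontext"]), type_of(rec["tcontext"])
            if got != expected_type:
                return f'type_transition {src} {got}:file {expected_type} "{rec["name"]}";'
    return None


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    print(suggest_filetrans(SAMPLE_AVCS, "cupsd_rw_etc_t"))
```

The `allow` lines alone would only silence the denial while leaving `/etc/printcap` labelled `etc_t`, which is exactly the wrong state the permissive-mode run shows. The `type_transition` with a filename is the "filename transition" comment 6 refers to; in policy source it is normally written through the `filetrans_pattern` macro rather than as a raw rule. The script cannot tell whether the running kernel and policy version support name-based transitions, which is the constraint the maintainer raises for 6.8, so treat its suggestion as a candidate to test, not a fix.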
Comment 1 Miroslav Grepl 2015-09-22 15:20:39 UTC
Ok so we need to find out where the dir is created and run restorecon on it.

rpm -qf /etc/printcap 

rpm -qa --scripts |grep printcap

Comment 2 Milos Malik 2015-09-23 07:05:03 UTC
# rpm -qf /etc/printcap 
setup-2.8.14-20.el6_4.1.noarch
# rpm -qa --scripts | grep printcap
#

Comment 4 Miroslav Grepl 2015-10-05 06:36:01 UTC
So this bug is about removing a dir which is owned by rpm. Not sure if it is a correct test scenario. We don't have filetrans rules for dir.

filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, dir)

does it work with this rule?

Comment 5 Milos Malik 2015-10-05 06:43:56 UTC
/etc/printcap is a regular file.

# rpm -qf /etc/printcap 
setup-2.8.71-6.el7.noarch
# cat /etc/printcap 
# This file was automatically generated by cupsd(8) from the
# /etc/cups/printers.conf file.  All changes to this file
# will be lost.

Comment 6 Miroslav Grepl 2015-10-05 06:51:29 UTC
Ok. The problem is we are not able to get it working correctly in 6.8 without filenametrans rules. And if it is owned by the setup package I believe we can close this bug.

