Bug 1265132 - SELinux prevents cupsd from creating /etc/printcap
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.8
Hardware: All  OS: Linux
Priority: medium  Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2015-09-22 04:06 EDT by Milos Malik
Modified: 2016-06-06 09:11 EDT
Doc Type: Bug Fix
Clone Of: 1265102
Last Closed: 2015-10-05 02:51:29 EDT
Type: Bug

Attachments: None
Description Milos Malik 2015-09-22 04:06:19 EDT
Description of problem:

Version-Release number of selected component (if applicable):
cups-1.4.2-72.el6.x86_64
cups-libs-1.4.2-72.el6.x86_64
cups-lpd-1.4.2-72.el6.x86_64
selinux-policy-3.7.19-279.el6_7.6.noarch
selinux-policy-doc-3.7.19-279.el6_7.6.noarch
selinux-policy-minimum-3.7.19-279.el6_7.6.noarch
selinux-policy-mls-3.7.19-279.el6_7.6.noarch
selinux-policy-targeted-3.7.19-279.el6_7.6.noarch

How reproducible:
always

Steps to Reproduce:
# rm -f /etc/printcap 
# service cups start
Starting cups:                                             [  OK  ]
# service cups status
cupsd (pid  5059) is running...
# ls -Z /etc/printcap
ls: cannot access /etc/printcap: No such file or directory
# 

Actual results (enforcing mode):
----
type=PATH msg=audit(09/22/2015 09:58:52.159:137) : item=1 name=/etc/printcap nametype=CREATE 
type=PATH msg=audit(09/22/2015 09:58:52.159:137) : item=0 name=/etc/ inode=131075 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT 
type=CWD msg=audit(09/22/2015 09:58:52.159:137) :  cwd=/ 
type=SYSCALL msg=audit(09/22/2015 09:58:52.159:137) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7fb94c482b04 a1=O_WRONLY|O_CREAT|O_EXCL a2=0666 a3=0x7ffd41bccb70 items=2 ppid=5058 pid=5059 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=cupsd exe=/usr/sbin/cupsd subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/22/2015 09:58:52.159:137) : avc:  denied  { write } for  pid=5059 comm=cupsd name=etc dev=vda3 ino=131075 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
----

Actual results (permissive mode):
----
type=PATH msg=audit(09/22/2015 10:03:32.138:214) : item=1 name=/etc/printcap inode=131110 dev=fc:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:etc_t:s0 nametype=CREATE 
type=PATH msg=audit(09/22/2015 10:03:32.138:214) : item=0 name=/etc/ inode=131075 dev=fc:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=PARENT 
type=CWD msg=audit(09/22/2015 10:03:32.138:214) :  cwd=/ 
type=SYSCALL msg=audit(09/22/2015 10:03:32.138:214) : arch=x86_64 syscall=open success=yes exit=7 a0=0x7f2252fd3b04 a1=O_WRONLY|O_CREAT|O_EXCL a2=0666 a3=0x7ffe3fee11f0 items=2 ppid=5322 pid=5323 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3 comm=cupsd exe=/usr/sbin/cupsd subj=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { create } for  pid=5323 comm=cupsd name=printcap scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file 
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { add_name } for  pid=5323 comm=cupsd name=printcap scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { write } for  pid=5323 comm=cupsd name=etc dev=vda3 ino=131075 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir 
----

Unfortunately, the file gets an incorrect context in permissive mode:

# ls -Z /etc/printcap 
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0   /etc/printcap
# restorecon -Rv /etc/printcap 
restorecon reset /etc/printcap context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:cupsd_rw_etc_t:s0
#
Comment 1 Miroslav Grepl 2015-09-22 11:20:39 EDT
Ok so we need to find out where the dir is created and run restorecon on it.

rpm -qf /etc/printcap 

rpm -qa --scripts |grep printcap
Comment 2 Milos Malik 2015-09-23 03:05:03 EDT
# rpm -qf /etc/printcap 
setup-2.8.14-20.el6_4.1.noarch
# rpm -qa --scripts | grep printcap
#
Comment 4 Miroslav Grepl 2015-10-05 02:36:01 EDT
So this bug is about removing a dir which is owned by rpm. Not sure if it is a correct test scenario. We don't have filetrans rules for dir.

filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, dir)

Does it work with this rule?
Comment 5 Milos Malik 2015-10-05 02:43:56 EDT
/etc/printcap is a regular file.

# rpm -qf /etc/printcap 
setup-2.8.71-6.el7.noarch
# cat /etc/printcap 
# This file was automatically generated by cupsd(8) from the
# /etc/cups/printers.conf file.  All changes to this file
# will be lost.
Comment 6 Miroslav Grepl 2015-10-05 02:51:29 EDT
Ok. The problem is we are not able to get it working correctly in 6.8 without filenametrans rules. And if it is owned by the setup package I believe we can close this bug.
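The AVC records in the description and the rule discussed in comments 4 and 6 are the two halves of the same problem: audit2allow would turn the denials into blanket allow rules for cupsd_t on etc_t, which would let the daemon create and write arbitrary files under /etc, while the least-privilege fix is a name-based file transition so that the one file cupsd creates gets cupsd_rw_etc_t without any extra write access. The script below is an added example, not code from this bug or from the selinux-policy package: a minimal audit2allow-style parser that runs over the AVC lines quoted in the description (copied inline as sample input), aggregates the denied permissions per (source type, target type, class), and emits both the naive allow rules and the refpolicy filetrans_pattern rule with its optional name argument (what comment 6 calls a filenametrans rule). The function names, the regexes and the target type cupsd_rw_etc_t (taken from the restorecon output in the description) are this example's own choices; the parent type is read from the AVC as etc_t, whereas comment 4 wrote cupsd_etc_t. The real audit2allow (sepolgen) does considerably more than this.

```python
"""Mini audit2allow over the AVC records quoted in this bug (added example).

Parses `avc: denied { perm } ... scontext=... tcontext=... tclass=...`
records, aggregates denied permissions per (source type, target type, class)
and emits (a) the allow rules audit2allow would suggest and (b) the
name-based transition rule that fixes the mislabel without widening access.
"""
import re
from collections import defaultdict

# Sample input: the three AVC records from the permissive-mode run in the
# bug description, copied verbatim (constructed test data for this example).
SAMPLE_AVCS = """\
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { create } for  pid=5323 comm=cupsd name=printcap scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { add_name } for  pid=5323 comm=cupsd name=printcap scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(09/22/2015 10:03:32.138:214) : avc:  denied  { write } for  pid=5323 comm=cupsd name=etc dev=vda3 ino=131075 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
"""

# One AVC record: permissions in braces, then the three contexts/classes.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)
# The object name (file or directory basename) the denial was about.
NAME_RE = re.compile(r"\bname=(?P<name>\S+)")


def type_of(context):
    """Extract the type field from a user:role:type[:range] context string."""
    return context.split(":")[2]


def parse_avcs(text):
    """Parse AVC records into dicts with stype, ttype, tclass, perms, name."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, PATH, CWD ...)
        n = NAME_RE.search(line)
        records.append({
            "stype": type_of(m["scontext"]),
            "ttype": type_of(m["tcontext"]),
            "tclass": m["tclass"],
            "perms": set(m["perms"].split()),
            "name": n["name"] if n else None,
        })
    return records


def allow_rules(records):
    """What audit2allow would suggest: one allow rule per (src, tgt, class).

    Note that these grant cupsd_t write/add_name on *every* etc_t directory
    and create on every etc_t file, far more than the one file it needs.
    """
    agg = defaultdict(set)
    for r in records:
        agg[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(agg.items())
    ]


def filetrans_rule(records, new_type):
    """Least-privilege fix: a name-based transition for the created file.

    Emits the refpolicy filetrans_pattern macro with its optional name
    argument, so only a file literally called <name> created by stype in a
    ttype directory is labelled new_type. Returns None if the records
    contain no 'create' denial on a named file.
    """
    for r in records:
        if r["tclass"] == "file" and "create" in r["perms"] and r["name"]:
            return (f'filetrans_pattern({r["stype"]}, {r["ttype"]}, '
                    f'{new_type}, file, "{r["name"]}")')
    return None


def context_matches(actual_context, expected_type):
    """True if an `ls -Z` style context already carries the expected type.

    With the description's `unconfined_u:object_r:etc_t:s0` this is False,
    which is exactly the condition under which restorecon relabels the file.
    """
    return type_of(actual_context) == expected_type


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AVCS)
    print("# audit2allow-style rules (over-broad):")
    print("\n".join(allow_rules(recs)))
    print("# name-based transition (what the policy actually needs):")
    print(filetrans_rule(recs, "cupsd_rw_etc_t"))
```

Feeding the three records in gives two allow rules (`{ add_name write }` on etc_t:dir and `{ create }` on etc_t:file) and the transition `filetrans_pattern(cupsd_t, etc_t, cupsd_rw_etc_t, file, "printcap")`. The practical point is the difference between the two outputs: the allow rules would silence the denials but also let a compromised cupsd drop arbitrary files into /etc, whereas the transition only changes the label the kernel assigns at creation time and needs no new access, which is why comment 6 says the case cannot be solved cleanly on a policy without filename transitions.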
