Bug 138777 - SELinux blocks lpq/lpr access to printer
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: All Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2004-11-10 21:51 EST by W. Michael Petullo
Modified: 2007-11-30 17:10 EST (History)

Fixed In Version: selinux-policy-strict-1.19.1-11
Doc Type: Bug Fix
Last Closed: 2004-11-17 22:08:52 EST

Attachments: None
Description (W. Michael Petullo, 2004-11-10 21:51:55 EST)
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; en-US; rv:1.7.3) Gecko/20041020 Epiphany/1.4.4

Description of problem:
Fedora's strict SELinux policy does not seem to give lpr and lpq
access to the system printer queue.  I have a USB printer that was
configured automatically by hal-cups-utils and friends.  Everything
works fine when SELinux is not enforcing its policy.  However, when I
tell SELinux to start enforcing the strict policy, printing breaks.

lpq causes:

Nov 10 20:51:00 imp kernel: audit(1100141460.498:0): avc:  denied  { read } for  pid=6432 exe=/usr/bin/lpq.cups path=pipe:[22289] dev=pipefs ino=22289 scontext=root:sysadm_r:sysadm_lpr_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 10 20:51:00 imp kernel: audit(1100141460.731:0): avc:  denied  { connect } for  pid=6432 exe=/usr/bin/lpq.cups scontext=root:sysadm_r:sysadm_lpr_t tcontext=root:sysadm_r:sysadm_lpr_t tclass=tcp_socket

lpr causes:

Nov 10 20:52:48 imp kernel: audit(1100141568.526:0): avc:  denied  { read } for  pid=6452 exe=/usr/bin/lpr.cups path=pipe:[22289] dev=pipefs ino=22289 scontext=root:sysadm_r:sysadm_lpr_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 10 20:52:48 imp kernel: audit(1100141568.589:0): avc:  denied  { connect } for  pid=6452 exe=/usr/bin/lpr.cups scontext=root:sysadm_r:sysadm_lpr_t tcontext=root:sysadm_r:sysadm_lpr_t tclass=tcp_socket


Version-Release number of selected component (if applicable):
selinux-policy-strict-1.18.2-2

How reproducible:
Always

Steps to Reproduce:
1.  Try to print using lpr with SELinux enforcing Fedora's strict policy
2.  Turn off SELinux and print using lpr.

Actual Results:
1.  Fails
2.  Works

Additional info:
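The denials above are easier to reason about once they are reduced to (source type, target type, class, permission) tuples, which is also what makes the odd user_su_t target stand out. The following Python script is an added example, not part of the bug report or of any Fedora tooling: it parses AVC lines of the form quoted in the report, counts the denials by tuple, and renders the minimal allow rules that would cover them, in the style audit2allow prints. The sample input is the report's own four lines, re-joined onto single lines; the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the four denials from the bug report, one per line.
SAMPLE_AUDIT = """\
Nov 10 20:51:00 imp kernel: audit(1100141460.498:0): avc:  denied  { read } for  pid=6432 exe=/usr/bin/lpq.cups path=pipe:[22289] dev=pipefs ino=22289 scontext=root:sysadm_r:sysadm_lpr_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 10 20:51:00 imp kernel: audit(1100141460.731:0): avc:  denied  { connect } for  pid=6432 exe=/usr/bin/lpq.cups scontext=root:sysadm_r:sysadm_lpr_t tcontext=root:sysadm_r:sysadm_lpr_t tclass=tcp_socket
Nov 10 20:52:48 imp kernel: audit(1100141568.526:0): avc:  denied  { read } for  pid=6452 exe=/usr/bin/lpr.cups path=pipe:[22289] dev=pipefs ino=22289 scontext=root:sysadm_r:sysadm_lpr_t tcontext=user_u:user_r:user_su_t tclass=fifo_file
Nov 10 20:52:48 imp kernel: audit(1100141568.589:0): avc:  denied  { connect } for  pid=6452 exe=/usr/bin/lpr.cups scontext=root:sysadm_r:sysadm_lpr_t tcontext=root:sysadm_r:sysadm_lpr_t tclass=tcp_socket
"""

# "avc:  denied  { read write } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<action>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    if context is None:
        return None
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one kernel AVC message; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    rec = {
        "action": m.group("action"),
        "perms": tuple(m.group("perms").split()),
        "pid": fields.get("pid"),
        "exe": fields.get("exe"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
    }
    rec["stype"] = type_of(rec["scontext"])
    rec["ttype"] = type_of(rec["tcontext"])
    return rec


def summarize(text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def allow_rules(counts):
    """Render one candidate allow rule per (source, target, class), audit2allow style."""
    grouped = {}
    for (stype, ttype, tclass, perm) in counts:
        grouped.setdefault((stype, ttype, tclass), set()).add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        target = "self" if ttype == stype else ttype
        if len(perms) == 1:
            perm_txt = next(iter(perms))
        else:
            perm_txt = "{ " + " ".join(sorted(perms)) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_txt};")
    return rules


if __name__ == "__main__":
    counts = summarize(SAMPLE_AUDIT)
    for key, n in sorted(counts.items()):
        print(f"{n:3d}  {key}")
    for rule in allow_rules(counts):
        print(rule)
```

Read the output the way the discussion below does: the sysadm_lpr_t to self tcp_socket connect rule is the kind of thing a policy maintainer can simply add, while the fifo_file read on a user_su_t target is a signal to ask why a print client is reading a pipe labelled for su before writing any rule for it. The rendered rules are a review aid, not something to load unread.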
Comment 1 (Daniel Walsh, 2004-11-11 07:48:59 EST)
Added the connect permission to selinux-policy-targeted-1.19.1-4

Not sure why it wants to talk to the su, what command were you
executing?  Did you do something with the su command?
Comment 2 (W. Michael Petullo, 2004-11-13 16:34:43 EST)
I did nothing special with the su command.  All I did was type "lpq"
and "lpr <file>" at my bash prompt as a non-root user.  My assumption
is that cups creates a fifo for communication with clients and that
this fifo has the context of user_u:user_r:user_su_t.  I wonder if
this is intentional.
Comment 3 (Daniel Walsh, 2004-11-15 10:39:24 EST)
Can you run a "ps -eZ | grep user_su_t" and see if cups is running in this context?

Dan
Comment 4 (W. Michael Petullo, 2004-11-15 10:56:20 EST)
Sorry, I had already done that but didn't mention it here.  Cupsd is
running with system_u:system_r:cupsd_t.

Also of possible interest is cups-config-daemon
(system_u:system_r:cupsd_config_t) and eggcups (user_u:user_r:user_t).

"ps auxZ | grep su_t" displays nothing, so it does not appear to be a
daemon that has this context.
Comment 5 (Daniel Walsh, 2004-11-17 15:20:01 EST)
I have tried this with policy-1.19.1-10 and have not been able to
reproduce it.  Are you still seeing it with the latest policy files?

Dan
Comment 6 (W. Michael Petullo, 2004-11-17 22:08:52 EST)
I don't see this issue any longer in selinux-policy-strict-1.19.1-11.
