143717 – files in /etc/cups created with improper SELinux labels

Bug 143717 - files in /etc/cups created with improper SELinux labels

Summary: files in /etc/cups created with improper SELinux labels

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	cups
Sub Component:
Version:	rawhide
Hardware:	i686
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Tim Waugh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-12-25 02:08 UTC by Tom London
Modified:	2007-11-30 22:10 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2005-01-04 15:51:29 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Tom London 2004-12-25 02:08:09 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041216 Firefox/1.0 Fedora/1.0-6

Description of problem:
On a system running SELinux strict/enforcing,
latest Rawhide:

Each time I boot, some of the files in /etc/cups
are assigned the wrong SELinux label.

[root@fedora program]# restorecon -vv -R /etc/cups
restorecon reset context
/etc/cups/cupsd.conf->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/lpoptions->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/ppd/psc-900-series-2.ppd->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/ppd/HP950.ppd->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/ppd/HP5MP.ppd->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/ppd/psc-950-2.ppd->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/printers.conf->system_u:object_r:cupsd_rw_etc_t

These files are given a type of cupsd_etc_t (the type
of /etc/cups) instead of cupsd_rw_etc_t.

This causes a cascade of AVCs to be produced when printing
or when the printer changes states.


Version-Release number of selected component (if applicable):
cups-1.1.23-0.rc1.1

How reproducible:
Always

Steps to Reproduce:
1. do 'restorecon -R /etc/cups' (on system running strict/enforcing)
2. reboot
3. ls -lZ /etc/cups
    

Additional info:

Comment 1 Tom London 2004-12-26 23:43:36 UTC

The following added to /etc/rc.d/rc.local 'works around'
this problem:

echo "restoring contexts of /etc/cups"
restorecon -vv -R /etc/cups

Comment 2 Tim Waugh 2004-12-30 12:00:11 UTC

The root cause of this is likely to be that system-config-printer needs to
re-write these files.  However, being configuration files, they are best written
to new files and renamed over the originals.

dwalsh: I seem to remember asking how this should be dealt with ages ago, but I
don't remember if I heard an answer.  Here is where the thread ended up:

https://www.redhat.com/archives/fedora-devel-list/2004-March/msg00240.html

I don't mind if printconf-backend has to run restorecon itself; I don't mind if
it needs to open these files O_RDWR -- I just need to know the authoritative
answer to "how to adjust configuration files while keeping selinux happy".

Comment 3 Tom London 2004-12-30 16:22:29 UTC

BTW, my 'work around' from comment #1 doesn't work.

Sorry.  rc.local must get run before /etc/cups files
get written.

Comment 4 Daniel Walsh 2005-01-03 16:59:13 UTC

Need to add this rule 

file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) to cups
policy.  

princonf-backend is running under cupsd_config_t and should create files with
cupsd_rw_etc_t.

I will put this rule in selinux-policy-*-1.19.15-13
Dan

Comment 5 Tom London 2005-01-03 17:42:44 UTC

I made this change to my policy files, and
all appears to work correctly!

Thanks.  I'll await the 'release' of 1.19.15-13
and close this out.
tom

Note You need to log in before you can comment on or make changes to this bug.