Bug 143717 - files in /etc/cups created with improper SELinux labels
Summary: files in /etc/cups created with improper SELinux labels
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: cups   
(Show other bugs)
Version: rawhide
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-12-25 02:08 UTC by Tom London
Modified: 2007-11-30 22:10 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-01-04 15:51:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Tom London 2004-12-25 02:08:09 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041216 Firefox/1.0 Fedora/1.0-6

Description of problem:
On a system running SELinux strict/enforcing,
latest Rawhide:

Each time I boot, some of the files in /etc/cups
are assigned the wrong SELinux label.

[root@fedora program]# restorecon -vv -R /etc/cups
restorecon reset context
/etc/cups/cupsd.conf->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/lpoptions->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/ppd/psc-900-series-2.ppd->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/ppd/HP950.ppd->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/ppd/HP5MP.ppd->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/ppd/psc-950-2.ppd->system_u:object_r:cupsd_rw_etc_t
restorecon reset context
/etc/cups/printers.conf->system_u:object_r:cupsd_rw_etc_t

These files are given a type of cupsd_etc_t (the type
of /etc/cups) instead of cupsd_rw_etc_t.

This causes a cascade of AVCs to be produced when printing
or when the printer changes states.


Version-Release number of selected component (if applicable):
cups-1.1.23-0.rc1.1

How reproducible:
Always

Steps to Reproduce:
1. do 'restorecon -R /etc/cups' (on system running strict/enforcing)
2. reboot
3. ls -lZ /etc/cups
    

Additional info:
Comment 1 Tom London 2004-12-26 23:43:36 UTC 
The following added to /etc/rc.d/rc.local 'works around'
this problem:

echo "restoring contexts of /etc/cups"
restorecon -vv -R /etc/cups
Comment 2 Tim Waugh 2004-12-30 12:00:11 UTC 
The root cause of this is likely to be that system-config-printer needs to
re-write these files.  However, being configuration files, they are best written
to new files and renamed over the originals.

dwalsh: I seem to remember asking how this should be dealt with ages ago, but I
don't remember if I heard an answer.  Here is where the thread ended up:

https://www.redhat.com/archives/fedora-devel-list/2004-March/msg00240.html

I don't mind if printconf-backend has to run restorecon itself; I don't mind if
it needs to open these files O_RDWR -- I just need to know the authoritative
answer to "how to adjust configuration files while keeping selinux happy".
Comment 3 Tom London 2004-12-30 16:22:29 UTC 
BTW, my 'work around' from comment #1 doesn't work.

Sorry.  rc.local must get run before /etc/cups files
get written.
Comment 4 Daniel Walsh 2005-01-03 16:59:13 UTC 
Need to add this rule 

file_type_auto_trans(cupsd_config_t, cupsd_etc_t, cupsd_rw_etc_t, file) to cups
policy.  

princonf-backend is running under cupsd_config_t and should create files with
cupsd_rw_etc_t.

I will put this rule in selinux-policy-*-1.19.15-13
Dan
Comment 5 Tom London 2005-01-03 17:42:44 UTC 
I made this change to my policy files, and
all appears to work correctly!

Thanks.  I'll await the 'release' of 1.19.15-13
and close this out.
tom
Note You need to log in before you can comment on or make changes to this bug.