Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1756489

Summary: SELinux is preventing /usr/sbin/cups-browsed from create access on the lnk_file /tmp/5d8d011ec6286
Product: Red Hat Enterprise Linux 7 Reporter: Paul Stauffer <paulds>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.7CC: lvrabec, mmalik, plautrba, ssekidde, vmojzis, zpytela
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-10-02 08:45:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Paul Stauffer 2019-09-27 18:33:36 UTC 
Starting with selinux-policy-3.13.1-252.el7.1 we're seeing hundreds of messages with the following three variants:

SELinux is preventing /usr/sbin/cups-browsed from create access on the lnk_file /tmp/5d8d011ec6286
SELinux is preventing /usr/sbin/cups-browsed from create access on the lnk_file 5d8d011ed8a30
SELinux is preventing /usr/sbin/cups-browsed from create access on the lnk_file /etc/cups/ppd/myprinter.ppd

All of them indicate the same alert ID on a given system.  Here is an example:

$ sealert -l 6ade7ae9-9d26-44fc-b600-bc614d5be1e0
SELinux is preventing /usr/sbin/cups-browsed from create access on the lnk_file /tmp/5d8e40cc6824c.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/tmp/5d8e40cc6824c default label should be default_t.
Then you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.
Do
# /sbin/restorecon -v /tmp/5d8e40cc6824c

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that cups-browsed should be allowed create access on the 5d8e40cc6824c lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cups-browsed' --raw | audit2allow -M my-cupsbrowsed
# semodule -i my-cupsbrowsed.pp


Additional Information:
Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /tmp/5d8e40cc6824c [ lnk_file ]
Source                        cups-browsed
Source Path                   /usr/sbin/cups-browsed
Port                          <Unknown>
Host                          [REDACTED]
Source RPM Packages           cups-filters-1.0.35-26.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-252.el7.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     [REDACTED]
Platform                      Linux [REDACTED] 3.10.0-1062.1.1.el7.x86_64 #1
                              SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64
Alert Count                   631
First Seen                    2019-09-20 15:37:23 EDT
Last Seen                     2019-09-27 13:03:08 EDT
Local ID                      6ade7ae9-9d26-44fc-b600-bc614d5be1e0

Raw Audit Messages
type=AVC msg=audit(1569603788.425:206862): avc:  denied  { create } for  pid=2114 comm="cups-browsed" name="5d8e40cc6824c" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=lnk_file permissive=0


type=SYSCALL msg=audit(1569603788.425:206862): arch=x86_64 syscall=symlink success=no exit=EACCES a0=7fff093f1d00 a1=55744cc57718 a2=55744cc5772a a3=5d8e40cc items=3 ppid=1 pid=2114 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=cups-browsed exe=/usr/sbin/cups-browsed subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

type=CWD msg=audit(1569603788.425:206862): cwd=/

type=PATH msg=audit(1569603788.425:206862): item=0 name=/etc/cups/ppd/myprinter.ppd objtype=UNKNOWN cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

type=PATH msg=audit(1569603788.425:206862): item=1 name=/tmp/ inode=132 dev=fd:02 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

type=PATH msg=audit(1569603788.425:206862): item=2 name=/tmp/5d8e40cc6824c objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

Hash: cups-browsed,cupsd_t,tmp_t,lnk_file,create


The filenames consisting of hex strings do not appear to exist (I guess because the create failed?), so we can't verify if they're symlinks or not or what their context is.  The PPD files do exist; for example:

$ ls -lZ /etc/cups/ppd/myprinter.ppd
-rw-r--r--. root root system_u:object_r:cupsd_rw_etc_t:s0 /etc/cups/ppd/myprinter.ppd

It is not however a symlink, which I assume is what "lnk_file" is supposed to indicate.

Running "ausearch -c 'cups-browsed' --raw | audit2allow -M my-cupsbrowsed" produces a .te file containing the following warning:
#!!!! WARNING 'cupsd_t' is not allowed to write or create to tmp_t.  Change the label to cupsd_tmp_t.
allow cupsd_t tmp_t:lnk_file create;

Note that Bz 1401634 appears to be the same selinux-policy issue in Fedora 26, which was apparently fixed in selinux-policy-3.13.1-251.fc26.  Unclear if that patch was included in selinux-policy-3.13.1-252.el7.1 or not.
Comment 2 Lukas Vrabec 2019-10-02 08:45:29 UTC 

*** This bug has been marked as a duplicate of bug 1719754 ***