Description of problem:
CUPS 1.2.x (which I'd like to be able to ship as an update to FC5) would like to be able to create a UNIX socket /var/run/cups/cups.sock, and to use it. CUPS utilities such as 'lp' will connect to it and read and write, and the CUPS daemon 'cupsd' will listen, accept, read and write. It falls back to the current method (localhost port 631) if that fails.

Version-Release number of selected component (if applicable):
1.2 (not shipped yet)

How reproducible:
100%

Steps to Reproduce:
1. Start CUPS.

Actual results:
E [24/Feb/2006:18:14:03 +0000] Unable to bind socket for address /var/run/cups/cups.sock:0 - Permission denied.

Additional info:
With permissive mode, I get this:

type=AVC msg=audit(1140804910.089:334): avc: denied { setattr } for pid=6456 comm="cupsd" name="certs" dev=hda2 ino=9076922 scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1140804910.089:334): arch=40000003 syscall=212 success=yes exit=0 a0=bfa0f828 a1=4 a2=7 a3=4 items=1 pid=6456 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=CWD msg=audit(1140804910.089:334): cwd="/"
type=PATH msg=audit(1140804910.089:334): item=0 name="/var/run/cups/certs" flags=1 inode=9076922 dev=03:02 mode=040711 ouid=0 ogid=3 rdev=00:00
type=AVC msg=audit(1140804910.105:335): avc: denied { create } for pid=6456 comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1140804910.105:335): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bfa10450 a2=93a56c a3=bfa10484 items=1 pid=6456 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=SOCKADDR msg=audit(1140804910.105:335): saddr=01002F7661722F72756E2F637570732F637570732E736F636B00
type=SOCKETCALL msg=audit(1140804910.105:335): nargs=3 a0=3 a1=9df435c a2=1a
type=PATH msg=audit(1140804910.105:335): item=0 flags=10 inode=9076921 dev=03:02 mode=040755 ouid=0 ogid=99 rdev=00:00
type=AVC msg=audit(1140804910.105:336): avc: denied { listen } for pid=6456 comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:system_r:cupsd_t:s0-s0:c0.c255 tclass=unix_stream_socket
type=SYSCALL msg=audit(1140804910.105:336): arch=40000003 syscall=102 success=yes exit=0 a0=4 a1=bfa10450 a2=93a56c a3=0 items=0 pid=6456 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=AVC_PATH msg=audit(1140804910.105:336): path="/var/run/cups/cups.sock"
type=SOCKETCALL msg=audit(1140804910.105:336): nargs=2 a0=3 a1=80
type=AVC msg=audit(1140804910.109:337): avc: denied { setattr } for pid=6456 comm="cupsd" name="cups.sock" dev=hda2 ino=9076764 scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1140804910.109:337): arch=40000003 syscall=15 success=yes exit=0 a0=bfa10488 a1=c1ff a2=93a56c a3=0 items=1 pid=6456 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=CWD msg=audit(1140804910.109:337): cwd="/"
type=PATH msg=audit(1140804910.109:337): item=0 name="/var/run/cups/cups.sock" flags=1 inode=9076764 dev=03:02 mode=0140777 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1140804911.133:338): avc: denied { read } for pid=6456 comm="cupsd" name="net" dev=proc ino=-268435433 scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=SYSCALL msg=audit(1140804911.133:338): arch=40000003 syscall=33 success=yes exit=0 a0=3b22f3 a1=4 a2=3bfff4 a3=2 items=1 pid=6456 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=CWD msg=audit(1140804911.133:338): cwd="/"
type=PATH msg=audit(1140804911.133:338): item=0 name="/proc/net" flags=401 inode=4026531863 dev=00:03 mode=040555 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1140804911.133:339): avc: denied { read } for pid=6456 comm="cupsd" name="unix" dev=proc ino=-268434958 scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=SYSCALL msg=audit(1140804911.133:339): arch=40000003 syscall=33 success=yes exit=0 a0=bfa0bd13 a1=4 a2=3bfff4 a3=3aed00 items=1 pid=6456 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=CWD msg=audit(1140804911.133:339): cwd="/"
type=PATH msg=audit(1140804911.133:339): item=0 name="/proc/net/unix" flags=401 inode=4026532338 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1140805722.274:340): avc: denied { accept } for pid=6456 comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:system_r:cupsd_t:s0-s0:c0.c255 tclass=unix_stream_socket
type=SYSCALL msg=audit(1140805722.274:340): arch=40000003 syscall=102 success=yes exit=7 a0=5 a1=bfa10480 a2=93a56c a3=9df4358 items=0 pid=6456 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="cupsd" exe="/usr/sbin/cupsd"
type=AVC_PATH msg=audit(1140805722.274:340): path="/var/run/cups/cups.sock"
type=SOCKETCALL msg=audit(1140805722.274:340): nargs=3 a0=3 a1=9e22cc0 a2=bfa104b0

audit2allow says:
allow cupsd_t self:unix_stream_socket accept;
allow cupsd_t proc_net_t:dir read;
allow cupsd_t proc_net_t:file read;
allow cupsd_t var_run_t:dir setattr;
allow cupsd_t var_run_t:sock_file setattr;
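To show how the audit2allow output in the report is derived from the raw AVC records, here is an added Python example (not CUPS or selinux-policy code, and not posted by anyone in this bug). It parses the type=AVC lines, groups the denied permissions by source type, target type and object class, and emits allow rules of the same shape; it also decodes the saddr= hex of the SOCKADDR record, which is how you confirm that the bind target really was /var/run/cups/cups.sock. The sample records are the AVC and SOCKADDR lines copied from the report; because the script summarises every denial shown, it also emits the create and listen permissions that the quoted audit2allow output leaves out.

```python
"""Minimal audit2allow-style summariser for the AVC records quoted in the report.

Added example, not CUPS or selinux-policy code. It turns raw audit records
into allow rules and decodes the SOCKADDR saddr field.
"""
import re
from collections import defaultdict

# Constructed sample: the AVC and SOCKADDR records from the report, other record types dropped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1140804910.089:334): avc: denied { setattr } for pid=6456 comm="cupsd" name="certs" dev=hda2 ino=9076922 scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1140804910.105:335): avc: denied { create } for pid=6456 comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:var_run_t:s0 tclass=sock_file
type=SOCKADDR msg=audit(1140804910.105:335): saddr=01002F7661722F72756E2F637570732F637570732E736F636B00
type=AVC msg=audit(1140804910.105:336): avc: denied { listen } for pid=6456 comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:system_r:cupsd_t:s0-s0:c0.c255 tclass=unix_stream_socket
type=AVC msg=audit(1140804910.109:337): avc: denied { setattr } for pid=6456 comm="cupsd" name="cups.sock" dev=hda2 ino=9076764 scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1140804911.133:338): avc: denied { read } for pid=6456 comm="cupsd" name="net" dev=proc ino=-268435433 scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1140804911.133:339): avc: denied { read } for pid=6456 comm="cupsd" name="unix" dev=proc ino=-268434958 scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1140805722.274:340): avc: denied { accept } for pid=6456 comm="cupsd" name="cups.sock" scontext=root:system_r:cupsd_t:s0-s0:c0.c255 tcontext=root:system_r:cupsd_t:s0-s0:c0.c255 tclass=unix_stream_socket
"""

# An AVC record: the permissions inside { }, then the source/target contexts and the object class.
AVC_RE = re.compile(
    r'^type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)
SADDR_RE = re.compile(r'^type=SOCKADDR .*?saddr=(?P<hex>[0-9A-Fa-f]+)')
AF_UNIX = 1  # address family value on Linux


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC record in text."""
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        yield (context_type(m["scon"]), context_type(m["tcon"]),
               m["tclass"], tuple(m["perms"].split()))


def allow_rules(text):
    """Collapse denials into allow rules; 'self' is used when source and target types match."""
    perms_by_key = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        target = "self" if stype == ttype else ttype
        perms_by_key[(stype, target, tclass)].update(perms)
    rules = []
    for (stype, target, tclass), perms in sorted(perms_by_key.items()):
        plist = sorted(perms)
        body = plist[0] if len(plist) == 1 else "{ " + " ".join(plist) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {body};")
    return rules


def decode_unix_saddr(text):
    """Decode SOCKADDR saddr fields: a 2-byte sa_family in the audited host's byte order
    (the report's arch=40000003 is i386, so little-endian), then the NUL-terminated path."""
    paths = []
    for line in text.splitlines():
        m = SADDR_RE.match(line)
        if not m:
            continue
        raw = bytes.fromhex(m["hex"])
        family = int.from_bytes(raw[:2], "little")
        if family == AF_UNIX:
            paths.append(raw[2:].split(b"\x00", 1)[0].decode())
    return paths


if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
    print("bind target:", decode_unix_saddr(SAMPLE_AUDIT))
```

The rules this produces are the permissive-mode wish list, not a finished policy: the later comments in this bug do the right thing by labelling the socket with a dedicated type (cupsd_var_run_t) instead of granting cupsd_t rights on the generic var_run_t, which keeps the daemon from touching every other service's sockets under /var/run.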
I've updated selinux-policy-2.2.21-7 to handle this, although it's not tested.
Thanks. Now it needs:

allow cupsd_t cupsd_var_run_t:sock_file { create setattr unlink };
allow cupsd_t proc_net_t:dir read;
allow cupsd_t proc_net_t:file read;

(I've tested with this change and it works.)
Added in 2.2.22-1
Great. The daemon now starts up fine, just like I tested. Now I've tried to use the web interface, and found some more things it needs (sorry). I think this is the last of them now: connectto on the stream socket, and read and write on the sock_file.

allow cupsd_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow cupsd_t cupsd_var_run_t:sock_file { create setattr unlink read write };
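To make the final rule set concrete, here is an added Python example (not CUPS code, and not from anyone in this bug) that walks through the UNIX-socket lifecycle the daemon and its clients perform, with the SELinux permission each step requires, as named in this thread, in the comments. It also implements the fallback the report describes, where a failed bind falls back to a TCP listener on localhost; the echo protocol, the socket path under a temporary directory, the ephemeral fallback port standing in for 631, and the deliberately unbindable path used to trigger the fallback are all constructed for the demo.

```python
"""UNIX-socket lifecycle with the SELinux permissions from the thread, plus the localhost TCP fallback.

Added example, not CUPS code. The comments name the permission each call needs:
unix_stream_socket permissions on the socket object, sock_file permissions on the
filesystem node that bind() creates in the cupsd_var_run_t directory.
"""
import os
import socket
import tempfile
import threading


def serve_once(listener):
    """Server side: accept one client and echo its request back."""
    conn, _ = listener.accept()                 # unix_stream_socket accept
    with conn:
        data = conn.recv(4096)                  # unix_stream_socket read
        conn.sendall(b"echo:" + data)           # unix_stream_socket write


def bind_listener(sock_path, fallback_port=0):
    """Bind a UNIX socket at sock_path; on failure fall back to TCP on 127.0.0.1.

    Returns (listener, address). fallback_port=0 picks an ephemeral port here,
    standing in for the fixed port 631 the report mentions.
    """
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)   # unix_stream_socket create
    try:
        if os.path.exists(sock_path):
            os.unlink(sock_path)                              # sock_file unlink (stale socket)
        srv.bind(sock_path)                                   # sock_file create
        os.chmod(sock_path, 0o777)                            # sock_file setattr
        srv.listen(1)                                         # unix_stream_socket listen
        return srv, sock_path
    except OSError as exc:
        srv.close()
        print(f"Unable to bind socket for address {sock_path}: {exc}; falling back to localhost TCP")
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", fallback_port))
        srv.listen(1)
        return srv, srv.getsockname()


def client_request(address, payload):
    """Client side (what 'lp' or the web interface does): connect, send, read the reply."""
    family = socket.AF_UNIX if isinstance(address, str) else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as c:
        c.connect(address)          # unix_stream_socket connectto on the listener, sock_file write
        c.sendall(payload)
        return c.recv(4096)


def roundtrip(sock_path, payload=b"lp job"):
    """Run one server/client exchange; return (used_unix_socket, reply)."""
    listener, address = bind_listener(sock_path)
    try:
        t = threading.Thread(target=serve_once, args=(listener,))
        t.start()
        reply = client_request(address, payload)
        t.join()
        return isinstance(address, str), reply
    finally:
        listener.close()
        if isinstance(address, str) and os.path.exists(address):
            os.unlink(address)      # sock_file unlink on shutdown


def demo_unix():
    """Normal case: the socket directory is writable, so the UNIX socket is used."""
    return roundtrip(os.path.join(tempfile.mkdtemp(), "cups.sock"))


def demo_fallback():
    """Constructed failure: the directory does not exist, so bind() fails and TCP is used."""
    return roundtrip("/nonexistent-dir-for-demo/cups.sock")


if __name__ == "__main__":
    print(demo_unix())
    print(demo_fallback())
```

Running it under SELinux in permissive mode with the daemon-side calls confined to a test domain is a quick way to reproduce the denial list from the report: each commented call above maps to exactly one of the permissions the thread ends up granting, and the fallback branch shows why the original symptom was a silent drop to port 631 rather than a crash.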
Added in 2.2.23-2