Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1919399

Summary: SELinux is preventing /usr/lib/cups/daemon/cups-lpd from read access on the sock_file cups.sock
Product: Red Hat Enterprise Linux 8 Reporter: Bryan Mason <bmason>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.3CC: dapospis, lvrabec, mmalik, plautrba, ssekidde
Target Milestone: rcKeywords: AutoVerified, Triaged
Target Release: 8.5Flags: pm-rhel: mirror+
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-68.el8 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1919401 1947397 (view as bug list) Environment:
Last Closed: 2021-11-09 19:42:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1903942, 1919401    

Description Bryan Mason 2021-01-22 19:18:01 UTC 
Description of problem:

  SELinux prevents /usr/lib/cups/daemon/cups-lpd from reading
  /var/run/cups/cups.sock.  The message is:

    type=AVC msg=audit(1611337553.457:1827): avc: denied { read } for
    pid=19870 comm="cups-lpd" name="cups.sock" dev="tmpfs" ino=41315
    scontext=system_u:system_r:cupsd_lpd_t:s0
    tcontext=system_u:object_r:cupsd_var_run_t:s0
    tclass=sock_file permissive=0

  The existing policy allows getattr, open, write, and append, but not
  read:

    # sesearch --all | grep cupsd_lpd_t | grep cupsd_var_run_t
    allow cupsd_lpd_t cupsd_var_run_t:dir { getattr search open }; 
    allow cupsd_lpd_t cupsd_var_run_t:sock_file { write getattr append open };

  This prevents cups-lpd from initiating a connection with the local
  CUPS server (cupsd) over the domain socket /var/run/cups/cups.sock.

  As it turns out, cups-lpd recovers by initiating a network connection
  through localhost:631, so functionality isn't actually lost in the
  default CUPS configuration (which is configured to accept network
  connections on localhost), but it's still wrong.

Version-Release number of selected component (if applicable):

  selinux-policy-3.14.3-54.el8.noarch

How reproducible:

  100%

Steps to Reproduce:

 1. Install cups-lpd and enable/start cups-lpd.socket

    yum -y install cups-lpd
    systemctl enable cups-lpd.socket
    systemctl start cups-lpd.socket

 2. Create a test print queue:

    lpadmin -p test -E

 3. Use the CUPS lpd backend to print a file via LPD:

    DEVICE_URI=lpd://127.0.0.1/test \
    /usr/lib/cups/backend/lpd 1 user test 1 "" /etc/fstab
    
Actual results:

  File is processed, but SELinux denial is logged (as shown above) and
  connection is made through network layer.  The journal contains a
  record of this:

    cupsd[10227]: [Client 5] Accepted from localhost:55800 (IPv4)

Expected results:

  No SELinux denial.  Connection is made through the domain socket, as
  shown in the journal:

    cupsd[10227]: [Client 6] Accepted from localhost (Domain)

Additional info:

 * Creating and adding the following module fixed this in my testing:

    module cupslpd-read-cupssocket 1.0;
    
    require {
    	type cupsd_var_run_t;
    	type cupsd_lpd_t;
    	class sock_file read;
    }
    
    #============= cupsd_lpd_t ==============
    allow cupsd_lpd_t cupsd_var_run_t:sock_file read;

  After this, read access is allowed:

    # sesearch --allow | grep cupsd_lpd_t | grep cupsd_var_run_t
    allow cupsd_lpd_t cupsd_var_run_t:dir { getattr open search };
    allow cupsd_lpd_t cupsd_var_run_t:sock_file 
      { append getattr open read write };

 * This issue also exists in RHEL 7 (this is where it was originally
   reported), and Fedora 32.  The output below is from F32:

    # sesearch --allow | grep cupsd_lpd_t | grep cupsd_var_run_t
    allow cupsd_lpd_t cupsd_var_run_t:sock_file { append getattr open write };
Comment 1 Zdenek Pytela 2021-01-22 20:02:03 UTC 
This permission is not present in rawhide either.

Also note - although it is not this case - grep may filter out related rules where attributes are used so it's better use switches:

# sesearch -A -s cupsd_lpd_t -t cupsd_var_run_t -c sock_file
allow cupsd_lpd_t cupsd_var_run_t:sock_file { append getattr open write };

# sesearch -A -s cupsd_lpd_t -t cupsd_var_run_t -c dir
allow cupsd_lpd_t cupsd_var_run_t:dir { getattr open search };
allow nsswitch_domain pidfile:dir { getattr open search };
allow nsswitch_domain pidfile:dir { getattr open search }; [ authlogin_nsswitch_use_ldap ]:True
allow nsswitch_domain pidfile:dir { getattr open search }; [ nis_enabled ]:True
Comment 2 Milos Malik 2021-01-26 10:37:07 UTC 
Steps to Reproduce trigger the following SELinux denial:
----
type=PROCTITLE msg=audit(01/26/2021 05:35:20.011:960) : proctitle=/usr/lib/cups/daemon/cups-lpd 
type=SYSCALL msg=audit(01/26/2021 05:35:20.011:960) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7f58c4cfd485 a1=R_OK a2=0x4 a3=0xffffffff items=0 ppid=1 pid=7625 auid=unset uid=lp gid=lp euid=lp suid=lp fsuid=lp egid=lp sgid=lp fsgid=lp tty=(none) ses=unset comm=cups-lpd exe=/usr/lib/cups/daemon/cups-lpd subj=system_u:system_r:cupsd_lpd_t:s0 key=(null) 
type=AVC msg=audit(01/26/2021 05:35:20.011:960) : avc:  denied  { read } for  pid=7625 comm=cups-lpd name=cups.sock dev="tmpfs" ino=51644 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=0 
----

# rpm -qa selinux\* cups\* | sort
cups-2.2.6-38.el8.x86_64
cups-client-2.2.6-38.el8.x86_64
cups-filesystem-2.2.6-38.el8.noarch
cups-filters-1.20.0-24.el8.x86_64
cups-filters-libs-1.20.0-24.el8.x86_64
cups-ipptool-2.2.6-38.el8.x86_64
cups-libs-2.2.6-38.el8.x86_64
cups-lpd-2.2.6-38.el8.x86_64
selinux-policy-3.14.3-60.el8.noarch
selinux-policy-targeted-3.14.3-60.el8.noarch
#
Comment 3 Milos Malik 2021-01-26 10:38:38 UTC 
The only SELinux denial which appears in permissive mode is:
----
type=PROCTITLE msg=audit(01/26/2021 05:37:42.592:965) : proctitle=/usr/lib/cups/daemon/cups-lpd 
type=SYSCALL msg=audit(01/26/2021 05:37:42.592:965) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7f6f50cee485 a1=R_OK a2=0x4 a3=0xffffffff items=0 ppid=1 pid=7634 auid=unset uid=lp gid=lp euid=lp suid=lp fsuid=lp egid=lp sgid=lp fsgid=lp tty=(none) ses=unset comm=cups-lpd exe=/usr/lib/cups/daemon/cups-lpd subj=system_u:system_r:cupsd_lpd_t:s0 key=(null) 
type=AVC msg=audit(01/26/2021 05:37:42.592:965) : avc:  denied  { read } for  pid=7634 comm=cups-lpd name=cups.sock dev="tmpfs" ino=51644 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=1 
----
Comment 6 Zdenek Pytela 2021-04-08 19:48:32 UTC 
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/687
Comment 7 Zdenek Pytela 2021-04-09 18:45:24 UTC 
commit 82affb22d6a89d87345c0a6b8805aede11aaba2d (HEAD -> rawhide, upstream/rawhide, upstream-rw/rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Thu Apr 8 21:44:11 2021 +0200

    Allow cups-lpd read its private runtime socket files

    For /usr/lib/cups/daemon/cups-lpd to be able to initiate a connection
    with the local CUPS server (cupsd) over the /var/run/cups/cups.sock
    domain socket file, the read permission is required.

    Resolves: rhbz#1919399
Comment 18 errata-xmlrpc 2021-11-09 19:42:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420