Bug 201169 - Cups IPP backend denied network access with IPSEC and SELinux
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-08-03 07:18 EDT by major
Modified: 2007-11-30 17:11 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-03-28 16:05:22 EDT
Description major 2006-08-03 07:18:09 EDT
Description of problem:
The Cups IPP backend printing service is denied access across my local network
when IPSEC and SELinux are enabled. After temporarily placing SELinux in
permissive mode, audit.log shows the following.

##########
type=AVC msg=audit(1154602245.326:2449): avc:  denied  { recvfrom } for 
pid=22932 comm="ipp" scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association

type=AVC msg=audit(1154602245.326:2450): avc:  denied  { sendto } for  pid=22932
comm="ipp" scontext=system_u:object_r:unlabeled_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
########## 

Audit2allow shows that the following rule might be used: "allow unlabeled_t
self:association { recvfrom sendto };", but that seems too permissive. The
"cups" and "ipp" processes both show the domain
"system_u:system_r:cupsd_t:SystemLow-SystemHigh" in use.

The "selinux-policy-2.3.3-8.fc5" interface configuration files for Cups,
"/usr/share/selinux/strict/include/services/cups.if" and
"/usr/share/selinux/targeted/include/services/cups.if", do not show the
"corenet_non_ipsec_sendrecv(cupsd_t)" directive to allow Cups to use unlabeled
IPSEC associations. The default "unlabeled_t -> unlabeled_t" access is being
attempted instead of the required "cupsd_t -> unlabeled_t".

Version-Release number of selected component (if applicable):
I am using selinux-policy-targeted-2.3.3-8.fc5, cups-1.2.2-1.1, and
kernel-2.6.17-1.2157_FC5.
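As an added example, not part of this report: a small Python parser for AVC denial records like the ones quoted in this bug. It reproduces the audit2allow grouping that yields the over-broad "allow unlabeled_t self:association" rule, and separately flags association denials logged against unlabeled_t, which point at the process domain's own policy (the report names "corenet_non_ipsec_sendrecv(cupsd_t)") rather than at unlabeled_t. The sample log is built from the excerpts quoted on this page with their wrapped lines joined.

```python
import re
from collections import defaultdict

# Sample built from the audit.log excerpts quoted in this bug (wrapped lines joined).
SAMPLE_LOG = """\
type=AVC msg=audit(1154602245.326:2449): avc:  denied  { recvfrom } for  pid=22932 comm="ipp" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1154602245.326:2450): avc:  denied  { sendto } for  pid=22932 comm="ipp" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
type=AVC msg=audit(1157897864.063:325): avc:  denied  { ioctl } for  pid=24886 comm="serial" name="ttyS0" dev=tmpfs ino=781 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def context_type(ctx):
    # user:role:type[:mls-range] -> type
    return ctx.split(":")[2]

def parse_avc(text):
    """Return one dict per AVC denial record found in text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            records.append(rec)
    return records

def allow_rules(records):
    """Merge denials the way audit2allow does: one rule per (source type,
    target type, class), with 'self' when source and target types match."""
    grouped = defaultdict(set)
    for r in records:
        key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"])
        grouped[key] |= r["perms"]
    rules = []
    for (s, t, c), perms in sorted(grouped.items()):
        target = "self" if s == t else t
        rules.append(f"allow {s} {target}:{c} {{ {' '.join(sorted(perms))} }};")
    return rules

def unlabeled_assoc_denials(records):
    """Commands whose association denials carry unlabeled_t as source instead
    of their own domain: the report's symptom, fixed in the domain's policy."""
    return sorted({r["comm"] for r in records
                   if r["tclass"] == "association"
                   and context_type(r["scontext"]) == "unlabeled_t"})
```

Running it on SAMPLE_LOG yields the same "allow unlabeled_t self:association { recvfrom sendto };" rule the report quotes from audit2allow, with "ipp" reported as the command that needs a domain-level policy fix instead.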
Comment 1 Daniel Walsh 2006-08-11 15:26:41 EDT
Fixed in selinux-policy-2.3.6-3.fc5
Comment 2 Joachim Frieben 2006-09-10 10:41:19 EDT
Also observed for "selinux-policy-targeted-2.3.3-22" in "RHEL5 Beta 1"
according to "audit.log":

  type=AVC msg=audit(1157897864.063:325): avc:  denied  { ioctl } for
  pid=24886 comm="serial" name="ttyS0" dev=tmpfs ino=781
  scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
  tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
Comment 3 Joachim Frieben 2006-09-10 10:58:04 EDT
(In reply to comment #2)
I finally think it was not such a good idea to post this here. Issue
reported independently as bug 205934.
Comment 4 Daniel Walsh 2007-03-28 16:05:22 EDT
Closing bugs
