Bug 205934 - "SELinux" avc denied problem w/ "CUPS"
"SELinux" avc denied problem w/ "CUPS"
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: noarch  OS: Linux
Priority: medium  Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-09-10 10:55 EDT by Joachim Frieben
Modified: 2007-11-30 17:07 EST
Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2006-11-28 16:08:19 EST
Attachments
Current "audit.log" file with "avc: denied" entries (144.68 KB, text/plain)
2006-09-10 10:56 EDT, Joachim Frieben
Description Joachim Frieben 2006-09-10 10:55:33 EDT
Description of problem:
During the creation of a new printer an "avc: denied" message is
spawned to "audit.log". When I first tried, the "SELinux Alert"
applet popped up but I unintentionally closed it immediately without
taking a screenshot. Upon a 2nd trial, there is another message of
this type in "audit.log", but the applet does not show up anymore.
The 2nd (identical) entry reads:

  type=AVC msg=audit(1157897864.063:325): avc:  denied  { ioctl } for
  pid=24886 comm="serial" name="ttyS0" dev=tmpfs ino=781
  scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
  tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.3-22

How reproducible:
Always

Steps to Reproduce:
1. Create a new printer.
2. Check "audit.log"
  
Actual results:
New "avc: denied" entry in "audit.log".

Expected results:
No "avc: denied" entry in "audit.log".

Additional info:
The full "audit.log" file is attached below. Beware, a couple of
other "avc: denied" entries are lurking there ..
Comment 1 Joachim Frieben 2006-09-10 10:56:36 EDT
Created attachment 135930 [details]
Current "audit.log" file with "avc: denied" entries
Comment 2 Daniel Walsh 2006-09-11 10:57:02 EDT
Does cups seem to be working correctly?   Looks like the policy should currently
dontaudit this.  But I am not sure how cupsd handles serial printers.

The other AVC messages seem to involve xdm/XServer leaking some file descriptors,
setroubleshoot is fixed in Rawhide.

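The AVC record quoted in the description, parsed field by field and grouped into a type-enforcement rule the way audit2allow does, with the dontaudit form Dan suggests above as an alternative to an allow. This is an added example, not code from the bug report or from the selinux-policy package; the second AVC line and the SYSCALL line in the sample log are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log: the record from the report, a made-up second AVC, a non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1157897864.063:325): avc:  denied  { ioctl } for pid=24886 comm="serial" name="ttyS0" dev=tmpfs ino=781 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=AVC msg=audit(1157897864.070:326): avc:  denied  { read write } for pid=24886 comm="serial" name="ttyS0" dev=tmpfs ino=781 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1157897864.063:325): arch=c000003e syscall=16 success=yes exit=0
"""

# Fields of an AVC record: verdict, permission set, source/target contexts, object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    # A security context is user:role:type[:mls]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def collect_denials(log_text):
    """Union the denied permissions per (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(grouped)

def policy_rules(grouped, rule="allow"):
    """Render each group as a TE rule; with rule="dontaudit" the access stays denied, only the log entry goes away."""
    return [
        f"{rule} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(grouped.items())
    ]

if __name__ == "__main__":
    for line in policy_rules(collect_denials(SAMPLE_AUDIT_LOG), rule="dontaudit"):
        print(line)
```

Run against a real audit.log this prints one rule per (source, target, class) triple; whether a denial deserves an allow, a dontaudit, or a fix in the confined program is still a judgement call for the policy author.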
Comment 3 Joachim Frieben 2006-09-12 02:39:10 EDT
Printing works for me, probably because "SELinux" is running in "permissive"
mode here. I haven't checked for "enforcing" mode yet. Btw, I do not have any
serial printer attached. It's an "HP LaserJet 4100" network printer which is 
controlled through the "JetDirect" interface.
Comment 4 Tim Waugh 2006-09-12 05:06:55 EDT
For serial printers CUPS runs the 'serial' backend
(/usr/lib/cups/backend/serial).  The general process seems to be:

device_fd = open(resource, O_RDWR | O_NOCTTY | O_EXCL | O_NDELAY);  /* never the controlling tty */
tcgetattr(device_fd, &origopts);   /* save the original line settings (an ioctl on the tty underneath) */
tcgetattr(device_fd, &opts);       /* working copy */
...
cfsetispeed(&opts, atoi(value));   /* requested baud rate */
cfsetospeed(&opts, atoi(value));
tcsetattr(device_fd, TCSANOW, &opts);
fcntl(device_fd, F_SETFL, 0);      /* back to blocking I/O */
if (FD_ISSET(device_fd, &input))
{
  /* back-channel data from the printer */
  if ((bc_bytes = read(device_fd, bc_buffer, sizeof(bc_buffer))) > 0)
    ...
}
ioctl(device_fd, TIOCMGET, &status); /* until DSR set */
write(device_fd, print_ptr, print_bytes);
tcsetattr(device_fd, TCSADRAIN, &origopts); /* restore the original settings */
close(device_fd);

Full source in cups-1.2.3/backend/serial.c.
Comment 5 Daniel Walsh 2006-09-18 12:22:13 EDT
Fixed in selinux-policy-2.3.14-3
Comment 7 Steve Grubb 2006-10-18 17:56:59 EDT
Adding to beta blocker since meets criteria and is already fixed.
Comment 8 RHEL Product and Program Management 2006-10-18 18:05:12 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.
