Bug 205934 - "SELinux" avc denied problem w/ "CUPS"
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: noarch Linux
medium
medium
Assignee: Daniel Walsh
Reported: 2006-09-10 14:55 UTC by Joachim Frieben
Modified: 2007-11-30 22:07 UTC

Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2006-11-28 21:08:19 UTC

Attachments
Current "audit.log" file with "avc: denied" entries (144.68 KB, text/plain)
2006-09-10 14:56 UTC, Joachim Frieben

Description Joachim Frieben 2006-09-10 14:55:33 UTC
Description of problem:
During the creation of a new printer an "avc: denied" message is
spawned to "audit.log". When I first tried, the "SELinux Alert"
applet popped up but I unintentionally closed it immediately without
taking a screenshot. Upon a 2nd trial, there is another message of
this type in "audit.log", but the applet does not show up anymore.
The 2nd (identical) entry reads:

  type=AVC msg=audit(1157897864.063:325): avc:  denied  { ioctl } for
  pid=24886 comm="serial" name="ttyS0" dev=tmpfs ino=781
  scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255
  tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.3.3-22

How reproducible:
Always

Steps to Reproduce:
1. Create a new printer.
2. Check "audit.log"
  
Actual results:
New "avc: denied" entry in "audit.log".

Expected results:
No "avc: denied" entry in "audit.log".

Additional info:
The full "audit.log" file is attached below. Beware, a couple of
other "avc: denied" entries are lurking there ..
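
For triaging an "audit.log" like the attached one, the sketch below (an added example, not part of the bug report and not Red Hat's tooling) parses "avc: denied" records, groups them by source type, target type and object class, and renders one candidate policy rule per group. The names parse_avc and summarize are hypothetical, and the second sample record is constructed.

```python
import re
from collections import defaultdict

# The denial quoted in the report, joined onto one line as audit.log stores it.
REPORTED = (
    'type=AVC msg=audit(1157897864.063:325): avc:  denied  { ioctl } for '
    'pid=24886 comm="serial" name="ttyS0" dev=tmpfs ino=781 '
    'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file'
)
# Constructed second record (not from the report) to show permission merging.
CONSTRUCTED = REPORTED.replace("{ ioctl }", "{ read write }").replace(":325)", ":326)")

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
                    r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return a dict of fields for an 'avc: denied' record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "perms": m["perms"].split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"]):
        rec[key] = value.strip('"')
    # A context is user:role:type[:mls-range]; the range may itself contain
    # ':' (s0-s0:c0.c255), so take the third field rather than the last.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(lines, keyword="dontaudit"):
    """Group denials by (source type, target type, class) and render rules."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            groups[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"{keyword} {stype} {ttype}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in summarize([REPORTED, CONSTRUCTED]):
        print(rule)
```

A "dontaudit" rule only silences the log entry while the access stays denied in enforcing mode; pass keyword="allow" to render the rule that would grant it, and review each rule before adding it to policy.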

Comment 1 Joachim Frieben 2006-09-10 14:56:36 UTC
Created attachment 135930
Current "audit.log" file with "avc: denied" entries

Comment 2 Daniel Walsh 2006-09-11 14:57:02 UTC
Does cups seem to be working correctly?   Looks like the policy should currently
dontaudit this.  But I am not sure how cupsd handles serial printers.

The other AVC messages seem to involve xdm/XServer leaking some file descriptors,
setroubleshoot is fixed in Rawhide.



Comment 3 Joachim Frieben 2006-09-12 06:39:10 UTC
Printing works for me, probably because "SELinux" is running in "permissive"
mode here. I haven't checked for "enforcing" mode yet. Btw, I do not have any
serial printer attached. It's an "HP LaserJet 4100" network printer which is 
controlled through the "JetDirect" interface.

Comment 4 Tim Waugh 2006-09-12 09:06:55 UTC
For serial printers CUPS runs the 'serial' backend
(/usr/lib/cups/backend/serial).  The general process seems to be:

device_fd = open(resource, O_RDWR | O_NOCTTY | O_EXCL | O_NDELAY);
tcgetattr(device_fd, &origopts);
tcgetattr(device_fd, &opts);
...
cfsetispeed(&opts, atoi(value));
cfsetospeed(&opts, atoi(value));
tcsetattr(device_fd, TCSANOW, &opts);
fcntl(device_fd, F_SETFL, 0);
if (FD_ISSET(device_fd, &input))
{
  if ((bc_bytes = read(device_fd, bc_buffer, sizeof(bc_buffer))) > 0)
    ...
}
ioctl(device_fd, TIOCMGET, &status); /* until DSR set */
write(device_fd, print_ptr, print_bytes);
tcsetattr(device_fd, TCSADRAIN, &origopts);
close(device_fd);

Full source in cups-1.2.3/backend/serial.c.

Comment 5 Daniel Walsh 2006-09-18 16:22:13 UTC
Fixed in selinux-policy-2.3.14-3

Comment 7 Steve Grubb 2006-10-18 21:56:59 UTC
Adding to beta blocker since meets criteria and is already fixed.

Comment 8 RHEL Product and Program Management 2006-10-18 22:05:12 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.

