213475 – Add an additional MLS constraint to allow writing over the range of a file

Bug 213475 - Add an additional MLS constraint to allow writing over the range of a file

Summary: Add an additional MLS constraint to allow writing over the range of a file

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-11-01 16:56 UTC by Matt Anderson
Modified:	2007-11-30 22:07 UTC (History)
CC List:	3 users (show)
Fixed In Version:	5.0.0
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-11-28 21:08:21 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
The original patch posted to the SELinux mailing list (1.90 KB, patch) 2006-11-01 16:56 UTC, Matt Anderson	no flags	Details \| Diff
View All

Description Matt Anderson 2006-11-01 16:56:49 UTC

Description of problem:
Ranged printers are currently not supported by the selinux-policy

Version-Release number of selected component (if applicable):


How reproducible:
everytime

Steps to Reproduce:
1. use chcon -l SystemLow-Secret /dev/lp0
2. newrole -l Unclassified
3. attempt to print lpr /etc/passwd
  
Actual results:
SELinux will deny access to the printer

Expected results:
Since the printer device is ranged write access should be allowed over the range

Additional info:
The following patch has been accepted upstream in the reference policy, with the
change of the line:
mls_file_write_within_range(printer_device_t)
was moved to the policy/modules/kernel/devices.te file instead of
policy/modules/services/cups.te

Comment 1 Matt Anderson 2006-11-01 16:56:49 UTC

Created attachment 140004 [details]
The original patch posted to the SELinux mailing list

Comment 2 Daniel Walsh 2006-11-06 18:43:06 UTC

Fixed in selinux-policy-2.4.3-1

Comment 4 RHEL Program Management 2006-11-06 23:06:44 UTC

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.

Comment 5 Jay Turner 2006-11-07 18:35:00 UTC

QE ack for RHEL5B2.

Note You need to log in before you can comment on or make changes to this bug.