Created attachment 143937 [details]
Proposed fix

This appears to be a side effect of adding the job->scon check to the if
statement in question.

- if (selinuxcheck && (strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) !=
0))
+ if ((selinuxcheck == 1) && (strncmp(job->scon, UNKNOWN_SL,
strlen(UNKNOWN_SL)) != 0))

We don't understand what this patch provides. The above 1 line change has no
effect on the program.

Sorry about that bogus patch, there was some confusion in various test
environments which seemed to make a previously solved problem reappear.

In the version of cups provided with RHEL5rcs3 cups-1.2.4-11.4.el5 there is not
a problem with lpq, or cups.

There is an selinux-policy issue that needs to be addressed still:
allow sysadm_lpr_t print_spool_t:file read;

Which will allow the sysadm role the ability to see other's jobs and therefore
manage the queue.

My reading of current policy would allow this.

allow sysadm_lpr_t print_spool_t:file read;

Which version of policy and could you attach the AVC's.

I'm looking at the system where mra was doing his testing.
He was running selinux-policy-mls-2.4.6-12.el5.
He had a little policy module with the above in it and the functionality
was working but when I unloaded the module and tried an lpq from sysadm_r,
I get this in the /var/log/cups/errors_log file.  Cups logs its own AVCs 
so they don't end up in the audit log.

cups:  denied  { read } for 
scontext=staff_u:sysadm_r:sysadm_lpr_t:s0-s15:c0.c1023
tcontext=system_u:object_r:print_spool_t:s15:c0.c1023 tclass=file

As a staff_u/staff_r user I can see more jobs than I can as sysadm_r
after a newrole.

Cups is not allowed to do this. It must log to the audit system.

Fixed in selinux-policy-2.4.6-16

A package has been built which should help the problem described in 
this bug report. This report is therefore being closed with a resolution 
of CURRENTRELEASE. You may reopen this bug report if the solution does 
not work for you.