Bug 229673 - [LSPP] cups is overriding mls when querying jobs with lpq -al
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cups
Platform: All Linux
Priority: medium  Severity: urgent
Assigned To: Tim Waugh
David Lawrence
Blocks: 234654 RHEL5LSPPCertTracker
Reported: 2007-02-22 12:56 EST by Klaus Heinrich Kiwi
Modified: 2010-10-22 09:15 EDT (History)
Fixed In Version: RHSA-2007-1020
Doc Type: Bug Fix
Last Closed: 2007-10-31 09:48:45 EDT

Attachments
Proposed patch to fix access check (73.17 KB, patch)
2007-02-26 18:49 EST, Matt Anderson

Description Klaus Heinrich Kiwi 2007-02-22 12:56:54 EST
Description of problem:
lpq -al <job-id> can be used to check file names/job information from jobs
scheduled by a user in a higher mls level (read-up)

Version-Release number of selected component (if applicable):
-bash-3.1$ rpm -qa | grep cups

How reproducible:

Steps to Reproduce:
Have a system with a printer installed

# Log in as user in s5-s5 level:
ssh user//s5-s5@host
# Print some file
lpr -P <printer-instance> <filename>
# Check job id with
lpstat -W all <printer-instance>
# Log out
# Log in as user in s0-s0 level:
ssh user//s0-s0@host
# Check lpq specifying job id:
lpq -al <job-id>

# You can also check all jobs with something similar to:
for ((i=0; i<100; i++)); do lpq -al $i; done;

Actual results:
User in s0-s0 level can check the s5-s5 job name and attributes

Expected results:
User in s0-s0 level can't see s5-s5 jobs

Additional info:
This is required for LSPP evaluation
Comment 1 Klaus Heinrich Kiwi 2007-02-22 14:54:39 EST
changing summary to a more precise one
Comment 2 Matt Anderson 2007-02-26 18:49:23 EST
Created attachment 148840 [details]
Proposed patch to fix access check

The following patch adds a function check_context() which has the code which
used to be in get_jobs() but is now also called from get_job_attrs() and

The code also distinguishes better in the cups log file if the action was
allowed because the system is in permissive mode which was not clear before.
I [26/Feb/2007:14:53:10 -0500] check_context: allowing operation due to permissive mode

If a user uses the `lpq -al <job-id>` command to query a file that is outside
their level the system returns "lpq: Job #<job-id> does not exist!" and the
following is left in the cups log:
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes ipp://localhost/jobs/42
D [26/Feb/2007:14:54:22 -0500] check_context: client context user_u:user_r:user_lpr_t:SystemLow job context
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access based on the client context
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access to the spool file
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes client-error-not-found: Job #42 does not exist!
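The log lines above are the only visible evidence of whether the new check_context() path is actually enforcing MLS separation on Get-Job-Attributes, so an administrator validating this fix wants to read them out of the cupsd error_log rather than eyeball them. The script below is an added example, not part of the bug report or of Matt Anderson's attached patch: it parses CUPS error_log records, classifies the check_context and Get-Job-Attributes messages into the three outcomes the comment describes (allowed only because SELinux is permissive, denied by context, job reported as not existing), and reports which job ids were hidden and whether any permissive-mode allowance occurred. The sample log is constructed here from the excerpt quoted above (wrapped lines joined); the record format `L [timestamp] message` is the standard cupsd error_log layout, and the message texts are taken verbatim from the comment.

```python
import re
from collections import Counter

# One cupsd error_log record: single-letter level, bracketed timestamp, message.
LOG_LINE = re.compile(r"^(?P<level>[A-Z]) \[(?P<ts>[^\]]+)\] (?P<msg>.*)$")

# Constructed sample built from the log excerpt in comment 2 (wrapped lines
# rejoined). Not captured from a live system.
SAMPLE_LOG = """\
I [26/Feb/2007:14:53:10 -0500] check_context: allowing operation due to permissive mode
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes ipp://localhost/jobs/42
D [26/Feb/2007:14:54:22 -0500] check_context: client context user_u:user_r:user_lpr_t:SystemLow job context
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access based on the client context
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access to the spool file
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes client-error-not-found: Job #42 does not exist!
"""


def parse_cups_log(text):
    """Yield (level, timestamp, message) for each well-formed record; skip the rest."""
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if m:
            yield m.group("level"), m.group("ts"), m.group("msg")


def classify(msg):
    """Map a cupsd message to the outcome it records for the MLS access check."""
    if msg.startswith("check_context: allowing operation due to permissive mode"):
        return "permissive_allow"      # check failed but SELinux did not enforce
    if msg.startswith("check_context: SELinux denied access"):
        return "denied"                # client context or spool file access refused
    if msg.startswith("check_context: client context"):
        return "context_compare"       # the contexts being compared
    if msg.startswith("Get-Job-Attributes ipp://"):
        return "job_attrs_request"     # incoming lpq -al style query
    if "client-error-not-found" in msg:
        return "job_attrs_not_found"   # job hidden from the caller
    return "other"


def audit_check_context(text):
    """Summarise enforcement: counts per outcome, job ids requested vs hidden,
    timestamps of permissive-mode allowances, and whether enforcement held."""
    counts = Counter()
    requested, hidden, permissive_ts = set(), set(), []
    for _level, ts, msg in parse_cups_log(text):
        kind = classify(msg)
        counts[kind] += 1
        if kind == "permissive_allow":
            permissive_ts.append(ts)
        elif kind == "job_attrs_request":
            m = re.search(r"/jobs/(\d+)$", msg)
            if m:
                requested.add(int(m.group(1)))
        elif kind == "job_attrs_not_found":
            m = re.search(r"Job #(\d+)", msg)
            if m:
                hidden.add(int(m.group(1)))
    return {
        "counts": dict(counts),
        "requested_jobs": sorted(requested),
        "hidden_jobs": sorted(hidden),
        "permissive_allows": permissive_ts,
        # Any permissive-mode allowance means the MLS check was not enforced.
        "enforcing": not permissive_ts,
    }


if __name__ == "__main__":
    result = audit_check_context(SAMPLE_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run against a real /var/log/cups/error_log (LogLevel debug is needed for the D records), a non-empty `permissive_allows` list is the finding to act on: the patched check ran, but SELinux was in permissive mode, so the cross-level query still succeeded. Job ids that appear in `requested_jobs` but not in `hidden_jobs` were answered, which is the expected result for same-level queries and the reported symptom for read-up ones.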
Comment 6 Klaus Heinrich Kiwi 2007-03-23 20:14:51 EDT
verified fix on cups-1.2.4-11.6.el5

You may close the bug - Thank you
Comment 11 errata-xmlrpc 2007-10-31 09:48:45 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
