Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 230723 - [LSPP] cups is overriding mls when querying jobs with lpq -al
Summary: [LSPP] cups is overriding mls when querying jobs with lpq -al
Alias: None
Product: Fedora
Classification: Fedora
Component: cups
Version: 6
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
Depends On:
Blocks: FC6Update
TreeView+ depends on / blocked
Reported: 2007-03-02 14:54 UTC by Tim Waugh
Modified: 2007-11-30 22:11 UTC (History)
4 users (show)

Fixed In Version: 1.2.10-3.fc6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-04-10 11:54:08 UTC
Type: ---

Attachments (Terms of Use)

Description Tim Waugh 2007-03-02 14:54:50 UTC
+++ This bug was initially created as a clone of Bug #229673 +++

Description of problem:
lpq -al <job-id> can be used to check file names/job information from jobs
scheduled by a user in a higher mls level (read-up)

Version-Release number of selected component (if applicable):
-bash-3.1$ rpm -qa | grep cups

How reproducible:

Steps to Reproduce:
Have a system with a printer installed

 # Log in as user in s5-s5 level: 
ssh user//s5-s5@host
 # Print some file
lpr -P <printer-instance> <filename>
 # Check job id with
lpstat -W all <printer-instance>
 # Log out
 # Log in as user in s0-s0 level:
ssh user//s0-s0@host
 # check lpq specifying job id:
lpq -al <job-id>

 # You can also check all jobs with something similar to:
for ((i=0; i<100; i++)); do lpq -al $i; done;

Actual results:
User in s0-s0 level can check the s5-s5 job name and attributes

Expected results:
User in s0-s0 level can't see s5-s5 jobs

Additional info:
This is required for lspp evaluation

-- Additional comment from klausk@br.ibm.com on 2007-02-22 14:54 EST --
changing summary to a more precise one

-- Additional comment from mra@hp.com on 2007-02-26 18:49 EST --
Created an attachment (id=148840)
Proposed patch to fix access check

The following patch adds a function check_context() which has the code which
used to be in get_jobs() but is now also called from get_job_attrs() and

The code also distinguishes better in the cups log file if the action was
allowed because the system is in permissive mode which was not clear before.
I [26/Feb/2007:14:53:10 -0500] check_context: allowing operation due to
permissive mode

If a user uses the `lpq -al <job-id>` command to query a file that is outside
their level the system returns "lpq: Job #<job-id> does not exist!" and the
following is left in the cups log:
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes ipp://localhost/jobs/42
D [26/Feb/2007:14:54:22 -0500] check_context: client context
user_u:user_r:user_lpr_t:SystemLow job context
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access based on
the client context
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access to the
spool file
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes client-error-not-found: Job
#42 does not exist!

Comment 1 Tim Waugh 2007-03-02 15:34:08 UTC
Fixed in 1.2.8-3.fc6.

Note You need to log in before you can comment on or make changes to this bug.