+++ This bug was initially created as a clone of Bug #229673 +++ Description of problem: lpq -al <job-id> can be used to check file names/job information from jobs scheduled by a user in a higher mls level (read-up) Version-Release number of selected component (if applicable): -bash-3.1$ rpm -qa | grep cups cups-libs-1.2.4-11.5.el5 cups-libs-1.2.4-11.5.el5 cups-1.2.4-11.5.el5 How reproducible: always Steps to Reproduce: Have a system with a printer installed # Log in as user in s5-s5 level: ssh user//s5-s5@host # Print some file lpr -P <printer-instance> <filename> # Check job id with lpstat -W all <printer-instance> # Log out exit # Log in as user in s0-s0 level: ssh user//s0-s0@host # check lpq specifying job id: lpq -al <job-id> # You can also check all jobs with something similar to: for ((i=0; i<100; i++)); do lpq -al $i; done; Actual results: User in s0-s0 level can check the s5-s5 job name and attributes Expected results: User in s0-s0 level can't see s5-s5 jobs Additional info: This is required for lspp evaluation -- Additional comment from klausk.com on 2007-02-22 14:54 EST -- changing summary to a more precise one -- Additional comment from mra on 2007-02-26 18:49 EST -- Created an attachment (id=148840) Proposed patch to fix access check The following patch adds a function check_context() which has the code which used to be in get_jobs() but is now also called from get_job_attrs() and validate_user() The code also distinguishes better in the cups log file if the action was allowed because the system is in permissive mode which was not clear before. e.g. I [26/Feb/2007:14:53:10 -0500] check_context: allowing operation due to permissive mode If a user uses the `lpq -al <job-id>` command to query a file that is outside their level the system returns "lpq: Job #<job-id> does not exist!" and the following is left in the cups log: D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes ipp://localhost/jobs/42 D [26/Feb/2007:14:54:22 -0500] check_context: client context user_u:user_r:user_lpr_t:SystemLow job context root:sysadm_r:sysadm_lpr_t:s6-SystemHigh I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access based on the client context I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access to the spool file D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes client-error-not-found: Job #42 does not exist!
Fixed in 1.2.8-3.fc6.