Red Hat Bugzilla – Bug 234889
[LSPP] querying cups jobs with sysadm_r does not override mls restrictions
Last modified: 2010-10-22 10:09:13 EDT
Description of problem: When querying jobs with sysadm_r role using lpq or lpstat, cups is not overriding mls (sysadm_t has mlsfileread attribute) Version-Release number of selected component (if applicable): cups-1.2.4-11.8.el5 How reproducible: every time Steps to Reproduce: 1. Log-in as any SystemHigh-SystemHigh user 2. Print/enqueue a job 3. Log in as sysadm_r/SystemLow(-SystemHigh) user 4. query jobs using lpq -al $job# or lpstat -W all $InstanceName Actual results: even root/sysadm_r/sysadm_t can't see jobs above it's clearance Expected results: sysadm_r should be able to see jobs above it's clearance, because of mlsfileread policy attribute Additional info: Is this actually stricter than LSPP? I'm ok with it given that LSPP/RBAC also are. Either way this needs to be fixed or documented.
fixes in selinux-policy-2.4.6-50
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
verified fix against selinux-policy-mls-2.4.6-67.el5 and cups-1.2.4-11.8.el5 please close the bug
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0544.html