Description of problem:
/usr/lib/cups/notifier/mailto needs to be able to execute sendmail. Here is the AVC I get:

avc: denied { execute } for comm="mailto" dev=hda1 egid=7 euid=4 exe="/usr/lib/cups/notifier/mailto" exit=-13 fsgid=7 fsuid=4 gid=7 items=0 name="sendmail.sendmail" pid=14794 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file tcontext=system_u:object_r:sendmail_exec_t:s0 tty=(none) uid=4

The mailto program runs as a separate process from CUPS (it gets executed by cupsd), and perhaps needs a separate label (cups_mail_t?) such that mailto can execute sendmail, and cupsd can execute mailto, but cupsd cannot execute sendmail directly. What do you think?

Version-Release number of selected component (if applicable):
cups-1.2.10-3.fc6
selinux-policy-2.4.6-54.fc6

How reproducible:
100%

Steps to Reproduce:
1. Stop CUPS
2. Make a file /etc/cups/subscriptions.conf:

NextSubscriptionId 9
<Subscription 8>
Events all
Owner root
Recipient mailto:root@localhost
LeaseDuration 86400
Interval 0
ExpirationTime 1176383781
NextEventId 2
</Subscription>

3. Start CUPS
4. lp /etc/fstab

Actual results:
AVC message

Expected results:
Email
I don't see much value in that, versus just allowing cupsd to transition to sendmail.

Added in selinux-policy-2.4.6-55.fc6
Fix confirmed in selinux-policy-2.4.6-57.fc6. Thanks.
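
Reading the AVC record from the report field by field, as an added example that is not part of the original thread or of any SELinux tool: it extracts the source and target types (coping with the colon inside the MLS range `s0-s0:c0.c1023`) and renders the literal type-enforcement rule the denial maps to. The function names `parse_avc`, `context_type` and `te_rule` are made up for this illustration.

```python
import re

# AVC record quoted in the report above; the only input, nothing is read from disk.
AVC = ('avc: denied { execute } for comm="mailto" dev=hda1 egid=7 euid=4 '
       'exe="/usr/lib/cups/notifier/mailto" exit=-13 fsgid=7 fsuid=4 gid=7 '
       'items=0 name="sendmail.sendmail" pid=14794 '
       'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 '
       'subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file '
       'tcontext=system_u:object_r:sendmail_exec_t:s0 tty=(none) uid=4')


def parse_avc(line):
    """Split an AVC record into its verdict, permission set and key=value fields."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError("not an AVC record")
    # Values are either double-quoted (may hold spaces) or a bare token.
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))}
    missing = [k for k in ("scontext", "tcontext", "tclass") if k not in fields]
    if missing:
        raise ValueError("AVC record lacks " + ", ".join(missing))
    return {"verdict": m.group(1), "perms": m.group(2).split(), "fields": fields}


def context_type(context):
    """Return the type from user:role:type[:range]."""
    # The MLS range can itself contain ':' (s0-s0:c0.c1023), so split at most
    # three times instead of taking the last or second-to-last component.
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError("malformed security context: " + context)
    return parts[2]


def te_rule(avc):
    """Render the literal type-enforcement rule the denial corresponds to."""
    f, perms = avc["fields"], avc["perms"]
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (context_type(f["scontext"]),
                                   context_type(f["tcontext"]), f["tclass"], perm)


if __name__ == "__main__":
    avc = parse_avc(AVC)
    print(avc["fields"]["exe"], "->", avc["fields"]["name"])
    print(te_rule(avc))
```

The rendered rule is only the literal reading of the denial (source type cupsd_t, target type sendmail_exec_t); the thread resolves it with a transition from cupsd to sendmail instead.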