Bug 428011 - new AVC messages with test update
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Blocks: F8Target
Reported: 2008-01-08 17:43 UTC by Tim Waugh
Modified: 2008-03-05 22:17 UTC (History)

Fixed In Version: Current
Last Closed: 2008-03-05 22:17:17 UTC

Attachments
policy-dnssd.patch (789 bytes, patch)
2008-01-09 13:25 UTC, Tim Waugh

Description Tim Waugh 2008-01-08 17:43:46 UTC
Description of problem:
New AVC messages when adding a new printer using cups-1.3.5-1.fc8.

Version-Release number of selected component (if applicable):
cups-1.3.5-1.fc8

How reproducible:
100%

Steps to Reproduce:
1. lpinfo -v
  
Actual results:
type=AVC msg=audit(1199814046.192:237): avc:  denied  { getattr } for  pid=26313
comm="sh" path="/usr/bin/lpstat.cups" dev=md1 ino=4405587
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.192:238): avc:  denied  { getattr } for  pid=26313
comm="sh" path="/usr/bin/lpstat.cups" dev=md1 ino=4405587
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:239): avc:  denied  { execute } for  pid=26314
comm="sh" name="ifconfig" dev=md1 ino=7365762
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:240): avc:  denied  { getattr } for  pid=26314
comm="sh" path="/sbin/ifconfig" dev=md1 ino=7365762
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:241): avc:  denied  { getattr } for  pid=26314
comm="sh" path="/sbin/ifconfig" dev=md1 ino=7365762
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

Expected results:
No AVC messages.

Additional info:
Comes from the dnssd backend.
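
The denials above reduce to two type-enforcement rules. The following added example (not part of the original report or of the attached patch, whose contents are not shown on this page) derives them by rejoining the wrapped audit lines and grouping by source type, target type and class, much as audit2allow does. The function names are this example's own.

```python
import re
from collections import defaultdict

# Four of the report's denials, wrapped as they appear in it (237/238 are duplicates).
SAMPLE = """\
type=AVC msg=audit(1199814046.192:237): avc:  denied  { getattr } for  pid=26313
comm="sh" path="/usr/bin/lpstat.cups" dev=md1 ino=4405587
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.192:238): avc:  denied  { getattr } for  pid=26313
comm="sh" path="/usr/bin/lpstat.cups" dev=md1 ino=4405587
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:239): avc:  denied  { execute } for  pid=26314
comm="sh" name="ifconfig" dev=md1 ino=7365762
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:240): avc:  denied  { getattr } for  pid=26314
comm="sh" path="/sbin/ifconfig" dev=md1 ino=7365762
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+).*?tcontext=(\S+)\s+tclass=(\S+)")

def records(text):
    """Rejoin wrapped audit lines; each record starts at 'type='."""
    return [" ".join(r.split()) for r in re.split(r"\n(?=type=)", text.strip())]

def summarize(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for rec in records(text):
        m = AVC.search(rec)
        if m:
            perms, scon, tcon, tclass = m.groups()
            # A context is user:role:type[:range]; the type is the third field.
            rules[(scon.split(":")[2], tcon.split(":")[2], tclass)].update(perms.split())
    return dict(rules)

def as_allow_rules(rules):
    out = []  # one policy-style 'allow' line per (source, target, class)
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        out.append(f"allow {src} {tgt}:{cls} " + (p[0] if len(p) == 1 else "{ " + " ".join(p) + " }") + ";")
    return out

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(SAMPLE))))
```

The `execute` permission on `ifconfig_exec_t` in the output is the grant that Comment 1 below is hesitant about.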

Comment 1 Tim Waugh 2008-01-09 13:25:04 UTC
Created attachment 291140
policy-dnssd.patch

This selinux-policy patch fixes it.  Dan, I'm a little hesitant about this
patch because it allows cupsd_t to execute /sbin/ifconfig.  I only want CUPS
backends to be able to determine the IP addresses of the local interfaces, and
do not want to permit any changes.

Currently there is a backend (dnssd) which is a perl script that contains:

my @localips = ();
if (open IFCONFIG, "LC_ALL=C /sbin/ifconfig |") {
    while (my $line = <IFCONFIG>) {
        chomp $line;
        if ($line =~ /^\s*inet\s+addr:\s*(\S+)/i) {
            push (@localips, $1);
        }
    }
    close IFCONFIG;
}

Is there a way to let this script find out the local IP addresses without being
able to make any changes to the interfaces?

Comment 2 Tim Waugh 2008-01-09 13:26:02 UTC
Oops, forgot to change component first.  Dan, please see above comment.

Comment 3 Daniel Walsh 2008-01-10 21:13:01 UTC
This would not allow it to change the interface.

Is this needed for RHEL5?



Comment 4 Daniel Walsh 2008-01-10 21:22:40 UTC
Fixed in selinux-policy-3.0.8-75

Comment 5 Tim Waugh 2008-01-11 12:19:56 UTC
No, it is not needed for RHEL-5, at least not presently.  The 'dnssd' backend is
not shipped there.

Thanks.

Comment 6 Daniel Walsh 2008-03-05 22:17:17 UTC
Bugs have been in modified for over one month.  Closing as fixed in current
release; please reopen if the problem still persists.

