Bug 428011 - new AVC messages with test update
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Blocks: F8Target

Reported: 2008-01-08 12:43 EST by Tim Waugh
Modified: 2008-03-05 17:17 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-03-05 17:17:17 EST
Attachments:
policy-dnssd.patch (789 bytes, patch), 2008-01-09 08:25 EST, Tim Waugh

Description Tim Waugh 2008-01-08 12:43:46 EST
Description of problem:
New AVC messages when adding a new printer using cups-1.3.5-1.fc8.

Version-Release number of selected component (if applicable):
cups-1.3.5-1.fc8

How reproducible:
100%

Steps to Reproduce:
1. lpinfo -v
  
Actual results:
type=AVC msg=audit(1199814046.192:237): avc:  denied  { getattr } for  pid=26313
comm="sh" path="/usr/bin/lpstat.cups" dev=md1 ino=4405587
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.192:238): avc:  denied  { getattr } for  pid=26313
comm="sh" path="/usr/bin/lpstat.cups" dev=md1 ino=4405587
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:239): avc:  denied  { execute } for  pid=26314
comm="sh" name="ifconfig" dev=md1 ino=7365762
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:240): avc:  denied  { getattr } for  pid=26314
comm="sh" path="/sbin/ifconfig" dev=md1 ino=7365762
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:241): avc:  denied  { getattr } for  pid=26314
comm="sh" path="/sbin/ifconfig" dev=md1 ino=7365762
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

Expected results:
No AVC messages.

Additional info:
Comes from the dnssd backend.
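
Added example (not part of the original report, and not the attached policy-dnssd.patch, whose contents are not shown on this page): a small Python parser that groups the AVC denials above by source type, target type and class, and prints the raw allow rules they imply, much as audit2allow would. The function names are illustrative.

```python
import re
from collections import defaultdict

# The five denials from the report above, with the wrapped lines rejoined.
SAMPLE = """\
type=AVC msg=audit(1199814046.192:237): avc:  denied  { getattr } for  pid=26313 comm="sh" path="/usr/bin/lpstat.cups" dev=md1 ino=4405587 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.192:238): avc:  denied  { getattr } for  pid=26313 comm="sh" path="/usr/bin/lpstat.cups" dev=md1 ino=4405587 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lpr_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:239): avc:  denied  { execute } for  pid=26314 comm="sh" name="ifconfig" dev=md1 ino=7365762 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:240): avc:  denied  { getattr } for  pid=26314 comm="sh" path="/sbin/ifconfig" dev=md1 ino=7365762 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1199814046.195:241): avc:  denied  { getattr } for  pid=26314 comm="sh" path="/sbin/ifconfig" dev=md1 ino=7365762 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the level may itself contain ':'.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            rules[key].update(rec["perms"])
    return {k: sorted(v) for k, v in rules.items()}

def to_rules(summary):
    """Render the grouped denials as raw type-enforcement allow rules."""
    out = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out

if __name__ == "__main__":
    print("\n".join(to_rules(summarize(SAMPLE))))
```

The duplicate records (237/238 and 240/241) collapse into one rule each, which makes it easier to see exactly which access a policy change would have to grant.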
Comment 1 Tim Waugh 2008-01-09 08:25:04 EST
Created attachment 291140
policy-dnssd.patch

This selinux-policy patch fixes it.  Dan, I'm a little hesitant about this
patch because it allows cupsd_t to execute /sbin/ifconfig.  I only want CUPS
backends to be able to determine the IP addresses of the local interfaces, and
do not want to permit any changes.

Currently there is a backend (dnssd) which is a perl script that contains:

my @localips = ();
if (open IFCONFIG, "LC_ALL=C /sbin/ifconfig |") {
    while (my $line = <IFCONFIG>) {
        chomp $line;
        if ($line =~ /^\s*inet\s+addr:\s*(\S+)/i) {
            push (@localips, $1);
        }
    }
    close IFCONFIG;
}

Is there a way to let this script find out the local IP addresses without being
able to make any changes to the interfaces?
Comment 2 Tim Waugh 2008-01-09 08:26:02 EST
Oops, forgot to change component first.  Dan, please see above comment.
Comment 3 Daniel Walsh 2008-01-10 16:13:01 EST
This would not allow it to change the interface.

Is this needed for RHEL5?

Comment 4 Daniel Walsh 2008-01-10 16:22:40 EST
Fixed in selinux-policy-3.0.8-75
Comment 5 Tim Waugh 2008-01-11 07:19:56 EST
No, it is not needed for RHEL-5, at least not presently.  The 'dnssd' backend is
not shipped there.

Thanks.
Comment 6 Daniel Walsh 2008-03-05 17:17:17 EST
Bugs have been in modified for over one month.  Closing as fixed in current
release; please reopen if the problem still persists.
