Bug 432375 - File contexts for /usr/lib/cups/driver/*
Summary: File contexts for /usr/lib/cups/driver/*
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 437266
 
Reported: 2008-02-11 17:40 UTC by Tim Waugh
Modified: 2008-03-13 10:09 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-02-26 15:19:40 UTC
Type: ---
Embargoed:



Description Tim Waugh 2008-02-11 17:40:42 UTC
Description of problem:
/usr/lib/cups/driver and /usr/lib/cups/drivers/* need to have context
system_u:object_r:bin_t.

[root@cyberelk ~]# matchpathcon /usr/lib/cups/driver/drv
/usr/lib/cups/driver/drv        system_u:object_r:lib_t:s0
[root@cyberelk ~]# matchpathcon /usr/lib/cups/driver
/usr/lib/cups/driver    system_u:object_r:lib_t:s0

This works correctly for the filter and backend directories:

[root@cyberelk ~]# matchpathcon /usr/lib/cups/backend
/usr/lib/cups/backend   system_u:object_r:bin_t:s0
[root@cyberelk ~]# matchpathcon /usr/lib/cups/filter
/usr/lib/cups/filter    system_u:object_r:bin_t:s0

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-81.fc8

How reproducible:
100%

Steps to Reproduce:
1. Install cupsddk-drivers.
2. Run 'lpinfo -m'.

Actual results:
avc: denied { execute_no_trans } for comm=sh dev=md1 egid=7 euid=4 exe=/bin/bash
exit=-13 fsgid=7 fsuid=4 gid=7 items=0 path=/usr/lib/cups/driver/drv pid=27671
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=4 

Expected results:
No AVC message.

Comment 1 Daniel Walsh 2008-02-11 19:28:56 UTC
Is there anything in this directory that is not bin_t?

Fixed in selinux-policy-3.0.8-84.fc8

Comment 2 Tim Waugh 2008-02-12 09:53:38 UTC
No.  Some entries may be symbolic links to files in /usr/bin -- which already
have appropriate file contexts.

Comment 3 Daniel Walsh 2008-02-12 15:14:44 UTC
Which would also be fine.

But there are no files/symlinks going into this directory that you would not
want to allow execution of?

Comment 4 Tim Waugh 2008-02-12 15:53:43 UTC
No, none.

I have tested selinux-policy-3.0.8-84.fc8 and it is not fixed.  I have found
that this is because I gave you the wrong path name in comment #0 (sorry!).

The correct path is: /usr/lib/cups/driver
("driver" not "drivers")

-/usr/lib(64)?/cups/drivers(/.*)?     gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/driver(/.*)?      gen_context(system_u:object_r:bin_t,s0)
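Review bot: the stem in the removed line, `drivers`, is the wrong directory name (comment 4 above says "driver" not "drivers"), so the 3.0.8-84 spec never matched the reported path and /usr/lib/cups/driver kept the lib_t label shown by matchpathcon in the description; the added line corrects the stem, and its `(/.*)?` suffix labels both the directory entry and everything below it bin_t, so re-running the two matchpathcon commands from the description is the check that the new spec took effect.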


Comment 5 Daniel Walsh 2008-02-12 18:07:11 UTC
OK, I am changing it to
/usr/lib(64)?/cups(/.*)?      gen_context(system_u:object_r:bin_t,s0)

Fixed in selinux-policy-3.0.8-85.fc8

Comment 6 Tim Waugh 2008-02-12 18:32:43 UTC
Oh, weren't we talking about the /usr/lib/cups/driver/ directory?  Anyway, your
more general change is correct and fixes some other problems I hadn't noticed
until just now (e.g. /usr/lib/cups/notifier/* binaries had the same problem as I
originally reported), but there are two exceptions:

/usr/lib/cups/backend/hp-* is hplip_exec_t
/usr/lib/cups/backend/cups-lpd is cupsd_lpd_exec_t

I think these are mentioned already in cups.fc so I think it should work
correctly(?).
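The denial from the description and the file_contexts lines from comments 4 and 5, worked through as an added example (not code from this bug or from selinux-policy): it parses the AVC record, flags the mislabelled-executable signature the report describes, and shows which paths each spec covers. It assumes that file_contexts regexes are matched against the whole path, which re.fullmatch reproduces, and the sample log line is constructed from the report.

```python
import re

# Constructed sample: the AVC denial from the bug description, re-joined onto one line.
AVC_LINE = (
    "avc: denied { execute_no_trans } for comm=sh dev=md1 egid=7 euid=4 exe=/bin/bash "
    "exit=-13 fsgid=7 fsuid=4 gid=7 items=0 path=/usr/lib/cups/driver/drv pid=27671 "
    "scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 "
    "subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file "
    "tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=4"
)

# file_contexts specs as (regex, type): the mistyped line from comment 4 and
# the general replacement from comment 5.
SPECS_DRIVERS = [(r"/usr/lib(64)?/cups/drivers(/.*)?", "bin_t")]
SPECS_GENERAL = [(r"/usr/lib(64)?/cups(/.*)?", "bin_t")]


def parse_avc(line):
    """Turn one 'avc: denied' record into a dict; None if it is not a denial."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}", line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    rec.update(re.findall(r"(\w+)=(\S+)", line))
    # The third field of an SELinux context is the type (user:role:type[:range]).
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def matching_types(path, specs):
    """Types of all specs that match PATH. file_contexts regexes are anchored to
    the whole path (assumption stated in the lead-in), hence re.fullmatch."""
    return [t for rx, t in specs if re.fullmatch(rx, path)]


def is_mislabelled_helper(rec):
    """The bug's signature: cupsd_t denied execute_no_trans on a file that the
    policy labels lib_t instead of an executable type such as bin_t."""
    return (rec is not None
            and "execute_no_trans" in rec["perms"]
            and rec.get("scontext_type") == "cupsd_t"
            and rec.get("tclass") == "file"
            and rec.get("tcontext_type") == "lib_t")
```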

Comment 7 Daniel Walsh 2008-02-12 18:43:06 UTC
Good catch, the fix should actually be in 85.

Comment 8 Tim Waugh 2008-02-25 15:41:39 UTC
Fix confirmed with 3.0.8-87.fc8.

