Bug 432375 - File contexts for /usr/lib/cups/driver/*
File contexts for /usr/lib/cups/driver/*
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 437266
  Show dependency treegraph
 
Reported: 2008-02-11 12:40 EST by Tim Waugh
Modified: 2008-03-13 06:09 EDT (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-26 10:19:40 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tim Waugh 2008-02-11 12:40:42 EST
Description of problem:
/usr/lib/cups/driver and /usr/lib/cups/drivers/* need to have context
system_u:object_r:bin_t.

[root@cyberelk ~]# matchpathcon /usr/lib/cups/driver/drv
/usr/lib/cups/driver/drv        system_u:object_r:lib_t:s0
[root@cyberelk ~]# matchpathcon /usr/lib/cups/driver
/usr/lib/cups/driver    system_u:object_r:lib_t:s0

This works correctly for the filter and backend directories:

[root@cyberelk ~]# matchpathcon /usr/lib/cups/backend
/usr/lib/cups/backend   system_u:object_r:bin_t:s0
[root@cyberelk ~]# matchpathcon /usr/lib/cups/filter
/usr/lib/cups/filter    system_u:object_r:bin_t:s0

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-81.fc8

How reproducible:
100%

Steps to Reproduce:
1.Install cupsddk-drivers.
2.Run 'lpinfo -m'.
  
Actual results:
avc: denied { execute_no_trans } for comm=sh dev=md1 egid=7 euid=4 exe=/bin/bash
exit=-13 fsgid=7 fsuid=4 gid=7 items=0 path=/usr/lib/cups/driver/drv pid=27671
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=4 

Expected results:
No AVC message.
Comment 1 Daniel Walsh 2008-02-11 14:28:56 EST
Is there anything in this directory that is not bin_t?

Fixed in selinux-policy-3.0.8-84.fc8
Comment 2 Tim Waugh 2008-02-12 04:53:38 EST
No.  Some entries may be symbolic links to files in /usr/bin -- which already
have appropriate file contexts.
Comment 3 Daniel Walsh 2008-02-12 10:14:44 EST
Which would also be fine.  

But there is no files/sym_links going into this directory that you would not
want to allow execution?
Comment 4 Tim Waugh 2008-02-12 10:53:43 EST
No, none.

I have tested selinux-policy-3.0.8-84.fc8 and it is not fixed.  I have found
that this is because I gave you the wrong path name in comment #0 (sorry!).

The correct path is: /usr/lib/cups/driver
("driver" not "drivers")

-/usr/lib(64)?/cups/drivers(/.*)?     gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/driver(/.*)?      gen_context(system_u:object_r:bin_t,s0)
Comment 5 Daniel Walsh 2008-02-12 13:07:11 EST
Ok I am changing it to
/usr/lib(64)?/cups(/.*)?      gen_context(system_u:object_r:bin_t,s0)

Fixed in selinux-policy-3.0.8-85.fc8
Comment 6 Tim Waugh 2008-02-12 13:32:43 EST
Oh, weren't we talking about the /usr/lib/cups/driver/ directory?  Anyway, your
more general change is correct and fixes some other problems I hadn't noticed
until just now (e.g. /usr/lib/cups/notifier/* binaries had the same problem as I
originally reported), but there are two exceptions:

/usr/lib/cups/backend/hp-* is hplip_exec_t
/usr/lib/cups/backend/cups-lpd is cupsd_lpd_exec_t

I think these are mentioned already in cups.fc so I think it should work
correctly(?).
Comment 7 Daniel Walsh 2008-02-12 13:43:06 EST
Good catch, the fix should actually be in 85.
Comment 8 Tim Waugh 2008-02-25 10:41:39 EST
Fix confirmed with 3.0.8-87.fc8.

Note You need to log in before you can comment on or make changes to this bug.