Description of problem:
/usr/lib/cups/driver and /usr/lib/cups/drivers/* need to have context system_u:object_r:bin_t.

[root@cyberelk ~]# matchpathcon /usr/lib/cups/driver/drv
/usr/lib/cups/driver/drv	system_u:object_r:lib_t:s0
[root@cyberelk ~]# matchpathcon /usr/lib/cups/driver
/usr/lib/cups/driver	system_u:object_r:lib_t:s0

This works correctly for the filter and backend directories:

[root@cyberelk ~]# matchpathcon /usr/lib/cups/backend
/usr/lib/cups/backend	system_u:object_r:bin_t:s0
[root@cyberelk ~]# matchpathcon /usr/lib/cups/filter
/usr/lib/cups/filter	system_u:object_r:bin_t:s0

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-81.fc8

How reproducible:
100%

Steps to Reproduce:
1. Install cupsddk-drivers.
2. Run 'lpinfo -m'.

Actual results:
avc: denied { execute_no_trans } for comm=sh dev=md1 egid=7 euid=4 exe=/bin/bash exit=-13 fsgid=7 fsuid=4 gid=7 items=0 path=/usr/lib/cups/driver/drv pid=27671 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid=7 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=4 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=4

Expected results:
No AVC message.
Is there anything in this directory that is not bin_t?

Fixed in selinux-policy-3.0.8-84.fc8
No. Some entries may be symbolic links to files in /usr/bin -- which already have appropriate file contexts.
Which would also be fine. But there are no files/symlinks going into this directory that you would not want to allow execution?
No, none.

I have tested selinux-policy-3.0.8-84.fc8 and it is not fixed. I have found that this is because I gave you the wrong path name in comment #0 (sorry!). The correct path is: /usr/lib/cups/driver ("driver" not "drivers")

-/usr/lib(64)?/cups/drivers(/.*)?	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cups/driver(/.*)?	gen_context(system_u:object_r:bin_t,s0)
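Review bot: the + line only corrects the "drivers" typo, so the pattern now covers /usr/lib/cups/driver/drv from the AVC message but still nothing else under /usr/lib/cups that cupsd executes; whichever pattern is adopted, re-run matchpathcon on the backend directory afterwards, since the last matching file_contexts entry wins and the more specific hplip and cups-lpd backend entries must still take precedence over a bin_t catch-all.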
Ok I am changing it to

/usr/lib(64)?/cups(/.*)?	gen_context(system_u:object_r:bin_t,s0)

Fixed in selinux-policy-3.0.8-85.fc8
Oh, weren't we talking about the /usr/lib/cups/driver/ directory? Anyway, your more general change is correct and fixes some other problems I hadn't noticed until just now (e.g. /usr/lib/cups/notifier/* binaries had the same problem as I originally reported), but there are two exceptions:

/usr/lib/cups/backend/hp-* is hplip_exec_t
/usr/lib/cups/backend/cups-lpd is cupsd_lpd_exec_t

I think these are mentioned already in cups.fc so I think it should work correctly(?).
Good catch, the fix should actually be in 85.
Fix confirmed with 3.0.8-87.fc8.
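The labelling question raised in comments 5 to 7 (why the "drivers" pattern never matched, and whether a broader /usr/lib(64)?/cups(/.*)? rule would clobber the hplip and cups-lpd backend labels) can be checked offline with a small model of file_contexts matching. This is an added example, not code from the bug or the selinux-policy package; the lib_t fallback and the hplip / cups-lpd patterns are assumptions standing in for the real policy lines, and the fc_sort ordering is approximated.

```python
import re

# Constructed, simplified file_contexts entries (not the real cups.fc). The two
# "driver(s)" lines are the ones quoted in the thread; the lib_t fallback and the
# hplip / cups-lpd entries are assumptions standing in for the real policy lines.
BASE_FC = [
    (r"/usr/lib(64)?(/.*)?",                 "system_u:object_r:lib_t:s0"),
    (r"/usr/lib(64)?/cups/backend(/.*)?",    "system_u:object_r:bin_t:s0"),
    (r"/usr/lib(64)?/cups/filter(/.*)?",     "system_u:object_r:bin_t:s0"),
    (r"/usr/lib(64)?/cups/backend/hp.*",     "system_u:object_r:hplip_exec_t:s0"),
    (r"/usr/lib(64)?/cups/backend/cups-lpd", "system_u:object_r:cupsd_lpd_exec_t:s0"),
]
# Before the fix: "drivers" can never match /usr/lib/cups/driver/...
OLD_FC = BASE_FC + [(r"/usr/lib(64)?/cups/drivers(/.*)?", "system_u:object_r:bin_t:s0")]
# After the fix from comment 6: the whole cups tree defaults to bin_t.
NEW_FC = BASE_FC + [(r"/usr/lib(64)?/cups(/.*)?", "system_u:object_r:bin_t:s0")]

_META = re.compile(r"[.^$?*+|\[\](){}\\]")

def sort_key(entry):
    """Approximate fc_sort ordering: longer literal stem, then literal paths
    after regexes, then more literal characters sort later. Lookup takes the
    LAST match, so the most specific entry wins whatever the file order."""
    pattern = entry[0]
    literal_prefix = _META.split(pattern, 1)[0]
    stem_len = literal_prefix.rfind("/")
    return (stem_len, not _META.search(pattern), len(_META.sub("", pattern)))

def matchpathcon(path, fc):
    """Context assigned to path by the file_contexts list fc (simplified:
    anchored whole-path regex, no file-type column, last matching entry wins)."""
    context = None
    for pattern, ctx in sorted(fc, key=sort_key):
        if re.fullmatch(pattern, path):
            context = ctx
    return context

def selinux_type(path, fc):
    """Just the type field, e.g. 'bin_t', as reported by matchpathcon(1)."""
    return matchpathcon(path, fc).split(":")[2]

if __name__ == "__main__":
    for path in ("/usr/lib/cups/driver/drv", "/usr/lib64/cups/notifier/mailto",
                 "/usr/lib/cups/backend/hp", "/usr/lib/cups/backend/cups-lpd"):
        print(f"{path:32} old={selinux_type(path, OLD_FC):18} "
              f"new={selinux_type(path, NEW_FC)}")
```

Running it shows the driver and notifier paths moving from lib_t to bin_t under the new rule while the hp and cups-lpd backends keep their more specific types.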