Bug 444306 - AVC prevents cups-pdf from working
AVC prevents cups-pdf from working
Status: CLOSED DUPLICATE of bug 448652
Product: Fedora
Classification: Fedora
Component: cups-pdf (Show other bugs)
9
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: Remi Collet
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-26 18:01 EDT by John Poelstra
Modified: 2008-06-08 13:44 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-08 13:44:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Poelstra 2008-04-26 18:01:18 EDT
Description of problem:


Version-Release number of selected component (if applicable):
# rpm -qa | egrep 'cups|selinux' | sort
bluez-utils-cups-3.30-2.fc9.x86_64
cups-1.3.7-1.fc9.x86_64
cups-libs-1.3.7-1.fc9.i386
cups-libs-1.3.7-1.fc9.x86_64
cups-pdf-2.4.7-1.fc9.x86_64
hal-cups-utils-0.6.16-3.fc9.x86_64
libgnomecups-0.2.3-3.fc9.x86_64
libselinux-2.0.61-1.fc9.i386
libselinux-2.0.61-1.fc9.x86_64
libselinux-python-2.0.61-1.fc9.x86_64
selinux-policy-3.3.1-35.fc9.noarch
selinux-policy-targeted-3.3.1-35.fc9.noarch

How reproducible:
100%

Steps to Reproduce:
1. easiest way to reproduce error is to run test page in cups setup gui
2.
3.
 
Additional info:


Summary:

SELinux is preventing cups-pdf (cups_pdf_t) "write" to ./cups (cupsd_log_t).

Detailed Description:

SELinux denied access requested by cups-pdf. It is not expected that this access
is required by cups-pdf and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./cups,

restorecon -v './cups'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                system_u:object_r:cupsd_log_t:s0
Target Objects                ./cups [ dir ]
Source                        cups-pdf
Source Path                   /usr/lib/cups/backend/cups-pdf
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           cups-pdf-2.4.7-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr
                              17 01:11:31 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 26 Apr 2008 02:34:32 PM PDT
Last Seen                     Sat 26 Apr 2008 02:34:32 PM PDT
Local ID                      b6843245-6f6e-464f-88f7-c40969330d2e
Line Numbers                  

Raw Audit Messages            

host=yardsale type=AVC msg=audit(1209245672.63:44): avc:  denied  { write } for
 pid=8224 comm="cups-pdf" name="cups" dev=dm-0 ino=28442
scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cupsd_log_t:s0 tclass=dir

host=yardsale type=SYSCALL msg=audit(1209245672.63:44): arch=c000003e syscall=2
success=no exit=-13 a0=7fffff84d1d0 a1=441 a2=1b6 a3=7ff0f78376f0 items=0
ppid=2523 pid=8224 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7
sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="cups-pdf"
exe="/usr/lib/cups/backend/cups-pdf"
subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Summary:

SELinux is preventing the cups-pdf from using potentially mislabeled files
(./user-dirs.dirs).

Detailed Description:

SELinux has denied cups-pdf access to potentially mislabeled file(s)
(./user-dirs.dirs). This means that SELinux will not allow cups-pdf to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want cups-pdf to access this files, you need to relabel them using
restorecon -v './user-dirs.dirs'. You might want to relabel the entire directory
using restorecon -R -v '.'.

Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                ./user-dirs.dirs [ file ]
Source                        cups-pdf
Source Path                   /usr/lib/cups/backend/cups-pdf
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           cups-pdf-2.4.7-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-35.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-1.fc9.x86_64 #1 SMP Thu Apr
                              17 01:11:31 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 26 Apr 2008 02:34:32 PM PDT
Last Seen                     Sat 26 Apr 2008 02:34:32 PM PDT
Local ID                      5f8a986d-6fd2-4500-9ca7-a5dbe455af7c
Line Numbers                  

Raw Audit Messages            

host=yardsale type=AVC msg=audit(1209245672.63:45): avc:  denied  { read } for 
pid=8224 comm="cups-pdf" name="user-dirs.dirs" dev=dm-0 ino=148413
scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

host=yardsale type=SYSCALL msg=audit(1209245672.63:45): arch=c000003e syscall=2
success=no exit=-13 a0=7fffff84a1d0 a1=0 a2=1b6 a3=7ff0f78376f0 items=0
ppid=2523 pid=8224 auid=4294967295 uid=0 gid=7 euid=0 suid=0 fsuid=0 egid=7
sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="cups-pdf"
exe="/usr/lib/cups/backend/cups-pdf"
subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2008-04-28 09:01:10 EDT
The first avc is fixed in -42 policy package.  The second one is cups_pdf_t
trying to read a file in the /root directory.

I have no idea what that file is and why it would need access.  It is probably
just looking for it in the the homedir.

What is the command to run the cups setup gui?

Comment 2 Daniel Walsh 2008-04-28 09:06:32 EDT
I will dontaudit in  selinux-policy-3.3.1-43.fc9.noarch
Comment 3 John Poelstra 2008-04-28 09:11:19 EDT
system-config-printer
Comment 4 Daniel Walsh 2008-04-28 15:00:20 EDT
I am not sure if this is a cups-pdf bug or a system-config-printer.

Even if we allow for SELinux to make this happen, system-config-printer ends up
printing a file (or at least trying to print) in the /root directory.  The user
would not have access to this file.  system-config-printer should print to the
users homedir, if consolehelper/userhelper has maintained this information.
Comment 5 Tim Waugh 2008-05-02 11:06:10 EDT
Yes, indeed, system-config-printer ought to submit test pages as the invoking
user, not root.  This is fixed upstream in 0.9.90 using an authentication
wrapper around the CUPS API so that it is a lot easier to run
system-config-printer as a non-root user.  I can look at back-porting that to
Fedora 9.
Comment 6 Tim Waugh 2008-05-02 11:07:53 EDT
...of course, the fact remains that root will not be able to successfully submit
print jobs to a cups-pdf queue -- is that something we want to fix?
Comment 7 Tim Waugh 2008-05-02 12:09:06 EDT
Please try with system-config-printer-0.7.82.2-3.fc9.
Comment 8 John Poelstra 2008-05-06 19:31:32 EDT
I installed 0.7.82.2-4.fc9 and still get AVC trying to print test page.
Comment 9 Tim Waugh 2008-05-07 04:11:58 EDT
Please detail the steps you are using to print the test page, starting from the
GDM login screen.
Comment 10 John Poelstra 2008-05-07 19:33:59 EDT
0) login from GDM
1) run gnome-terminal
2) from terminal window as regular user
$ system-config-printer

3) enter root password
4) select Cups-Pdf
5) Click print test page

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$ rpm -qa | egrep 'selinux|system-config-printer|cups' | sort
bluez-utils-cups-3.30-2.fc9.x86_64
cups-1.3.7-1.fc9.x86_64
cups-libs-1.3.7-1.fc9.i386
cups-libs-1.3.7-1.fc9.x86_64
cups-pdf-2.4.7-1.fc9.x86_64
hal-cups-utils-0.6.16-3.fc9.x86_64
libgnomecups-0.2.3-3.fc9.x86_64
libselinux-2.0.61-1.fc9.i386
libselinux-2.0.61-1.fc9.x86_64
libselinux-python-2.0.61-1.fc9.x86_64
selinux-policy-3.3.1-42.fc9.noarch
selinux-policy-targeted-3.3.1-42.fc9.noarch
system-config-printer-0.7.82.2-4.fc9.x86_64
system-config-printer-libs-0.7.82.2-4.fc9.x86_64

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I didn't realize that the AVCs had changed.  Here they are:


Summary:

SELinux is preventing gs (cups_pdf_t) "getattr" to
/usr/share/fonts/default/Type1/n019004l.pfb (fonts_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by gs. It is not expected that this access is
required by gs and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for /usr/share/fonts/default/Type1/n019004l.pfb,

restorecon -v '/usr/share/fonts/default/Type1/n019004l.pfb'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fonts_t:s0
Target Objects                /usr/share/fonts/default/Type1/n019004l.pfb [ file
                              ]
Source                        gs
Source Path                   /usr/bin/gs
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           ghostscript-8.62-3.fc9
Target RPM Packages           urw-fonts-2.4-5.fc9
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-14.fc9.x86_64 #1 SMP Thu May
                              1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Tue 06 May 2008 04:28:07 PM PDT
Last Seen                     Wed 07 May 2008 04:26:10 PM PDT
Local ID                      30e1e36e-0f7c-48cd-82e6-912cef7cdb25
Line Numbers                  

Raw Audit Messages            

host=yardsale type=AVC msg=audit(1210202770.958:40): avc:  denied  { getattr }
for  pid=4070 comm="gs" path="/usr/share/fonts/default/Type1/n019004l.pfb"
dev=dm-0 ino=18130 scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fonts_t:s0 tclass=file

host=yardsale type=SYSCALL msg=audit(1210202770.958:40): arch=c000003e syscall=5
success=yes exit=0 a0=12 a1=7fff20402df0 a2=7fff20402df0 a3=7fc5183e27b0 items=0
ppid=4069 pid=4070 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="gs"
exe="/usr/bin/gs" subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)


~~~~~~~~~~~~~~~~~~~~~


Summary:

SELinux is preventing gs (cups_pdf_t) "read" to ./n019004l.pfb (fonts_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by gs. It is not expected that this access is
required by gs and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./n019004l.pfb,

restorecon -v './n019004l.pfb'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fonts_t:s0
Target Objects                ./n019004l.pfb [ file ]
Source                        gs
Source Path                   /usr/bin/gs
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           ghostscript-8.62-3.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-42.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25-14.fc9.x86_64 #1 SMP Thu May
                              1 06:06:21 EDT 2008 x86_64 x86_64
Alert Count                   3
First Seen                    Tue 06 May 2008 04:28:07 PM PDT
Last Seen                     Wed 07 May 2008 04:26:10 PM PDT
Local ID                      ebbbc0b4-9dd1-4ef6-a420-dc558b9bedfc
Line Numbers                  

Raw Audit Messages            

host=yardsale type=AVC msg=audit(1210202770.958:39): avc:  denied  { read } for
 pid=4070 comm="gs" name="n019004l.pfb" dev=dm-0 ino=18130
scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
tcontext=system_u:object_r:fonts_t:s0 tclass=file

host=yardsale type=SYSCALL msg=audit(1210202770.958:39): arch=c000003e syscall=2
success=yes exit=18 a0=215e500 a1=0 a2=1b6 a3=7fc5183e27b0 items=0 ppid=4069
pid=4070 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="gs" exe="/usr/bin/gs"
subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)


Comment 11 Tim Waugh 2008-05-08 03:50:24 EDT
Changing component back to cups-pdf and reassigning.
Comment 12 Bill Nottingham 2008-05-09 13:13:09 EDT
Removing from F9 blocker, as we aren't holding the release for this.
Comment 13 Bug Zapper 2008-05-14 06:13:46 EDT
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 14 Remi Collet 2008-05-31 01:49:55 EDT
About fonts AVC. I can't reproduce. What document are you trying to print ?

No problem in "Enforcing" mode printing cups test page from s-c-p (i don't enter
the root password to be sure to run it as regular user).

Can you try with latest selinux-policy version (-55)
Comment 15 John Poelstra 2008-06-04 23:05:52 EDT
printing any document from firefox gives me this AVC


Summary:

SELinux is preventing sh (cups_pdf_t) "search" to ./nscd (nscd_var_run_t).

Detailed Description:

SELinux denied access requested by sh. It is not expected that this access is
required by sh and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./nscd,

restorecon -v './nscd'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nscd_var_run_t:s0
Target Objects                ./nscd [ dir ]
Source                        cups-pdf
Source Path                   /usr/lib/cups/backend/cups-pdf
Port                          <Unknown>
Host                          yardsale
Source RPM Packages           bash-3.2-22.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-55.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     yardsale
Platform                      Linux yardsale 2.6.25.3-18.fc9.i686 #1 SMP Tue May
                              13 05:38:53 EDT 2008 i686 i686
Alert Count                   6
First Seen                    Wed 04 Jun 2008 07:54:14 PM PDT
Last Seen                     Wed 04 Jun 2008 07:54:15 PM PDT
Local ID                      5863be92-7343-4e89-bd49-2533610c7d7c
Line Numbers                  

Raw Audit Messages            

host=yardsale type=AVC msg=audit(1212634455.189:47): avc:  denied  { search }
for  pid=3864 comm="sh" name="nscd" dev=sda5 ino=427593
scontext=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023
tcontext=system_u:object_r:nscd_var_run_t:s0 tclass=dir

host=yardsale type=SYSCALL msg=audit(1212634455.189:47): arch=40000003
syscall=102 success=no exit=-13 a0=3 a1=bf841660 a2=7c8ff4 a3=0 items=0
ppid=3863 pid=3864 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
subj=system_u:system_r:cups_pdf_t:s0-s0:c0.c1023 key=(null)


Comment 16 Remi Collet 2008-06-08 13:44:53 EDT

*** This bug has been marked as a duplicate of 448652 ***

Note You need to log in before you can comment on or make changes to this bug.