Bug 468390 - Cups is unable to manage spool file contexts in LSPP mode
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-10-24 14:34 UTC by Matt Anderson
Modified: 2008-10-29 17:52 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-10-29 17:52:20 UTC
Type: ---


Description Matt Anderson 2008-10-24 14:34:19 UTC
Description of problem:
When CUPS is set to LSPP mode it needs to be able to relabelfrom/relabelto files in /var/spool/cups so that the spool file is stored at the correct level.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-91.fc9.noarch

How reproducible:
Whenever cups is set to LSPP mode.

Steps to Reproduce:
1. Edit /etc/cups/cupsd.conf to have CLASSIFICATION=selinux
2. `service cups restart`
3. lpr foo.ps
  
Actual results:
host=orb.usa.hp.com type=AVC msg=audit(1224709907.750:364): avc: denied { relabelfrom } for pid=30221 comm="cupsd" name="00000003" dev=sda3 ino=85935 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:print_spool_t:s0 tclass=file
host=orb.usa.hp.com type=AVC msg=audit(1224709907.750:364): avc: denied { relabelto } for pid=30221 comm="cupsd" name="00000003" dev=sda3 ino=85935 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:print_spool_t:s0 tclass=file

Expected results:
The cups server should be able to store the intermediate file at the correct level.

Additional info:

Comment 1 Daniel Walsh 2008-10-24 15:16:13 UTC
Strange, that is supposed to be there.

If you run this through audit2why does it tell you a constraint problem?

Comment 2 Matt Anderson 2008-10-24 15:24:18 UTC
audit2why had this to say:

Was caused by:
 Unknown - would be allowed by active policy
 Possible mismatch between this policy and the one under which the audit message was generated.
 Possible mismatch between current in-memory boolean settings vs. permanent ones.


I was pretty sure this was already in the policy, but when I create a loadable module for it and load that, the issue goes away.
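
Added example, not part of the original bug thread: a small Python parser that reads the two AVC records from the description, separates the type from the MLS range in each context, and renders the kind of loadable module source discussed in Comment 2. It is a simplified stand-in for what audit2allow produces, not that tool's code, and the module name cupsd_lspp_relabel is hypothetical.

```python
import re
from collections import defaultdict

# The two AVC records from the bug description (host= prefix omitted).
REC_TEMPLATE = ('type=AVC msg=audit(1224709907.750:364): avc: denied {{ {perm} }} '
                'for pid=30221 comm="cupsd" name="00000003" dev=sda3 ino=85935 '
                'scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 '
                'tcontext=unconfined_u:object_r:print_spool_t:s0 tclass=file')
AVC_LOG = "\n".join(REC_TEMPLATE.format(perm=p) for p in ("relabelfrom", "relabelto"))

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)"
                    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    user, role, setype, *mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype, "range": mls[0] if mls else None}

def parse_denials(log):
    """Yield one dict per 'avc: denied' record found in the log text."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield {"perms": m["perms"].split(), "source": split_context(m["scon"]),
                   "target": split_context(m["tcon"]), "tclass": m["tclass"]}

def allow_rules(denials):
    """Merge denials per (source type, target type, class) into allow rules."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"]["type"], d["target"]["type"], d["tclass"])].update(d["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

def module_source(name, denials):
    """Render a .te module: a require block followed by the merged allow rules."""
    denials = list(denials)
    types = sorted({d[k]["type"] for d in denials for k in ("source", "target")})
    classes = defaultdict(set)
    for d in denials:
        classes[d["tclass"]].update(d["perms"])
    req = [f"\ttype {t};" for t in types]
    req += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join([f"module {name} 1.0;", "", "require {", *req, "}", "",
                      *allow_rules(denials), ""])

if __name__ == "__main__":
    # Hypothetical module name, chosen for this example only.
    print(module_source("cupsd_lspp_relabel", parse_denials(AVC_LOG)))
```

The generated rule names types only (cupsd_t, print_spool_t), so the ranges s0-s0:c0.c1023 and s0 in the records play no part in it. An allow rule of this kind does not lift a denial that comes from an MLS constraint, which is what the audit2why question in Comment 1 checks for.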

Comment 3 Daniel Walsh 2008-10-24 18:48:46 UTC
You did not have your loadable module installed when you ran audit2allow, did you?

Comment 4 Matt Anderson 2008-10-24 19:02:59 UTC
I used audit2allow to create the module, but I unloaded it before I ran audit2why.

Is the relabelfrom relabelto policy only in the mls version?  I was doing this under targeted.

Comment 5 Daniel Walsh 2008-10-24 19:10:04 UTC
Yes, it is only under mls.  But maybe we need to allow it in targeted.

Comment 6 Matt Anderson 2008-10-24 19:38:16 UTC
It could be useful in targeted, if people were making use of compartments and wanted those to show up on their output.

Would it make sense to have a boolean for this and default to it being on for mls and off for targeted?

Comment 7 Daniel Walsh 2008-10-29 17:52:20 UTC
Fixed in selinux-policy-3.5.13-10.fc10
