Bug 468390 - Cups is unable to manage spool file contexts in LSPP mode
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy
rawhide
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Reported: 2008-10-24 10:34 EDT by Matt Anderson
Modified: 2008-10-29 13:52 EDT
Doc Type: Bug Fix
Last Closed: 2008-10-29 13:52:20 EDT
Description Matt Anderson 2008-10-24 10:34:19 EDT
Description of problem:
When CUPS is set to LSPP mode it needs to be able to relabelfrom/relabelto files in /var/spool/cups so that the spool file is stored at the correct level.

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-91.fc9.noarch

How reproducible:
Whenever cups is set to LSPP mode.

Steps to Reproduce:
1. Edit /etc/cups/cupsd.conf to have CLASSIFICATION=selinux
2. `service cups restart`
3. lpr foo.ps
  
Actual results:
host=orb.usa.hp.com type=AVC msg=audit(1224709907.750:364): avc: denied { relabelfrom } for pid=30221 comm="cupsd" name="00000003" dev=sda3 ino=85935 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:print_spool_t:s0 tclass=file
host=orb.usa.hp.com type=AVC msg=audit(1224709907.750:364): avc: denied { relabelto } for pid=30221 comm="cupsd" name="00000003" dev=sda3 ino=85935 scontext=unconfined_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:print_spool_t:s0 tclass=file

Expected results:
The cups server should be able to store the intermediate file at the correct level.

Additional info:
Comment 1 Daniel Walsh 2008-10-24 11:16:13 EDT
Strange, that is supposed to be there.

If you run this through audit2why does it tell you a constraint problem?
Comment 2 Matt Anderson 2008-10-24 11:24:18 EDT
audit2why had this to say:

Was caused by:
 Unknown - would be allowed by active policy
 Possible mismatch between this policy and the one under which the audit message was generated.
 Possible mismatch between current in-memory boolean settings vs. permanent ones.


I was pretty sure this was already in the policy, but when I create a loadable module for it and load that, the issue goes away.
Comment 3 Daniel Walsh 2008-10-24 14:48:46 EDT
You did not have your loadable module installed when you ran audit2allow, did you?
Comment 4 Matt Anderson 2008-10-24 15:02:59 EDT
I used audit2allow to create the module, but I unloaded it before I ran audit2why.

Is the relabelfrom relabelto policy only in the mls version?  I was doing this under targeted.
Comment 5 Daniel Walsh 2008-10-24 15:10:04 EDT
Yes, it is only under mls.  But maybe we need to allow it in targeted.
Comment 6 Matt Anderson 2008-10-24 15:38:16 EDT
It could be useful in targeted, if people were making use of compartments and wanted those to show up on their output.

Would it make sense to have a boolean for this and default to it being on for mls and off for targeted?
Comment 7 Daniel Walsh 2008-10-29 13:52:20 EDT
Fixed in selinux-policy-3.5.13-10.fc10
