Bug 470857 - SELinux policy prevents hplip_t type from reading cupsd_tmp_t files
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.2
Hardware: ia64 Linux
Priority: medium   Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: BaseOS QE
 
Reported: 2008-11-10 11:58 EST by keith.d.schincke
Modified: 2012-10-16 04:44 EDT (History)
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:31:27 EST


Attachments: None
Description keith.d.schincke 2008-11-10 11:58:19 EST
Description of problem:
The SELinux policy prevents hplip_t type from reading cupsd_tmp_t files. 

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-137.1.el5_2
cups-1.2.4-11.18.el5_2.1
hplip-1.6.7-4.1.el5_2.4


How reproducible:
Very reproducible

Steps to Reproduce:
1. Ensure SELinux is enforcing
2. Configure a printer to use HP printer
3. Print
  
Actual results:
AVC deny messages:
audit.log.1:type=AVC msg=audit(1226095777.571:76702): avc:  denied  { read write } for  pid=13628 comm="hpijs" path="/tmp/gs_dhFKnK" dev=dm-3 ino=98418 scontext=user_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_tmp_t:s0 tclass=file
audit.log.1:type=AVC msg=audit(1226095777.571:76702): avc:  denied  { read write } for  pid=13628 comm="hpijs" path="/tmp/gs_FVET5E" dev=dm-3 ino=98426 scontext=user_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_tmp_t:s0 tclass=file


Expected results:
Successful printing

Additional info:
Here is a custom .te file I created to allow the needed access

policy_module(hplp_allow, 1.0.0)

require {
	# hpijs runs in the hplip_t domain (scontext in the AVCs above)
	type hplip_t;
	# the /tmp/gs_* files it is denied are labeled cupsd_tmp_t (tcontext)
	type cupsd_tmp_t;
}

# grant exactly the permissions named in the denials: { read write } on tclass=file
allow hplip_t cupsd_tmp_t:file { read write };
Comment 1 Daniel Walsh 2008-11-10 14:06:31 EST
Did the print job fail to print originally?  Or was there just avc's generated?

If it
Comment 2 keith.d.schincke 2008-11-10 15:11:30 EST
The print jobs were failing. 

However, the admin of the host has changed the queue configuration from Friday to today. It is now printing via lpd without an issue. I am going to tape to see if I can obtain a copy of the non-working configuration.

Keith
Comment 3 Daniel Walsh 2008-11-10 15:14:29 EST
Fixed in selinux-policy-2.4.6-183.el5
Comment 4 Tim Waugh 2008-11-11 04:39:14 EST
(In reply to comment #2)
> I am going to tape to
> see if I can obtain a copy of the non-working configuration.

Yes please.
Comment 12 Daniel Walsh 2008-12-16 08:10:27 EST
Did the print job succeed?


If yes then this is probably a leaked file descriptor in cups.
Comment 13 Milos Malik 2008-12-16 08:26:55 EST
The print job succeeded.

<snip>

:: grep VirtPrinter5062 /var/log/cups/page_log ::
VirtPrinter5062 root 1 [15/Dec/2008:03:24:00 -0500] 1 1 - localhost
        * the page was printed <-- correct

</snip>

Thanks for explaining those magic AVCs to me. It means that I can change the bug to verified.
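The two AVC records in the description, the reporter's hand-written .te module, and the leaked-file-descriptor diagnosis in comments 12 and 13 are the three pieces a policy writer juggles on a bug like this. The following added example (mine, not code from the bug report, from audit2allow, or from the selinux-policy package) reproduces the relevant part of what audit2allow does: it parses the pasted AVC lines, groups the denied permissions by (source type, target type, class), and renders a policy module. It also carries the distinction Daniel Walsh draws: when the job printed anyway, the denial is for a descriptor cupsd opened and hpijs inherited without needing, so the right local fix is a dontaudit rule that silences the noise rather than an allow rule that widens hplip_t's access. The two AVC lines are quoted from the report and embedded as constructed sample input (the `audit.log.1:` prefix is grep output, not part of the record); the module name `hplip_local` is my assumption.

```python
import re
from collections import defaultdict

# Sample input: the two denials from the bug description, verbatim, with the
# grep filename prefix left in place so the parser has to cope with it.
SAMPLE_AVCS = """\
audit.log.1:type=AVC msg=audit(1226095777.571:76702): avc:  denied  { read write } for  pid=13628 comm="hpijs" path="/tmp/gs_dhFKnK" dev=dm-3 ino=98418 scontext=user_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_tmp_t:s0 tclass=file
audit.log.1:type=AVC msg=audit(1226095777.571:76702): avc:  denied  { read write } for  pid=13628 comm="hpijs" path="/tmp/gs_FVET5E" dev=dm-3 ino=98426 scontext=user_u:system_r:hplip_t:s0-s0:c0.c1023 tcontext=user_u:object_r:cupsd_tmp_t:s0 tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(ctx):
    # user:role:type[:mls-range]; the MLS range (s0-s0:c0.c1023) contains
    # colons of its own, so take the type by position, not by rsplit.
    return ctx.split(':')[2]


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'source': _type_of(fields['scontext']),
        'target': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'path': fields.get('path'),
    }


def collect_rules(text):
    """Merge permissions from all denials keyed by (source, target, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            rules[(rec['source'], rec['target'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def render_module(rules, name, version='1.0.0', leaked_fd=False):
    """Render a .te module. leaked_fd=True applies comment 12's diagnosis:
    the denial is for an inherited descriptor the domain never needed, so
    emit dontaudit (silence it) instead of allow (grant it)."""
    verb = 'dontaudit' if leaked_fd else 'allow'
    types = sorted({t for key in rules for t in key[:2]})
    out = ['policy_module(%s, %s)' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append('%s %s %s:%s { %s };' % (verb, src, tgt, cls, ' '.join(sorted(perms))))
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    rules = collect_rules(SAMPLE_AVCS)
    print(render_module(rules, 'hplip_local'))                  # job failed: allow
    print(render_module(rules, 'hplip_local', leaked_fd=True))  # job printed: dontaudit
```

Either rendering is built and loaded the same way the reporter's module would be (`checkmodule -M -m -o hplip_local.mod hplip_local.te`, `semodule_package -o hplip_local.pp -m hplip_local.mod`, `semodule -i hplip_local.pp`). The decision the script cannot make for you is the one comment 12 asks about: check `/var/log/cups/page_log` (as comment 13 did) before choosing `allow`, because an allow rule written from a leaked-descriptor denial grants hplip_t write access to every cupsd_tmp_t file for no functional gain.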
Comment 15 errata-xmlrpc 2009-01-20 16:31:27 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html
