Bug 550015 - CUPS policy update for System V style interface scripts
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Hardware: All Linux
Priority: medium, Severity: medium
Target Milestone: rc
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Duplicates: 556856
Depends On: 464570
Reported: 2009-12-23 04:56 EST by Tim Waugh
Modified: 2010-03-30 03:49 EDT
Doc Type: Bug Fix
Clone Of: 464570
Last Closed: 2010-03-30 03:49:53 EDT

Attachments
Patch to add interface to RHEL5 (1.56 KB, application/octet-stream)
2010-01-14 09:46 EST, Daniel Walsh

Description Tim Waugh 2009-12-23 04:56:58 EST
The cupsd_interface_t type is missing in Red Hat Enterprise Linux 5. (Original report on cups.general, 22/12/09.)

+++ This bug was initially created as a clone of Bug #464570 +++

Description of problem:
When using the lpadmin '-i' option to set an interface script for a printer, SELinux audit messages are seen because the script is not executable.

cupsd creates the file as /etc/cups/interfaces/$NAME, and needs to be able to modify/remove that filename.  It also needs to be able to execute it, in the same way that filters are executed.

I think what's required is:

1. a new type, cups_interface_t, which is like cups_etc_rw_t but which also allows execution.
2. files in /etc/cups/interfaces to be labelled cups_interface_t

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

cat <<EOF >my-interface-script
#!/bin/bash
touch /tmp/test
EOF

lpadmin -p x -i my-interface-script
cupsenable x
accept x

echo . | lp -dx

ls -l /tmp/test
# File should exist

Actual results:
/tmp/test does not exist.

Expected results:
/tmp/test exists.

Additional info:
Here are the audit messages:

type=AVC msg=audit(1222701812.402:592): avc:  denied  { execute } for  pid=3556 comm="cupsd" name="x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1222701812.402:592): arch=c000003e syscall=21 success=yes exit=0 a0=7fff09a44f60 a1=1 a2=16 a3=0 items=0 ppid=1 pid=3556 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1222701839.391:593): avc:  denied  { execute_no_trans } for  pid=20638 comm="cupsd" path="/etc/cups/interfaces/x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1222701839.391:593): arch=c000003e syscall=59 success=yes exit=0 a0=7fff09a46e30 a1=7fdc029bc420 a2=7fff09a45530 a3=7fff09a45100 items=0 ppid=3556 pid=20638 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="x" exe="/bin/bash" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

--- Additional comment from dwalsh@redhat.com on 2008-09-29 15:09:35 EDT ---

Fixed in selinux-policy-3.3.1-97.fc9.noarch

--- Additional comment from twaugh@redhat.com on 2008-10-09 10:07:50 EDT ---

selinux-policy-3.3.1-99.fc9 fixes it for me.  Thanks!

--- Additional comment from dwalsh@redhat.com on 2008-11-17 17:05:51 EDT ---

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
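
An added example (not part of the original report or of the attached selinux-policy patch): a small Python parser that groups the AVC denials quoted above by source type, target type and object class. The function names are this example's own, and the rule text it prints is only a summary for review, since the report asks for a separate executable type rather than widening cupsd_rw_etc_t.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the report above, rejoined onto single lines.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1222701812.402:592): avc:  denied  { execute } for  pid=3556 comm="cupsd" name="x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(1222701839.391:593): avc:  denied  { execute_no_trans } for  pid=20638 comm="cupsd" path="/etc/cups/interfaces/x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]


def summarise_denials(audit_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denied = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        denied[key].update(m['perms'].split())
    return dict(denied)


def as_rules(denied):
    """Render each group in allow-rule syntax for review (not for loading as-is)."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(denied.items())]


if __name__ == '__main__':
    for rule in as_rules(summarise_denials(SAMPLE_AUDIT)):
        print(rule)
```

Both denials collapse into one group: cupsd_t lacks execute and execute_no_trans on files labelled cupsd_rw_etc_t, which is the gap the dedicated interface-script type is meant to close without making every writable CUPS configuration file executable.
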
Comment 1 Daniel Walsh 2010-01-14 09:46:13 EST
Created attachment 383685
Patch to add interface to RHEL5

Miroslav, please add this patch.
Comment 2 Tim Waugh 2010-01-19 11:21:55 EST
*** Bug 556856 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2010-01-28 11:12:52 EST
Fixed in selinux-policy-2.4.6-271.el5
Comment 8 errata-xmlrpc 2010-03-30 03:49:53 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

