This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 550015 - CUPS policy update for System V style interface scripts
CUPS policy update for System V style interface scripts
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.4
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
BaseOS QE Security Team
:
: 556856 (view as bug list)
Depends On: 464570
Blocks:
  Show dependency treegraph
 
Reported: 2009-12-23 04:56 EST by Tim Waugh
Modified: 2010-03-30 03:49 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 464570
Environment:
Last Closed: 2010-03-30 03:49:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Patch to add interface to RHEL5 (1.56 KB, application/octet-stream)
2010-01-14 09:46 EST, Daniel Walsh
no flags Details

  None (edit)
Description Tim Waugh 2009-12-23 04:56:58 EST
The cupsd_interface_t type is missing in Red Hat Enterprise Linux 5. (Original report on cups.general, 22/12/09.)

+++ This bug was initially created as a clone of Bug #464570 +++

Description of problem:
When using the lpadmin '-i' option to set an interface script for a printer, SELinux audit messages are seen because the script is not executable.

cupsd creates the file as /etc/cups/interfaces/$NAME, and needs to be able to modify/remove that filename.  It also needs to be able to execute it, in the same way that filters are executed.

I think what's required is:

1. a new type, cups_interface_t, which is like cups_etc_rw_t but which also allows execution.
2. files in /etc/cups/interfaces to be labelled cups_interface_t

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-91.fc9

How reproducible:
100%

Steps to Reproduce:

cat <<EOF >my-interface-script
#!/bin/sh
touch /tmp/test
EOF

lpadmin -p x -i my-interface-script
cupsenable x
accept x

echo . | lp -dx

ls -l /tmp/test
# File should exist
  
Actual results:
/tmp/test does not exist.

Expected results:
/tmp/test exists.

Additional info:
Here are the audit messages:

type=AVC msg=audit(1222701812.402:592): avc:  denied  { execute } for  pid=3556 
comm="cupsd" name="x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0-
s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1222701812.402:592): arch=c000003e syscall=21 success=yes
 exit=0 a0=7fff09a44f60 a1=1 a2=16 a3=0 items=0 ppid=1 pid=3556 auid=4294967295 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=429496729
5 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c10
23 key=(null)
type=AVC msg=audit(1222701839.391:593): avc:  denied  { execute_no_trans } for  pid=20638 comm="cupsd" path="/etc/cups/interfaces/x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1222701839.391:593): arch=c000003e syscall=59 success=yes exit=0 a0=7fff09a46e30 a1=7fdc029bc420 a2=7fff09a45530 a3=7fff09a45100 items=0 ppid=3556 pid=20638 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="x" exe="/bin/bash" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

--- Additional comment from dwalsh@redhat.com on 2008-09-29 15:09:35 EDT ---

Fixed in selinux-policy-3.3.1-97.fc9.noarch

--- Additional comment from twaugh@redhat.com on 2008-10-09 10:07:50 EDT ---

selinux-policy-3.3.1-99.fc9 fixes it for me.  Thanks!

--- Additional comment from dwalsh@redhat.com on 2008-11-17 17:05:51 EDT ---

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
Comment 1 Daniel Walsh 2010-01-14 09:46:13 EST
Created attachment 383685 [details]
Patch to add interface to RHEL5

Miroslav please add this patch.
Comment 2 Tim Waugh 2010-01-19 11:21:55 EST
*** Bug 556856 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2010-01-28 11:12:52 EST
Fixed in selinux-policy-2.4.6-271.el5
Comment 8 errata-xmlrpc 2010-03-30 03:49:53 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html

Note You need to log in before you can comment on or make changes to this bug.