The cupsd_interface_t type is missing in Red Hat Enterprise Linux 5. (Original report on cups.general, 22/12/09.) +++ This bug was initially created as a clone of Bug #464570 +++ Description of problem: When using the lpadmin '-i' option to set an interface script for a printer, SELinux audit messages are seen because the script is not executable. cupsd creates the file as /etc/cups/interfaces/$NAME, and needs to be able to modify/remove that filename. It also needs to be able to execute it, in the same way that filters are executed. I think what's required is: 1. a new type, cups_interface_t, which is like cups_etc_rw_t but which also allows execution. 2. files in /etc/cups/interfaces to be labelled cups_interface_t Version-Release number of selected component (if applicable): selinux-policy-3.3.1-91.fc9 How reproducible: 100% Steps to Reproduce: cat <<EOF >my-interface-script #!/bin/sh touch /tmp/test EOF lpadmin -p x -i my-interface-script cupsenable x accept x echo . | lp -dx ls -l /tmp/test # File should exist Actual results: /tmp/test does not exist. Expected results: /tmp/test exists. Additional info: Here are the audit messages: type=AVC msg=audit(1222701812.402:592): avc: denied { execute } for pid=3556 comm="cupsd" name="x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0- s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file type=SYSCALL msg=audit(1222701812.402:592): arch=c000003e syscall=21 success=yes exit=0 a0=7fff09a44f60 a1=1 a2=16 a3=0 items=0 ppid=1 pid=3556 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=429496729 5 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c10 23 key=(null) type=AVC msg=audit(1222701839.391:593): avc: denied { execute_no_trans } for pid=20638 comm="cupsd" path="/etc/cups/interfaces/x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file type=SYSCALL msg=audit(1222701839.391:593): arch=c000003e syscall=59 success=yes exit=0 a0=7fff09a46e30 a1=7fdc029bc420 a2=7fff09a45530 a3=7fff09a45100 items=0 ppid=3556 pid=20638 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="x" exe="/bin/bash" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null) --- Additional comment from dwalsh on 2008-09-29 15:09:35 EDT --- Fixed in selinux-policy-3.3.1-97.fc9.noarch --- Additional comment from twaugh on 2008-10-09 10:07:50 EDT --- selinux-policy-3.3.1-99.fc9 fixes it for me. Thanks! --- Additional comment from dwalsh on 2008-11-17 17:05:51 EDT --- Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
Created attachment 383685 [details] Patch to add interface to RHEL5 Miroslav please add this patch.
*** Bug 556856 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-2.4.6-271.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2010-0182.html