Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 550015

Summary: CUPS policy update for System V style interface scripts
Product: Red Hat Enterprise Linux 5 Reporter: Tim Waugh <twaugh>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.4CC: dwalsh, mgrepl, mmalik, rvokal, tommi
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 464570 Environment:
Last Closed: 2010-03-30 07:49:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 464570    
Bug Blocks:    
Attachments:
Description Flags
Patch to add interface to RHEL5 none

Description Tim Waugh 2009-12-23 09:56:58 UTC 
The cupsd_interface_t type is missing in Red Hat Enterprise Linux 5. (Original report on cups.general, 22/12/09.)

+++ This bug was initially created as a clone of Bug #464570 +++

Description of problem:
When using the lpadmin '-i' option to set an interface script for a printer, SELinux audit messages are seen because the script is not executable.

cupsd creates the file as /etc/cups/interfaces/$NAME, and needs to be able to modify/remove that filename.  It also needs to be able to execute it, in the same way that filters are executed.

I think what's required is:

1. a new type, cups_interface_t, which is like cups_etc_rw_t but which also allows execution.
2. files in /etc/cups/interfaces to be labelled cups_interface_t

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-91.fc9

How reproducible:
100%

Steps to Reproduce:

cat <<EOF >my-interface-script
#!/bin/sh
touch /tmp/test
EOF

lpadmin -p x -i my-interface-script
cupsenable x
accept x

echo . | lp -dx

ls -l /tmp/test
# File should exist
  
Actual results:
/tmp/test does not exist.

Expected results:
/tmp/test exists.

Additional info:
Here are the audit messages:

type=AVC msg=audit(1222701812.402:592): avc:  denied  { execute } for  pid=3556 
comm="cupsd" name="x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0-
s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1222701812.402:592): arch=c000003e syscall=21 success=yes
 exit=0 a0=7fff09a44f60 a1=1 a2=16 a3=0 items=0 ppid=1 pid=3556 auid=4294967295 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=429496729
5 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c10
23 key=(null)
type=AVC msg=audit(1222701839.391:593): avc:  denied  { execute_no_trans } for  pid=20638 comm="cupsd" path="/etc/cups/interfaces/x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1222701839.391:593): arch=c000003e syscall=59 success=yes exit=0 a0=7fff09a46e30 a1=7fdc029bc420 a2=7fff09a45530 a3=7fff09a45100 items=0 ppid=3556 pid=20638 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="x" exe="/bin/bash" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

--- Additional comment from dwalsh on 2008-09-29 15:09:35 EDT ---

Fixed in selinux-policy-3.3.1-97.fc9.noarch

--- Additional comment from twaugh on 2008-10-09 10:07:50 EDT ---

selinux-policy-3.3.1-99.fc9 fixes it for me.  Thanks!

--- Additional comment from dwalsh on 2008-11-17 17:05:51 EDT ---

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
Comment 1 Daniel Walsh 2010-01-14 14:46:13 UTC 
Created attachment 383685 [details]
Patch to add interface to RHEL5

Miroslav please add this patch.
Comment 2 Tim Waugh 2010-01-19 16:21:55 UTC 
*** Bug 556856 has been marked as a duplicate of this bug. ***
Comment 3 Miroslav Grepl 2010-01-28 16:12:52 UTC 
Fixed in selinux-policy-2.4.6-271.el5
Comment 8 errata-xmlrpc 2010-03-30 07:49:53 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html