Bug 550015 - CUPS policy update for System V style interface scripts
Summary: CUPS policy update for System V style interface scripts
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
: 556856 (view as bug list)
Depends On: 464570
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-12-23 09:56 UTC by Tim Waugh
Modified: 2018-07-16 17:10 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 464570
Environment:
Last Closed: 2010-03-30 07:49:53 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Patch to add interface to RHEL5 (1.56 KB, application/octet-stream)
2010-01-14 14:46 UTC, Daniel Walsh
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0182 0 normal SHIPPED_LIVE selinux-policy bug fix update 2010-03-29 12:19:53 UTC

Description Tim Waugh 2009-12-23 09:56:58 UTC
The cupsd_interface_t type is missing in Red Hat Enterprise Linux 5. (Original report on cups.general, 22/12/09.)

+++ This bug was initially created as a clone of Bug #464570 +++

Description of problem:
When using the lpadmin '-i' option to set an interface script for a printer, SELinux audit messages are seen because the script is not executable.

cupsd creates the file as /etc/cups/interfaces/$NAME, and needs to be able to modify/remove that filename.  It also needs to be able to execute it, in the same way that filters are executed.

I think what's required is:

1. a new type, cups_interface_t, which is like cups_etc_rw_t but which also allows execution.
2. files in /etc/cups/interfaces to be labelled cups_interface_t

Version-Release number of selected component (if applicable):
selinux-policy-3.3.1-91.fc9

How reproducible:
100%

Steps to Reproduce:

cat <<EOF >my-interface-script
#!/bin/sh
touch /tmp/test
EOF

lpadmin -p x -i my-interface-script
cupsenable x
accept x

echo . | lp -dx

ls -l /tmp/test
# File should exist
  
Actual results:
/tmp/test does not exist.

Expected results:
/tmp/test exists.

Additional info:
Here are the audit messages:

type=AVC msg=audit(1222701812.402:592): avc:  denied  { execute } for  pid=3556 
comm="cupsd" name="x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0-
s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1222701812.402:592): arch=c000003e syscall=21 success=yes
 exit=0 a0=7fff09a44f60 a1=1 a2=16 a3=0 items=0 ppid=1 pid=3556 auid=4294967295 
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=429496729
5 comm="cupsd" exe="/usr/sbin/cupsd" subj=system_u:system_r:cupsd_t:s0-s0:c0.c10
23 key=(null)
type=AVC msg=audit(1222701839.391:593): avc:  denied  { execute_no_trans } for  pid=20638 comm="cupsd" path="/etc/cups/interfaces/x" dev=md2 ino=1157032 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1222701839.391:593): arch=c000003e syscall=59 success=yes exit=0 a0=7fff09a46e30 a1=7fdc029bc420 a2=7fff09a45530 a3=7fff09a45100 items=0 ppid=3556 pid=20638 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="x" exe="/bin/bash" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

--- Additional comment from dwalsh on 2008-09-29 15:09:35 EDT ---

Fixed in selinux-policy-3.3.1-97.fc9.noarch

--- Additional comment from twaugh on 2008-10-09 10:07:50 EDT ---

selinux-policy-3.3.1-99.fc9 fixes it for me.  Thanks!

--- Additional comment from dwalsh on 2008-11-17 17:05:51 EDT ---

Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Comment 1 Daniel Walsh 2010-01-14 14:46:13 UTC
Created attachment 383685 [details]
Patch to add interface to RHEL5

Miroslav please add this patch.

Comment 2 Tim Waugh 2010-01-19 16:21:55 UTC
*** Bug 556856 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2010-01-28 16:12:52 UTC
Fixed in selinux-policy-2.4.6-271.el5

Comment 8 errata-xmlrpc 2010-03-30 07:49:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html


Note You need to log in before you can comment on or make changes to this bug.