Bug 832786 - cupsd rename access to /etc/cpus/printers.conf triggers an error
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-17 07:44 EDT by Michael S. Tsirkin
Modified: 2012-07-19 05:17 EDT
Doc Type: Bug Fix
Last Closed: 2012-06-19 20:29:43 EDT
Type: Bug
Description Michael S. Tsirkin 2012-06-17 07:44:51 EDT
Description of problem:
When KDE changes the printer configuration, cupsd renames
/etc/cups/printers.conf.
This triggers a warning message in the SELinux alert browser.

Version-Release number of selected component (if applicable):
3.10.0-130.fc17

How reproducible:


Steps to Reproduce:
1. start kde and run printer settings
2. enter root password
3. click ok
  
Actual results:
SELinux alert appears

Expected results:
no alert, printers.conf belongs to cups

Additional info:
Comment 1 Miroslav Grepl 2012-06-17 17:19:15 EDT
Could you add the AVC msg which you are getting?

We are able to fix it using a file name transition, but I am interested in the AVC msg.
Comment 2 Michael S. Tsirkin 2012-06-18 01:33:12 EDT
I think this is it:

[root@robin qemu]# grep cups /var/log/audit/audit.log |grep -i printers.conf
type=AVC msg=audit(1339933136.188:458): avc:  denied  { rename } for  pid=12849 comm="cupsd" name="printers.conf" dev="sda6" ino=8006 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(1339947477.700:83): avc:  denied  { rename } for  pid=1154 comm="cupsd" name="printers.conf" dev="sda6" ino=8006 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(1339948622.572:70): avc:  denied  { rename } for  pid=1123 comm="cupsd" name="printers.conf" dev="sda6" ino=8006 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(1339960110.625:86): avc:  denied  { write } for  pid=1190 comm="cupsd" name="printers.conf.O" dev="sda6" ino=8006 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(1339960110.625:87): avc:  denied  { unlink } for  pid=1190 comm="cupsd" name="printers.conf.O" dev="sda6" ino=8006 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_etc_t:s0 tclass=file

I updated the policy as the SELinux troubleshooter suggested,
using audit2allow -M mypol and semodule -i mypol.pp,
so the error is masked now. If you need me to reproduce with
the SELinux troubleshooter, please tell me how to unmask it again.
Comment 3 Daniel Walsh 2012-06-18 16:09:55 EDT
Looks like you have mislabeled files.


restorecon -R -v /etc/cups 

Should fix the labels.

I see where we did not have a proper transition rule on printers.conf.O
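
As an added example (not part of the original thread or of the selinux-policy project), the following Python sketch parses AVC denial records like those posted in comment 2 and groups the denied permissions by source type, target type, object class and file name. The sample lines are copied from comment 2; the function names are this example's own.

```python
import re
from collections import defaultdict

# Three of the five AVC records posted in comment 2 of this report.
SAMPLE = """\
type=AVC msg=audit(1339933136.188:458): avc:  denied  { rename } for  pid=12849 comm="cupsd" name="printers.conf" dev="sda6" ino=8006 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(1339960110.625:86): avc:  denied  { write } for  pid=1190 comm="cupsd" name="printers.conf.O" dev="sda6" ino=8006 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_etc_t:s0 tclass=file
type=AVC msg=audit(1339960110.625:87): avc:  denied  { unlink } for  pid=1190 comm="cupsd" name="printers.conf.O" dev="sda6" ino=8006 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cupsd_etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    # A context is user:role:type:level; the MLS level may itself contain ':'.
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":", 3)
        fields[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields


def summarize(text):
    """Group denied permissions by (source type, target type, class, name)."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["scontext_type"], rec["tcontext_type"],
                   rec.get("tclass"), rec.get("name"))
            grouped[key].update(rec["perms"])
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for (src, tgt, cls, name), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }} name={name}")
```
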
Comment 4 Daniel Walsh 2012-06-18 16:12:06 EDT
Added transition rule for printers.conf.O

Fixed in selinux-policy-3.10.0-132.fc17

If you modify printers again after fixing the labels, do they become mislabeled again?

Way to test

# restorecon -R -v /etc/cups
Modify printers using kde
# restorecon -R -v /etc/cups

Second run should not fix any labels.
Comment 5 Michael S. Tsirkin 2012-06-18 16:16:54 EDT
Neither one prints any errors.
Comment 6 Daniel Walsh 2012-06-18 16:37:53 EDT
OK, I added the transition rule. If you see printers.conf get mislabeled again, please reopen.

Fixed in selinux-policy-3.10.0-132.fc17
Comment 7 Fedora Update System 2012-06-19 03:59:23 EDT
selinux-policy-3.10.0-132.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-132.fc17
Comment 8 Fedora Update System 2012-06-19 20:29:43 EDT
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2012-07-19 05:17:45 EDT
selinux-policy-3.10.0-132.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.