Created attachment 632167 [details] AVC messages Description of problem: I've backported a security fix of cups-pk-helper, which uses setgid and setuid (see #865815), into Fedora. Running updated cups-pk-helper with cupsd_config_t without setgid and setuid capabilities results in AVC denial. Version-Release number of selected component (if applicable): selinux-policy-3.10.0-91.fc16.noarch selinux-policy-3.10.0-156.fc17.noarch selinux-policy-3.11.1-36.fc18.noarch and rawhide as well How reproducible: Always Steps to Reproduce: 1. install cups-pk-helper-0.1.3-4.fc16 or cups-pk-helper-0.2.2-2.fc17 or cups-pk-helper-0.2.4-1.fc18 or cups-pk-helper-0.2.4-1.fc19 2. run 'touch /tmp/cupsd.conf' 3. run 'gdbus call --system --dest org.opensuse.CupsPkHelper.Mechanism --object-path / --method org.opensuse.CupsPkHelper.Mechanism.FileGet "/admin/conf/cupsd.conf" "/tmp/cupsd.conf"' Actual results: AVC denial. Expected results: No AVC denial. Additional info: Let me know if you want to have separate bugs for all those Fedora versions. I haven't pushed updates for the cups-pk-helper yet because of this. I'll push them right after this will be resolved.
Fixed in selinux-policy-3.11.1-44.fc18.noarch
Hi, do you plan to backport this to F16, F17 and rawhide? Regards Marek
Yes, added.
selinux-policy-3.10.0-96.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-96.fc16
Package selinux-policy-3.10.0-96.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-96.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-18243/selinux-policy-3.10.0-96.fc16 then log in and leave karma (feedback).
selinux-policy-3.10.0-96.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.