cups... new avcs?

Tom London selinux at comcast.net
Mon Aug 2 14:41:01 UTC 2004


Agree regarding read-only /usr setups.  Looks like
cups is writing a python file called
/usr/share/printconf/util/backend.pyo.

Here are avc's from a permissive boot
(sorry I forgot to include in original message):
Aug  2 07:33:27 fedora kernel: audit(1091457207.688:0): avc:  denied  { write } for  pid=1997 exe=/usr/bin/python name=util dev=hda2 ino=4309019 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=dir
Aug  2 07:33:27 fedora kernel: audit(1091457207.689:0): avc:  denied  { remove_name } for  pid=1997 exe=/usr/bin/python name=backend.pyo dev=hda2 ino=4309038 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=dir
Aug  2 07:33:27 fedora kernel: audit(1091457207.726:0): avc:  denied  { add_name } for  pid=1997 exe=/usr/bin/python name=backend.pyo scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=dir
Aug  2 07:33:27 fedora kernel: audit(1091457207.726:0): avc:  denied  { create } for  pid=1997 exe=/usr/bin/python name=backend.pyo scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=file
Aug  2 07:33:27 fedora kernel: audit(1091457207.728:0): avc:  denied  { write } for  pid=1997 exe=/usr/bin/python path=/usr/share/printconf/util/backend.pyo dev=hda2 ino=4309038 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=file

Sigh....
[/usr/share/printconf/util/ contains a bunch of python .py
and .pyo files, a file named 'smbprint', and a file named
'strip_control_file.sh'.  All the files are labeled
system_u:object_r:printconf_t, except for one named
'print.py'. It is labeled system_u:object_r:bin_t.]

I'll file a bugzilla against cups for this....
    tom

Russell Coker wrote:

>On Mon, 2 Aug 2004 07:00, Tom London <selinux at comcast.net> wrote:
>
>>I noticed what I think are new avcs coming from starting cups:
>>
>>Aug  1 13:49:59 fedora kernel: audit(1091393399.153:0): avc:  denied  { write } for  pid=2117 exe=/usr/bin/python name=util dev=hda2 ino=4309019 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=dir
>>
>>ino#4309019 is /usr/share/printconf/util
>>(not sure why cups wants to write there ....)
>>
>
>What is under that directory tree?
>
>What does cups do in this situation if you put the machine in permissive mode 
>and do the same print operation?
>
>Naturally we can't give cups access to usr_t.  We could use a different label 
>for the directory in question as an interim measure.  But I think that this 
>is really a bug in cups.  I don't think that there's any good reason for cups 
>to be writing there.  I think that systems with a /usr file system mounted 
>read-only should work fine as print servers!
>

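Added example, not code from this thread: a small Python triage script that parses kernel AVC records in the format quoted above into (source type, target type, object class) -> denied permissions, then flags domains that were denied modifying usr_t, which by Russell's reasoning points to an application bug or a relabel rather than a policy allow rule. The sample lines are constructed from the ones in this message, and WRITE_PERMS is an assumed list of modifying permissions.

```python
import re
from collections import defaultdict

# Constructed sample in the kernel audit AVC format the thread quotes
# (syslog prefix, "avc: denied { perms } for", then key=value fields).
SAMPLE_AVCS = """\
Aug  2 07:33:27 fedora kernel: audit(1091457207.688:0): avc:  denied  { write } for  pid=1997 exe=/usr/bin/python name=util dev=hda2 ino=4309019 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=dir
Aug  2 07:33:27 fedora kernel: audit(1091457207.689:0): avc:  denied  { remove_name } for  pid=1997 exe=/usr/bin/python name=backend.pyo dev=hda2 ino=4309038 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=dir
Aug  2 07:33:27 fedora kernel: audit(1091457207.726:0): avc:  denied  { add_name } for  pid=1997 exe=/usr/bin/python name=backend.pyo scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=dir
Aug  2 07:33:27 fedora kernel: audit(1091457207.726:0): avc:  denied  { create } for  pid=1997 exe=/usr/bin/python name=backend.pyo scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=file
Aug  2 07:33:27 fedora kernel: audit(1091457207.728:0): avc:  denied  { write } for  pid=1997 exe=/usr/bin/python path=/usr/share/printconf/util/backend.pyo dev=hda2 ino=4309038 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t tclass=file
Aug  2 07:33:28 fedora kernel: unrelated message with no avc record
"""

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")

# Permissions that modify a file or directory (assumed list, not from the thread).
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "add_name", "remove_name"}


def parse_avc(line):
    """Return the AVC's fields as a dict, or None if the line holds no AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["result"] = m.group("result")
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """user:role:type -> type, e.g. system_u:object_r:usr_t -> usr_t."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source type, target type, class) -> union of denied perms."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            summary[key] |= rec["perms"]
    return dict(summary)


def usr_writes(summary):
    """Keys where a domain was denied modifying usr_t: report the program or relabel
    the path, as the thread argues, rather than allowing the access."""
    return sorted(k for k, perms in summary.items() if k[1] == "usr_t" and perms & WRITE_PERMS)
```

Running `summarize(SAMPLE_AVCS)` collapses the five denials into two rows, cupsd_t -> usr_t for dir and for file, and `usr_writes` reports both.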


More information about the fedora-selinux-list mailing list