Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 229673 - [LSPP] cups is overriding mls when querying jobs with lpq -al
Summary: [LSPP] cups is overriding mls when querying jobs with lpq -al
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: cups
Version: 5.0
Hardware: All
OS: Linux
medium
urgent
Target Milestone: ---
: ---
Assignee: Tim Waugh
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks: 234654 RHEL5LSPPCertTracker
TreeView+ depends on / blocked
 
Reported: 2007-02-22 17:56 UTC by Klaus Heinrich Kiwi
Modified: 2018-10-19 22:54 UTC (History)
4 users (show)

Fixed In Version: RHSA-2007-1020
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-31 13:48:45 UTC


Attachments (Terms of Use)
Proposed patch to fix access check (deleted)
2007-02-26 23:49 UTC, Matt Anderson
no flags Details | Diff


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2007:1020 normal SHIPPED_LIVE Important: cups security and bug fix update 2007-10-31 13:48:34 UTC

Description Klaus Heinrich Kiwi 2007-02-22 17:56:54 UTC
Description of problem:
lpq -al <job-id> can be used to check file names/job information from jobs
scheduled by a user in a higher mls level (read-up)

Version-Release number of selected component (if applicable):
-bash-3.1$ rpm -qa | grep cups
cups-libs-1.2.4-11.5.el5
cups-libs-1.2.4-11.5.el5
cups-1.2.4-11.5.el5


How reproducible:
always

Steps to Reproduce:
Have a system with a printer installed

 # Log in as user in s5-s5 level: 
ssh user//s5-s5@host
 # Print some file
lpr -P <printer-instance> <filename>
 # Check job id with
lpstat -W all <printer-instance>
 # Log out
exit
 # Log in as user in s0-s0 level:
ssh user//s0-s0@host
 # check lpq specifying job id:
lpq -al <job-id>

 # You can also check all jobs with something similar to:
for ((i=0; i<100; i++)); do lpq -al $i; done;

  
Actual results:
User in s0-s0 level can check the s5-s5 job name and attributes

Expected results:
User in s0-s0 level can't see s5-s5 jobs



Additional info:
This is required for lspp evaluation

Comment 1 Klaus Heinrich Kiwi 2007-02-22 19:54:39 UTC
changing summary to a more precise one

Comment 2 Matt Anderson 2007-02-26 23:49:23 UTC
Created attachment 148840 [details]
Proposed patch to fix access check

The following patch adds a function check_context() which has the code which
used to be in get_jobs() but is now also called from get_job_attrs() and
validate_user()

The code also distinguishes better in the cups log file if the action was
allowed because the system is in permissive mode which was not clear before.
e.g. 
I [26/Feb/2007:14:53:10 -0500] check_context: allowing operation due to
permissive mode

If a user uses the `lpq -al <job-id>` command to query a file that is outside
their level the system returns "lpq: Job #<job-id> does not exist!" and the
following is left in the cups log:
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes ipp://localhost/jobs/42
D [26/Feb/2007:14:54:22 -0500] check_context: client context
user_u:user_r:user_lpr_t:SystemLow job context
root:sysadm_r:sysadm_lpr_t:s6-SystemHigh
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access based on
the client context
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access to the
spool file
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes client-error-not-found: Job
#42 does not exist!

Comment 6 Klaus Heinrich Kiwi 2007-03-24 00:14:51 UTC
verified fix on cups-1.2.4-11.6.el5

You may close the bug - Thank you

Comment 11 errata-xmlrpc 2007-10-31 13:48:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-1020.html



Note You need to log in before you can comment on or make changes to this bug.