Bug 230723 - [LSPP] cups is overriding mls when querying jobs with lpq -al
Summary: [LSPP] cups is overriding mls when querying jobs with lpq -al
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: cups
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: urgent
Target Milestone: ---
Assignee: Tim Waugh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: FC6Update
Reported: 2007-03-02 14:54 UTC by Tim Waugh
Modified: 2007-11-30 22:11 UTC
CC: 4 users

Fixed In Version: 1.2.10-3.fc6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-04-10 11:54:08 UTC

Description Tim Waugh 2007-03-02 14:54:50 UTC
+++ This bug was initially created as a clone of Bug #229673 +++

Description of problem:
lpq -al <job-id> can be used to check file names/job information from jobs
scheduled by a user in a higher MLS level (read-up).

Version-Release number of selected component (if applicable):
-bash-3.1$ rpm -qa | grep cups
cups-libs-1.2.4-11.5.el5
cups-libs-1.2.4-11.5.el5
cups-1.2.4-11.5.el5


How reproducible:
always

Steps to Reproduce:
Have a system with a printer installed

 # Log in as user in s5-s5 level: 
ssh user//s5-s5@host
 # Print some file
lpr -P <printer-instance> <filename>
 # Check job id with
lpstat -W all <printer-instance>
 # Log out
exit
 # Log in as user in s0-s0 level:
ssh user//s0-s0@host
 # check lpq specifying job id:
lpq -al <job-id>

 # You can also check all jobs with something similar to:
for ((i=0; i<100; i++)); do lpq -al $i; done;

  
Actual results:
User in s0-s0 level can check the s5-s5 job name and attributes

Expected results:
User in s0-s0 level can't see s5-s5 jobs



Additional info:
This is required for LSPP evaluation.

-- Additional comment from klausk@br.ibm.com on 2007-02-22 14:54 EST --
changing summary to a more precise one

-- Additional comment from mra@hp.com on 2007-02-26 18:49 EST --
Created an attachment (id=148840)
Proposed patch to fix access check

The following patch adds a function check_context() which contains the code that
used to be in get_jobs() and is now also called from get_job_attrs() and
validate_user().

The code also distinguishes better in the cups log file if the action was
allowed because the system is in permissive mode which was not clear before.
e.g. 
I [26/Feb/2007:14:53:10 -0500] check_context: allowing operation due to permissive mode

If a user uses the `lpq -al <job-id>` command to query a file that is outside
their level the system returns "lpq: Job #<job-id> does not exist!" and the
following is left in the cups log:
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes ipp://localhost/jobs/42
D [26/Feb/2007:14:54:22 -0500] check_context: client context user_u:user_r:user_lpr_t:SystemLow job context root:sysadm_r:sysadm_lpr_t:s6-SystemHigh
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access based on the client context
I [26/Feb/2007:14:54:22 -0500] check_context: SELinux denied access to the spool file
D [26/Feb/2007:14:54:22 -0500] Get-Job-Attributes client-error-not-found: Job #42 does not exist!
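
The access-check structure described in the patch comment above, as an added example that is not CUPS code and not the attached patch: a small C model in which a single check_context() gates every operation that exposes a job, so that Get-Job-Attributes can no longer bypass the check that Get-Jobs already had. It assumes a simplified MLS label (sensitivity only; SystemLow and SystemHigh are mapped to s0 and s15, categories are ignored) and a plain no-read-up rule (the client's level must dominate the job's level). The real patch instead asks the SELinux AVC about the client's peer context and the spool file, so the loaded policy decides. The spool entries, contexts and job names are constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Constructed sample spool: one job submitted from an s5-s5 session, one from
 * an s0-s0 session. Contexts use the user:role:type:range form seen in the
 * bug's log lines; categories (":c1,c3") are not modelled. */
typedef struct {
    int         id;
    const char *name;     /* the file name that lpq -al leaked */
    const char *context;  /* SELinux context recorded at submission */
} job_t;

static const job_t spool[] = {
    { 42, "payroll.pdf", "user_u:user_r:user_lpr_t:s5-s5" },
    { 43, "notes.txt",   "user_u:user_r:user_lpr_t:s0-s0" },
};
#define NJOBS (sizeof spool / sizeof spool[0])

/* Parse one sensitivity: "sN" (0..15) or the aliases SystemLow/SystemHigh,
 * assumed here to map to s0 and s15 as in the stock MLS policy. */
static int parse_sens(const char *s, size_t n)
{
    if (n == 9  && strncmp(s, "SystemLow", 9) == 0)   return 0;
    if (n == 10 && strncmp(s, "SystemHigh", 10) == 0) return 15;
    if (n >= 2 && n <= 3 && s[0] == 's') {
        char buf[4] = {0};
        memcpy(buf, s + 1, n - 1);
        char *end;
        long v = strtol(buf, &end, 10);
        if (*end == '\0' && v >= 0 && v <= 15) return (int)v;
    }
    return -1;   /* malformed: callers must treat this as deny */
}

/* Low (current) sensitivity of a context's MLS field, e.g.
 * "root:sysadm_r:sysadm_lpr_t:s6-SystemHigh" -> 6. Returns -1 if malformed. */
int context_level(const char *ctx)
{
    const char *p = ctx;
    for (int i = 0; i < 3; i++) {            /* skip user, role, type */
        p = strchr(p, ':');
        if (p == NULL) return -1;
        p++;
    }
    return parse_sens(p, strcspn(p, "-:."));  /* stop at range or category */
}

typedef enum { ACCESS_DENIED = 0, ACCESS_ALLOWED, ACCESS_PERMISSIVE } access_t;

/* The one check every job-exposing operation must call. Before the fix only
 * get_jobs() had this logic, so Get-Job-Attributes bypassed it. Rule modelled:
 * no-read-up, the client's level must dominate the job's. In permissive mode
 * the request still succeeds but is logged distinctly, like the
 * "allowing operation due to permissive mode" message in the bug. */
access_t check_context(const char *client_ctx, const job_t *job, bool permissive)
{
    int c = context_level(client_ctx);
    int j = context_level(job->context);
    if (c < 0 || j < 0)
        return ACCESS_DENIED;               /* fail closed on an unparsable label */
    if (c >= j)
        return ACCESS_ALLOWED;
    if (permissive) {
        fprintf(stderr, "I check_context: allowing operation due to permissive mode\n");
        return ACCESS_PERMISSIVE;
    }
    fprintf(stderr, "D check_context: client context %s job context %s\n",
            client_ctx, job->context);
    fprintf(stderr, "I check_context: denied access based on the client context\n");
    return ACCESS_DENIED;
}

/* Pre-fix Get-Job-Attributes: any job id resolves, regardless of label. */
const char *get_job_attrs_unchecked(int id)
{
    for (size_t i = 0; i < NJOBS; i++)
        if (spool[i].id == id) return spool[i].name;
    return NULL;
}

/* Fixed Get-Job-Attributes: a job the client may not read is answered exactly
 * like a nonexistent one ("Job #N does not exist!"), so neither the attributes
 * nor the existence of the higher-level job leak. */
const char *get_job_attrs(const char *client_ctx, int id, bool permissive)
{
    for (size_t i = 0; i < NJOBS; i++) {
        if (spool[i].id != id) continue;
        return check_context(client_ctx, &spool[i], permissive) ? spool[i].name : NULL;
    }
    return NULL;
}

/* The reporter's enumeration loop (lpq -al $i for i in 0..99): how many jobs
 * does a client with this context obtain attributes for? */
int count_visible(const char *client_ctx, bool fixed, bool permissive)
{
    int n = 0;
    for (int id = 0; id < 100; id++) {
        const char *name = fixed ? get_job_attrs(client_ctx, id, permissive)
                                 : get_job_attrs_unchecked(id);
        if (name != NULL) n++;
    }
    return n;
}

int main(void)
{
    const char *low = "user_u:user_r:user_lpr_t:s0-s0";
    printf("unchecked:  s0-s0 client sees %d job(s)\n", count_visible(low, false, false));
    printf("fixed:      s0-s0 client sees %d job(s)\n", count_visible(low, true, false));
    printf("permissive: s0-s0 client sees %d job(s), logged\n", count_visible(low, true, true));
    return 0;
}
```

Built with `cc -std=c99`, the three count_visible() calls reproduce the shape of the bug: the unchecked lookup exposes both jobs to the s0-s0 client, the fixed path exposes only the s0-s0 job, and permissive mode exposes both again but leaves a distinct log line, which is the distinction the patch comment says the cups log previously did not make.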

Comment 1 Tim Waugh 2007-03-02 15:34:08 UTC
Fixed in 1.2.8-3.fc6.

