* trouble with a transition to verify access to a printer
@ 2006-08-15 15:02 Matt Anderson
2006-08-16 14:48 ` Christopher J. PeBenito
0 siblings, 1 reply; 2+ messages in thread
From: Matt Anderson @ 2006-08-15 15:02 UTC (permalink / raw)
To: selinux
I'm having some trouble verifying a user has access to a given printer.
In the CUPS architecture a user submits their job over a socket
connection to the server which queues it and eventually prints it. The
server can get the client's context via getpeercon() and that
information is stored as metadata with the job. Often the context is
user_u:user_r:user_lpr_t:SystemLow and the context of the running cupsd
is system_u:system_r:cupsd_t:SystemLow-SystemHigh.

In order to keep the security decisions out of cupsd it was suggested
that a helper program be used. The cupsd server could setexeccon() this
program with the job's stored context and the helper would use access()
to determine if it could write to the printer device (typically
/dev/parport0 with context system_u:object_r:printer_device_t:SystemLow)

When run in enforcing mode however I get the following AVC deny message:

type=AVC msg=audit(1155470231.462:11179): avc: denied { transition }
for pid=3046 comm="cupsd" name="lspp-access" dev=sda4 ino=420583
scontext=system_u:system_r:cupsd_t:s0-s15:c0.c255
tcontext=user_u:user_r:user_lpr_t:s0 tclass=process

I've included the audit2allow output below based on running in
permissive mode. Even after loading the module it generates I still get
the same AVC deny on the transition.

pebenito suggested on #selinux that since cupsd was switching identities
and roles that was causing the deny. If that's the case, is there any way
around that? Is there a better way to solve this problem?

thanks
-matt

require {
class chr_file { read write };
class fd use;
class file { entrypoint read };
class process { noatsecure rlimitinh sigchld siginh transition };
class unix_stream_socket write;
type cupsd_exec_t;
type cupsd_t;
type printer_device_t;
type setrans_t;
type user_lpr_t;
role system_r;
role user_r;
};
allow cupsd_t user_lpr_t:process { noatsecure rlimitinh };
allow cupsd_t user_lpr_t:process { siginh transition };
allow setrans_t self:unix_stream_socket write;
allow user_lpr_t cupsd_exec_t:file { entrypoint read };
allow user_lpr_t cupsd_t:fd use;
allow user_lpr_t cupsd_t:process sigchld;
allow user_lpr_t printer_device_t:chr_file { read write };
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: trouble with a transition to verify access to a printer
2006-08-15 15:02 trouble with a transition to verify access to a printer Matt Anderson
@ 2006-08-16 14:48 ` Christopher J. PeBenito
0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2006-08-16 14:48 UTC (permalink / raw)
To: Matt Anderson; +Cc: selinux
On Tue, 2006-08-15 at 11:02 -0400, Matt Anderson wrote:
> I'm having some trouble verifying a user has access to a given printer.
> In the CUPS architecture a user submits their job over a socket
> connection to the server which queues it and eventually prints it. The
> server can get the client's context via getpeercon() and that
> information is stored as metadata with the job. Often the context is
> user_u:user_r:user_lpr_t:SystemLow and the context of the running cupsd
> is system_u:system_r:cupsd_t:SystemLow-SystemHigh.
>
> In order to keep the security decisions out of cupsd it was suggested
> that a helper program be used. The cupsd server could setexeccon() this
> program with the job's stored context and the helper would use access()
> to determine if it could write to the printer device (typically
> /dev/parport0 with context system_u:object_r:printer_device_t:SystemLow)
>
> When run in enforcing mode however I get the following AVC deny message:
>
> type=AVC msg=audit(1155470231.462:11179): avc: denied { transition }
> for pid=3046 comm="cupsd" name="lspp-access" dev=sda4 ino=420583
> scontext=system_u:system_r:cupsd_t:s0-s15:c0.c255
> tcontext=user_u:user_r:user_lpr_t:s0 tclass=process
>
> pebenito suggested on #selinux that since cupsd was switching identities
> and roles that was causing the deny. If that's the case, is there any way
> around that?

You would either have to use the unconditional exemption for role and
identity changes, which has no constraint (except having a valid
context) on the roles and identities it can set, or alter the
constraints to allow this combination.

> Is there a better way to solve this problem?

Another way would be for the helper to just getfilecon() the device, and
then use that context and the getpeercon() context to do a
security_compute_av(). This has an advantage of not requiring a
setexeccon() in cups, as the context could be passed on the command
line. The down side is that it doesn't do a DAC check, but that doesn't
appear to be relevant in this case.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
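
Added example (not part of either message, and not code from CUPS or the SELinux project): a small triage script that parses the AVC record quoted in the thread and reports which context fields the denied transition changes. Following the reply above, it flags a process transition that changes identity or role as a likely constraint denial, which the type-enforcement allow rules from audit2allow cannot satisfy. The function names and the "constraint_suspect" flag are assumptions of this example.

```python
import re

# AVC record from the first message, joined onto one line.
AVC = ('type=AVC msg=audit(1155470231.462:11179): avc: denied { transition } '
       'for pid=3046 comm="cupsd" name="lspp-access" dev=sda4 ino=420583 '
       'scontext=system_u:system_r:cupsd_t:s0-s15:c0.c255 '
       'tcontext=user_u:user_r:user_lpr_t:s0 tclass=process')

FIELDS = ("user", "role", "type", "range")


def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    parts += [""] * (4 - len(parts))  # non-MLS contexts have no range
    return dict(zip(FIELDS, parts))


def parse_avc(line):
    """Extract denied permissions, class and both contexts from one record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("no AVC denial in line")
    kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    try:
        src, tgt, tclass = kv["scontext"], kv["tcontext"], kv["tclass"]
    except KeyError as exc:
        raise ValueError("AVC record lacks %s" % exc)
    return {"perms": m.group(1).split(), "tclass": tclass,
            "source": split_context(src), "target": split_context(tgt)}


def diagnose(line):
    """Report which context fields differ between source and target."""
    rec = parse_avc(line)
    changed = [f for f in FIELDS if rec["source"][f] != rec["target"][f]]
    # Per the reply: a transition that changes identity or role is also
    # checked against policy constraints, which allow rules do not touch.
    suspect = (rec["tclass"] == "process" and "transition" in rec["perms"]
               and any(f in changed for f in ("user", "role")))
    return {"changed": changed, "constraint_suspect": suspect}


if __name__ == "__main__":
    print(diagnose(AVC))
```
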