
Group :: Sistema/Servidores
RPM: cups


Patch: ALT-fc-lspp.patch


diff -ur cups-2.3.3.orig/scheduler/client.c cups-2.3.3/scheduler/client.c
--- cups-2.3.3.orig/scheduler/client.c	2022-08-03 16:51:45.007093746 +0000
+++ cups-2.3.3/scheduler/client.c	2022-08-03 16:52:32.629492394 +0000
@@ -615,7 +615,7 @@
   mime_type_t		*type;		/* MIME type of file */
   static unsigned	request_id = 0;	/* Request ID for temp files */
 #ifdef WITH_LSPP
-  security_context_t	spoolcon;	/* context of the job file */
+  char			*spoolcon;	/* context of the job file */
   context_t		clicon;		/* contex_t container for con->scon */
   context_t		tmpcon;		/* temp context to swap the level */
   char			*clirange;	/* SELinux sensitivity range */
diff -ur cups-2.3.3.orig/scheduler/client.c.orig cups-2.3.3/scheduler/client.c.orig
--- cups-2.3.3.orig/scheduler/client.c.orig	2022-08-03 16:51:45.006093759 +0000
+++ cups-2.3.3/scheduler/client.c.orig	2022-08-03 16:52:32.628492407 +0000
@@ -620,7 +620,7 @@
   mime_type_t		*type;		/* MIME type of file */
   static unsigned	request_id = 0;	/* Request ID for temp files */
 #ifdef WITH_LSPP
-  security_context_t	spoolcon;	/* context of the job file */
+  char			*spoolcon;	/* context of the job file */
   context_t		clicon;		/* contex_t container for con->scon */
   context_t		tmpcon;		/* temp context to swap the level */
   char			*clirange;	/* SELinux sensitivity range */
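Review bot: This section patches `scheduler/client.c.orig`, which looks like a backup left by an earlier patch run rather than a source the build compiles; the `ipp.c.orig` and `printers.c.orig` sections further down are the same. Carrying them means every later correction to this patch has to be made twice, and the copies have already drifted (this hunk sits at line 620, the real `client.c` hunk at 615). Regenerating the patch with the backups excluded, for example `diff -ur -x '*.orig'`, would leave only the files that are actually built.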
diff -ur cups-2.3.3.orig/scheduler/client.h cups-2.3.3/scheduler/client.h
--- cups-2.3.3.orig/scheduler/client.h	2022-08-03 16:51:44.984094037 +0000
+++ cups-2.3.3/scheduler/client.h	2022-08-03 16:52:32.606492684 +0000
@@ -71,7 +71,7 @@
   AuthorizationRef	authref;	/* Authorization ref */
 #endif /* HAVE_AUTHORIZATION_H */
 #ifdef WITH_LSPP
-  security_context_t	scon;		/* Security context of connection */
+  char			*scon;		/* Security context of connection */
   uid_t			auid;		/* Audit loginuid of the client */
 #endif /* WITH_LSPP */
 };
diff -ur cups-2.3.3.orig/scheduler/ipp.c cups-2.3.3/scheduler/ipp.c
--- cups-2.3.3.orig/scheduler/ipp.c	2022-08-03 16:51:45.010093709 +0000
+++ cups-2.3.3/scheduler/ipp.c	2022-08-03 16:52:32.632492356 +0000
@@ -36,8 +36,6 @@
 #include <selinux/selinux.h>
 #include <selinux/context.h>
 #include <selinux/avc.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
 #endif /* WITH_LSPP */
 
 /*
@@ -1270,7 +1268,7 @@
   security_id_t	psid;			/* SELinux SID for the printer */
   context_t	printercon;		/* Printer's context string */
   struct stat	printerstat;		/* Printer's stat buffer */
-  security_context_t	devcon;		/* Printer's SELinux context */
+  char		*devcon;		/* Printer's SELinux context */
   struct avc_entry_ref	avcref;		/* Pointer to the access vector cache */
   security_class_t	tclass;		/* Object class for the SELinux check */
   access_vector_t	avr;		/* Access method being requested */
@@ -1636,18 +1634,51 @@
 	/*
 	 * The printer does not exist, so for now assume it's a FileDevice
 	 */
-	tclass = SECCLASS_FILE;
-	avr = FILE__WRITE;
+	tclass = string_to_security_class("file");
+	if (tclass <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+		return (NULL);
+	}
+
+	avr = string_to_av_perm(tclass, "write");
+	if (avr <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+		return (NULL);
+	}
       }
       else if (S_ISCHR(printerstat.st_mode))
       {
-	tclass = SECCLASS_CHR_FILE;
-	avr = CHR_FILE__WRITE;
+	tclass = string_to_security_class("chr_file");
+	if (tclass <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"chr_file\""));
+		return (NULL);
+	}
+
+	avr = string_to_av_perm(tclass, "write");
+	if (avr <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"chr_file\""));
+		return (NULL);
+	}
       }
       else if (S_ISREG(printerstat.st_mode))
       {
-	tclass = SECCLASS_FILE;
-	avr = FILE__WRITE;
+	tclass = string_to_security_class("file");
+	if (tclass <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+		return (NULL);
+	}
+
+	avr = string_to_av_perm(tclass, "write");
+	if (avr <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+		return (NULL);
+	}
       }
       else
       {
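Review bot: The `tclass <= 0` and `avr <= 0` tests in all three arms compare values whose libselinux types (`security_class_t`, `access_vector_t`) are unsigned, so they can only mean "equal to zero"; `if (tclass == 0)` and `if (avr == 0)` state the intent and match the zero-on-failure return of `string_to_security_class()` and `string_to_av_perm()`. The same comparisons recur in the `check_context` hunk (-3971) and the `job.c` hunk (-5220). The "does not exist" and `S_ISREG` arms are now identical line for line, so letting each arm choose only the class name and translating once after the chain would leave a single deny path to audit. The enclosing function starts and ends outside this hunk, so whether anything acquired earlier needs releasing before the new `return (NULL)` should be confirmed against the full file.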
@@ -3920,7 +3951,7 @@
   struct avc_entry_ref	avcref;		/* AVC entry cache pointer */
   security_class_t	tclass;		/* SELinux security class */
   access_vector_t	avr;		/* SELinux access being queried */
-  security_context_t	spoolfilecon;	/* SELinux context of the spool file */
+  char			*spoolfilecon;	/* SELinux context of the spool file */
 
 
  /*
@@ -3971,8 +4002,22 @@
     return -1;
   }
   avc_entry_ref_init(&avcref);
-  tclass = SECCLASS_FILE;
-  avr = FILE__READ;
+ 
+  tclass = string_to_security_class("file");
+  if (tclass <= 0)
+  {
+    cupsdLogJob(job, CUPSD_LOG_ERROR,
+      "check_context: SELinux failed to translate security class \"file\"");
+    return -1;
+  }
+
+  avr = string_to_av_perm(tclass, "read");
+  if (avr <= 0)
+  {
+    cupsdLogJob(job, CUPSD_LOG_ERROR,
+      "check_context: SELinux failed to translate av perm \"read\" of security class \"file\"");
+    return -1;
+  }
 
  /*
   * Perform the check with the client as the subject, first with the job as the object
@@ -4486,7 +4531,7 @@
   char		*jobclearance;		/* SELinux low end clearance */
   context_t	jobcon;			/* SELinux context of the job */
   context_t	tmpcon;			/* Temp context to set the level */
-  security_context_t	spoolcon;	/* Context of the file in the spool */
+  char		*spoolcon;	/* Context of the file in the spool */
 #endif /* WITH_LSPP */
 
 
diff -ur cups-2.3.3.orig/scheduler/ipp.c.orig cups-2.3.3/scheduler/ipp.c.orig
--- cups-2.3.3.orig/scheduler/ipp.c.orig	2022-08-03 16:51:45.009093721 +0000
+++ cups-2.3.3/scheduler/ipp.c.orig	2022-08-03 16:52:32.631492369 +0000
@@ -36,8 +36,6 @@
 #include <selinux/selinux.h>
 #include <selinux/context.h>
 #include <selinux/avc.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
 #endif /* WITH_LSPP */
 
 /*
@@ -1270,7 +1268,7 @@
   security_id_t	psid;			/* SELinux SID for the printer */
   context_t	printercon;		/* Printer's context string */
   struct stat	printerstat;		/* Printer's stat buffer */
-  security_context_t	devcon;		/* Printer's SELinux context */
+  char		*devcon;		/* Printer's SELinux context */
   struct avc_entry_ref	avcref;		/* Pointer to the access vector cache */
   security_class_t	tclass;		/* Object class for the SELinux check */
   access_vector_t	avr;		/* Access method being requested */
@@ -1636,18 +1634,51 @@
 	/*
 	 * The printer does not exist, so for now assume it's a FileDevice
 	 */
-	tclass = SECCLASS_FILE;
-	avr = FILE__WRITE;
+	tclass = string_to_security_class("file");
+	if (tclass <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+		return (NULL);
+	}
+
+	avr = string_to_av_perm(tclass, "write");
+	if (avr <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+		return (NULL);
+	}
       }
       else if (S_ISCHR(printerstat.st_mode))
       {
-	tclass = SECCLASS_CHR_FILE;
-	avr = CHR_FILE__WRITE;
+	tclass = string_to_security_class("chr_file");
+	if (tclass <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"chr_file\""));
+		return (NULL);
+	}
+
+	avr = string_to_av_perm(tclass, "write");
+	if (avr <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"chr_file\""));
+		return (NULL);
+	}
       }
       else if (S_ISREG(printerstat.st_mode))
       {
-	tclass = SECCLASS_FILE;
-	avr = FILE__WRITE;
+	tclass = string_to_security_class("file");
+	if (tclass <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+		return (NULL);
+	}
+
+	avr = string_to_av_perm(tclass, "write");
+	if (avr <= 0)
+	{
+		send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+		return (NULL);
+	}
       }
       else
       {
@@ -3920,7 +3951,7 @@
   struct avc_entry_ref	avcref;		/* AVC entry cache pointer */
   security_class_t	tclass;		/* SELinux security class */
   access_vector_t	avr;		/* SELinux access being queried */
-  security_context_t	spoolfilecon;	/* SELinux context of the spool file */
+  char			*spoolfilecon;	/* SELinux context of the spool file */
 
 
  /*
@@ -3971,8 +4002,22 @@
     return -1;
   }
   avc_entry_ref_init(&avcref);
-  tclass = SECCLASS_FILE;
-  avr = FILE__READ;
+ 
+  tclass = string_to_security_class("file");
+  if (tclass <= 0)
+  {
+    cupsdLogJob(job, CUPSD_LOG_ERROR,
+      "check_context: SELinux failed to translate security class \"file\"");
+    return -1;
+  }
+
+  avr = string_to_av_perm(tclass, "read");
+  if (avr <= 0)
+  {
+    cupsdLogJob(job, CUPSD_LOG_ERROR,
+      "check_context: SELinux failed to translate av perm \"read\" of security class \"file\"");
+    return -1;
+  }
 
  /*
   * Perform the check with the client as the subject, first with the job as the object
@@ -4486,7 +4531,7 @@
   char		*jobclearance;		/* SELinux low end clearance */
   context_t	jobcon;			/* SELinux context of the job */
   context_t	tmpcon;			/* Temp context to set the level */
-  security_context_t	spoolcon;	/* Context of the file in the spool */
+  char		*spoolcon;	/* Context of the file in the spool */
 #endif /* WITH_LSPP */
 
 
diff -ur cups-2.3.3.orig/scheduler/job.c cups-2.3.3/scheduler/job.c
--- cups-2.3.3.orig/scheduler/job.c	2022-08-03 16:51:45.007093746 +0000
+++ cups-2.3.3/scheduler/job.c	2022-08-03 16:52:32.629492394 +0000
@@ -31,8 +31,6 @@
 #include <selinux/selinux.h>
 #include <selinux/context.h>
 #include <selinux/avc.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
 #endif /* WITH_LSPP */
 
 /*
@@ -2370,7 +2368,7 @@
   char		filename[1024];		/* Job control filename */
   cups_file_t	*fp;			/* Job file */
 #ifdef WITH_LSPP
-  security_context_t	spoolcon;	/* context of the job control file */
+  char			*spoolcon;	/* context of the job control file */
   context_t		jobcon;		/* contex_t container for job->scon */
   context_t		tmpcon;		/* Temp context to swap the level */
   char			*jobclearance;	/* SELinux low end clearance */
@@ -5001,7 +4999,7 @@
   security_id_t		psid;		/* SELinux SID for the printer */
   context_t		printercon;	/* Printer's context string */
   struct stat		printerstat;	/* Printer's stat buffer */
-  security_context_t	devcon;		/* Printer's SELinux context */
+  char			*devcon;		/* Printer's SELinux context */
   struct avc_entry_ref	avcref;		/* Pointer to the access vector cache */
   security_class_t	tclass;		/* Object class for the SELinux check */
   access_vector_t	avr;		/* Access method being requested */
@@ -5220,18 +5218,63 @@
 	/*
 	 * The printer does not exist, so for now assume it's a FileDevice
 	 */
-	tclass = SECCLASS_FILE;
-	avr = FILE__WRITE;
+	tclass = string_to_security_class("file");
+	if (tclass <= 0)
+	{
+		cupsdLogJob(job, CUPSD_LOG_ERROR,
+			    "StartJob: SELinux failed to translate security class \"file\"");
+		cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+		return ;
+	}
+
+	avr = string_to_av_perm(tclass, "write");
+	if (avr <= 0)
+	{
+		cupsdLogJob(job, CUPSD_LOG_ERROR,
+			    "StartJob: SELinux failed to translate av perm \"write\" of security class \"file\"");
+		cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+		return ;
+	}
       }
       else if (S_ISCHR(printerstat.st_mode))
       {
-	tclass = SECCLASS_CHR_FILE;
-	avr = CHR_FILE__WRITE;
+	tclass = string_to_security_class("chr_file");
+	if (tclass <= 0)
+	{
+		cupsdLogJob(job, CUPSD_LOG_ERROR,
+			    "StartJob: SELinux failed to translate security class \"chr_file\"");
+		cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+		return ;
+	}
+
+	avr = string_to_av_perm(tclass, "write");
+	if (avr <= 0)
+	{
+		cupsdLogJob(job, CUPSD_LOG_ERROR,
+			    "StartJob: SELinux failed to translate av perm \"write\" of security class \"chr_file\"");
+		cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+		return ;
+	}
       }
       else if (S_ISREG(printerstat.st_mode))
       {
-	tclass = SECCLASS_FILE;
-	avr = FILE__WRITE;
+	tclass = string_to_security_class("file");
+	if (tclass <= 0)
+	{
+		cupsdLogJob(job, CUPSD_LOG_ERROR,
+			    "StartJob: SELinux failed to translate security class \"file\"");
+		cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+		return ;
+	}
+
+	avr = string_to_av_perm(tclass, "write");
+	if (avr <= 0)
+	{
+		cupsdLogJob(job, CUPSD_LOG_ERROR,
+			    "StartJob: SELinux failed to translate av perm \"write\" of security class \"file\"");
+		cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+		return ;
+	}
       }
       else
       {
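Review bot: Each new failure path aborts the job with `cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL)`, so the reason is written only to the error log and the job itself carries no message saying why labelled printing was refused. Passing the text to the state change as well, e.g. `cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, "SELinux failed to translate security class \"file\"");`, would put the cause where an operator looking at the job sees it; check how the neighbouring deny paths in this function report before settling on one form. `return ;` is better written `return;`. The function starts and ends outside the hunk, so any cleanup owed before these early returns cannot be checked from here.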
diff -ur cups-2.3.3.orig/scheduler/job.h cups-2.3.3/scheduler/job.h
--- cups-2.3.3.orig/scheduler/job.h	2022-08-03 16:51:44.986094012 +0000
+++ cups-2.3.3/scheduler/job.h	2022-08-03 16:52:32.608492659 +0000
@@ -92,7 +92,7 @@
   int			num_keywords;	/* Number of PPD keywords */
   cups_option_t		*keywords;	/* PPD keywords */
 #ifdef WITH_LSPP
-  security_context_t	scon;		/* Security context of job */
+  char			*scon;		/* Security context of job */
   uid_t			auid;		/* Audit loginuid for this job */
 #endif /* WITH_LSPP */
 };
diff -ur cups-2.3.3.orig/scheduler/printers.c cups-2.3.3/scheduler/printers.c
--- cups-2.3.3.orig/scheduler/printers.c	2022-08-03 16:51:45.004093784 +0000
+++ cups-2.3.3/scheduler/printers.c	2022-08-03 16:52:32.625492444 +0000
@@ -2267,7 +2267,7 @@
   char		*audit_message;		/* Audit message string */
   char		*printerfile;		/* Path to a local printer dev */
   char		*rangestr;		/* Printer's range if its available */
-  security_context_t	devcon;		/* Printer SELinux context */
+  char		*devcon;		/* Printer SELinux context */
   context_t	printercon;		/* context_t for the printer */
 #endif /* WITH_LSPP */
 
diff -ur cups-2.3.3.orig/scheduler/printers.c.orig cups-2.3.3/scheduler/printers.c.orig
--- cups-2.3.3.orig/scheduler/printers.c.orig	2022-08-03 16:51:44.994093911 +0000
+++ cups-2.3.3/scheduler/printers.c.orig	2022-08-03 16:52:32.616492558 +0000
@@ -2266,7 +2266,7 @@
   char		*audit_message;		/* Audit message string */
   char		*printerfile;		/* Path to a local printer dev */
   char		*rangestr;		/* Printer's range if its available */
-  security_context_t	devcon;		/* Printer SELinux context */
+  char		*devcon;		/* Printer SELinux context */
   context_t	printercon;		/* context_t for the printer */
 #endif /* WITH_LSPP */
 
diff --git a/config-scripts/cups-lspp.m4 b/config-scripts/cups-lspp.m4
index 9c59fab..55bd1bb 100644
--- a/config-scripts/cups-lspp.m4
+++ b/config-scripts/cups-lspp.m4
@@ -21,7 +21,7 @@ dnl Are we trying to meet LSPP requirements
 AC_ARG_ENABLE(lspp, [  --enable-lspp           turn on auditing and label support, default=no])
 
 if test x"$enable_lspp" != xno; then
-    case "$uname" in
+    case "$(uname)" in
         Linux)
             AC_CHECK_LIB(audit,audit_log_user_message, [LIBAUDIT="-laudit" AC_SUBST(LIBAUDIT)])
             AC_CHECK_HEADER(libaudit.h)
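Review bot: `$(uname)` on the new `case` line asks the machine running configure, so a cross build would decide LSPP support from the build host rather than the target. If configure already runs `AC_CANONICAL_HOST` (not visible here), `case "$host_os" in` with a `linux*)` arm is the conventional test. The `case` continues past the end of the hunk, so it cannot be seen whether a non-matching system with `--enable-lspp` given stops with an error or quietly builds without label support; for a security feature the explicit error is the safer outcome.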
 