RPM: cups
Patch: ALT-fc-lspp.patch
diff -ur cups-2.3.3.orig/scheduler/client.c cups-2.3.3/scheduler/client.c
--- cups-2.3.3.orig/scheduler/client.c 2022-08-03 16:51:45.007093746 +0000
+++ cups-2.3.3/scheduler/client.c 2022-08-03 16:52:32.629492394 +0000
@@ -615,7 +615,7 @@
mime_type_t *type; /* MIME type of file */
static unsigned request_id = 0; /* Request ID for temp files */
#ifdef WITH_LSPP
- security_context_t spoolcon; /* context of the job file */
+ char *spoolcon; /* context of the job file */
context_t clicon; /* contex_t container for con->scon */
context_t tmpcon; /* temp context to swap the level */
char *clirange; /* SELinux sensitivity range */
diff -ur cups-2.3.3.orig/scheduler/client.c.orig cups-2.3.3/scheduler/client.c.orig
--- cups-2.3.3.orig/scheduler/client.c.orig 2022-08-03 16:51:45.006093759 +0000
+++ cups-2.3.3/scheduler/client.c.orig 2022-08-03 16:52:32.628492407 +0000
@@ -620,7 +620,7 @@
mime_type_t *type; /* MIME type of file */
static unsigned request_id = 0; /* Request ID for temp files */
#ifdef WITH_LSPP
- security_context_t spoolcon; /* context of the job file */
+ char *spoolcon; /* context of the job file */
context_t clicon; /* contex_t container for con->scon */
context_t tmpcon; /* temp context to swap the level */
char *clirange; /* SELinux sensitivity range */
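Review bot: This section patches `scheduler/client.c.orig`, which looks like a backup copy left behind by an earlier patch run rather than a source file, and the same applies to the `ipp.c.orig` and `printers.c.orig` sections further down. Those files are not compiled, so the hunks change nothing in the built scheduler, and the patch will presumably fail or prompt when applied to a tree where the `.orig` files are absent. I would regenerate the diff with backups excluded, e.g. `diff -ur -x '*.orig' cups-2.3.3.orig cups-2.3.3`.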
diff -ur cups-2.3.3.orig/scheduler/client.h cups-2.3.3/scheduler/client.h
--- cups-2.3.3.orig/scheduler/client.h 2022-08-03 16:51:44.984094037 +0000
+++ cups-2.3.3/scheduler/client.h 2022-08-03 16:52:32.606492684 +0000
@@ -71,7 +71,7 @@
AuthorizationRef authref; /* Authorization ref */
#endif /* HAVE_AUTHORIZATION_H */
#ifdef WITH_LSPP
- security_context_t scon; /* Security context of connection */
+ char *scon; /* Security context of connection */
uid_t auid; /* Audit loginuid of the client */
#endif /* WITH_LSPP */
};
diff -ur cups-2.3.3.orig/scheduler/ipp.c cups-2.3.3/scheduler/ipp.c
--- cups-2.3.3.orig/scheduler/ipp.c 2022-08-03 16:51:45.010093709 +0000
+++ cups-2.3.3/scheduler/ipp.c 2022-08-03 16:52:32.632492356 +0000
@@ -36,8 +36,6 @@
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <selinux/avc.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
#endif /* WITH_LSPP */
/*
@@ -1270,7 +1268,7 @@
security_id_t psid; /* SELinux SID for the printer */
context_t printercon; /* Printer's context string */
struct stat printerstat; /* Printer's stat buffer */
- security_context_t devcon; /* Printer's SELinux context */
+ char *devcon; /* Printer's SELinux context */
struct avc_entry_ref avcref; /* Pointer to the access vector cache */
security_class_t tclass; /* Object class for the SELinux check */
access_vector_t avr; /* Access method being requested */
@@ -1636,18 +1634,51 @@
/*
* The printer does not exist, so for now assume it's a FileDevice
*/
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+ return (NULL);
+ }
}
else if (S_ISCHR(printerstat.st_mode))
{
- tclass = SECCLASS_CHR_FILE;
- avr = CHR_FILE__WRITE;
+ tclass = string_to_security_class("chr_file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"chr_file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"chr_file\""));
+ return (NULL);
+ }
}
else if (S_ISREG(printerstat.st_mode))
{
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+ return (NULL);
+ }
}
else
{
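Review bot: The `tclass <= 0` and `avr <= 0` tests in all three branches are applied to values that cannot be negative (`security_class_t` and `access_vector_t` are unsigned in libselinux), so the real failure condition is `== 0` and is clearer written that way. The same lookup-and-check sequence appears three times here, and again in the check_context hunk at -3971 and the job.c hunk at -5220; a small static helper (one per translation unit) would keep the fail-closed handling in one place. The new `return (NULL)` exits sit inside a block that starts outside the hunk: if `devcon` or `printercon` (declared in the -1270 hunk) are already populated at this point they need `freecon()` / `context_free()` first, which cannot be confirmed from the visible lines.

```c
/* Resolve a class and permission name against the loaded policy.
 * Returns 0 on success, -1 when either name is unknown. */
static int
lspp_lookup_perm(const char *cls, const char *perm,
                 security_class_t *tclass, access_vector_t *avr)
{
  *tclass = string_to_security_class(cls);
  if (*tclass == 0)
    return (-1);

  *avr = string_to_av_perm(*tclass, perm);
  return (*avr == 0 ? -1 : 0);
}

/* … unchanged: stat() of the printer device and the ENOENT branch opening … */
      if (lspp_lookup_perm("file", "write", &tclass, &avr))
      {
        send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
        return (NULL);
      }
/* … unchanged: S_ISCHR and S_ISREG branches, same pattern with "chr_file" / "file" … */
```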
@@ -3920,7 +3951,7 @@
struct avc_entry_ref avcref; /* AVC entry cache pointer */
security_class_t tclass; /* SELinux security class */
access_vector_t avr; /* SELinux access being queried */
- security_context_t spoolfilecon; /* SELinux context of the spool file */
+ char *spoolfilecon; /* SELinux context of the spool file */
/*
@@ -3971,8 +4002,22 @@
return -1;
}
avc_entry_ref_init(&avcref);
- tclass = SECCLASS_FILE;
- avr = FILE__READ;
+
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "check_context: SELinux failed to translate security class \"file\"");
+ return -1;
+ }
+
+ avr = string_to_av_perm(tclass, "read");
+ if (avr <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "check_context: SELinux failed to translate av perm \"read\" of security class \"file\"");
+ return -1;
+ }
/*
* Perform the check with the client as the subject, first with the job as the object
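Review bot: The two new `return -1` exits come after the contexts for this check have been set up, and nothing on these paths releases them. `spoolfilecon` (declared in the -3920 hunk) is, judging by its comment, read from the spool file before this point; if so, each new exit should call `freecon(spoolfilecon);` before returning. The function body starts and ends outside the hunk, so whether the existing `return -1` just above has the same gap cannot be seen from here.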
@@ -4486,7 +4531,7 @@
char *jobclearance; /* SELinux low end clearance */
context_t jobcon; /* SELinux context of the job */
context_t tmpcon; /* Temp context to set the level */
- security_context_t spoolcon; /* Context of the file in the spool */
+ char *spoolcon; /* Context of the file in the spool */
#endif /* WITH_LSPP */
diff -ur cups-2.3.3.orig/scheduler/ipp.c.orig cups-2.3.3/scheduler/ipp.c.orig
--- cups-2.3.3.orig/scheduler/ipp.c.orig 2022-08-03 16:51:45.009093721 +0000
+++ cups-2.3.3/scheduler/ipp.c.orig 2022-08-03 16:52:32.631492369 +0000
@@ -36,8 +36,6 @@
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <selinux/avc.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
#endif /* WITH_LSPP */
/*
@@ -1270,7 +1268,7 @@
security_id_t psid; /* SELinux SID for the printer */
context_t printercon; /* Printer's context string */
struct stat printerstat; /* Printer's stat buffer */
- security_context_t devcon; /* Printer's SELinux context */
+ char *devcon; /* Printer's SELinux context */
struct avc_entry_ref avcref; /* Pointer to the access vector cache */
security_class_t tclass; /* Object class for the SELinux check */
access_vector_t avr; /* Access method being requested */
@@ -1636,18 +1634,51 @@
/*
* The printer does not exist, so for now assume it's a FileDevice
*/
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+ return (NULL);
+ }
}
else if (S_ISCHR(printerstat.st_mode))
{
- tclass = SECCLASS_CHR_FILE;
- avr = CHR_FILE__WRITE;
+ tclass = string_to_security_class("chr_file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"chr_file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"chr_file\""));
+ return (NULL);
+ }
}
else if (S_ISREG(printerstat.st_mode))
{
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+ return (NULL);
+ }
}
else
{
@@ -3920,7 +3951,7 @@
struct avc_entry_ref avcref; /* AVC entry cache pointer */
security_class_t tclass; /* SELinux security class */
access_vector_t avr; /* SELinux access being queried */
- security_context_t spoolfilecon; /* SELinux context of the spool file */
+ char *spoolfilecon; /* SELinux context of the spool file */
/*
@@ -3971,8 +4002,22 @@
return -1;
}
avc_entry_ref_init(&avcref);
- tclass = SECCLASS_FILE;
- avr = FILE__READ;
+
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "check_context: SELinux failed to translate security class \"file\"");
+ return -1;
+ }
+
+ avr = string_to_av_perm(tclass, "read");
+ if (avr <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "check_context: SELinux failed to translate av perm \"read\" of security class \"file\"");
+ return -1;
+ }
/*
* Perform the check with the client as the subject, first with the job as the object
@@ -4486,7 +4531,7 @@
char *jobclearance; /* SELinux low end clearance */
context_t jobcon; /* SELinux context of the job */
context_t tmpcon; /* Temp context to set the level */
- security_context_t spoolcon; /* Context of the file in the spool */
+ char *spoolcon; /* Context of the file in the spool */
#endif /* WITH_LSPP */
diff -ur cups-2.3.3.orig/scheduler/job.c cups-2.3.3/scheduler/job.c
--- cups-2.3.3.orig/scheduler/job.c 2022-08-03 16:51:45.007093746 +0000
+++ cups-2.3.3/scheduler/job.c 2022-08-03 16:52:32.629492394 +0000
@@ -31,8 +31,6 @@
#include <selinux/selinux.h>
#include <selinux/context.h>
#include <selinux/avc.h>
-#include <selinux/flask.h>
-#include <selinux/av_permissions.h>
#endif /* WITH_LSPP */
/*
@@ -2370,7 +2368,7 @@
char filename[1024]; /* Job control filename */
cups_file_t *fp; /* Job file */
#ifdef WITH_LSPP
- security_context_t spoolcon; /* context of the job control file */
+ char *spoolcon; /* context of the job control file */
context_t jobcon; /* contex_t container for job->scon */
context_t tmpcon; /* Temp context to swap the level */
char *jobclearance; /* SELinux low end clearance */
@@ -5001,7 +4999,7 @@
security_id_t psid; /* SELinux SID for the printer */
context_t printercon; /* Printer's context string */
struct stat printerstat; /* Printer's stat buffer */
- security_context_t devcon; /* Printer's SELinux context */
+ char *devcon; /* Printer's SELinux context */
struct avc_entry_ref avcref; /* Pointer to the access vector cache */
security_class_t tclass; /* Object class for the SELinux check */
access_vector_t avr; /* Access method being requested */
@@ -5220,18 +5218,63 @@
/*
* The printer does not exist, so for now assume it's a FileDevice
*/
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate security class \"file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate av perm \"write\" of security class \"file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
}
else if (S_ISCHR(printerstat.st_mode))
{
- tclass = SECCLASS_CHR_FILE;
- avr = CHR_FILE__WRITE;
+ tclass = string_to_security_class("chr_file");
+ if (tclass <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate security class \"chr_file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate av perm \"write\" of security class \"chr_file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
}
else if (S_ISREG(printerstat.st_mode))
{
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate security class \"file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate av perm \"write\" of security class \"file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
}
else
{
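Review bot: Every new failure path calls `cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL)` with a NULL message, so the reason is written only to the scheduler log and the job is aborted with no state message for whoever submitted it. Passing the text as the message argument, e.g. `cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, "SELinux failed to translate security class \"file\"");`, makes a policy mismatch diagnosable from the client side as well. The stray space in `return ;` would also be better as `return;`. The enclosing function starts and ends outside the hunk.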
diff -ur cups-2.3.3.orig/scheduler/job.h cups-2.3.3/scheduler/job.h
--- cups-2.3.3.orig/scheduler/job.h 2022-08-03 16:51:44.986094012 +0000
+++ cups-2.3.3/scheduler/job.h 2022-08-03 16:52:32.608492659 +0000
@@ -92,7 +92,7 @@
int num_keywords; /* Number of PPD keywords */
cups_option_t *keywords; /* PPD keywords */
#ifdef WITH_LSPP
- security_context_t scon; /* Security context of job */
+ char *scon; /* Security context of job */
uid_t auid; /* Audit loginuid for this job */
#endif /* WITH_LSPP */
};
diff -ur cups-2.3.3.orig/scheduler/printers.c cups-2.3.3/scheduler/printers.c
--- cups-2.3.3.orig/scheduler/printers.c 2022-08-03 16:51:45.004093784 +0000
+++ cups-2.3.3/scheduler/printers.c 2022-08-03 16:52:32.625492444 +0000
@@ -2267,7 +2267,7 @@
char *audit_message; /* Audit message string */
char *printerfile; /* Path to a local printer dev */
char *rangestr; /* Printer's range if its available */
- security_context_t devcon; /* Printer SELinux context */
+ char *devcon; /* Printer SELinux context */
context_t printercon; /* context_t for the printer */
#endif /* WITH_LSPP */
diff -ur cups-2.3.3.orig/scheduler/printers.c.orig cups-2.3.3/scheduler/printers.c.orig
--- cups-2.3.3.orig/scheduler/printers.c.orig 2022-08-03 16:51:44.994093911 +0000
+++ cups-2.3.3/scheduler/printers.c.orig 2022-08-03 16:52:32.616492558 +0000
@@ -2266,7 +2266,7 @@
char *audit_message; /* Audit message string */
char *printerfile; /* Path to a local printer dev */
char *rangestr; /* Printer's range if its available */
- security_context_t devcon; /* Printer SELinux context */
+ char *devcon; /* Printer SELinux context */
context_t printercon; /* context_t for the printer */
#endif /* WITH_LSPP */
diff --git a/config-scripts/cups-lspp.m4 b/config-scripts/cups-lspp.m4
index 9c59fab..55bd1bb 100644
--- a/config-scripts/cups-lspp.m4
+++ b/config-scripts/cups-lspp.m4
@@ -21,7 +21,7 @@ dnl Are we trying to meet LSPP requirements
AC_ARG_ENABLE(lspp, [ --enable-lspp turn on auditing and label support, default=no])
if test x"$enable_lspp" != xno; then
- case "$uname" in
+ case "$(uname)" in
Linux)
AC_CHECK_LIB(audit,audit_log_user_message, [LIBAUDIT="-laudit" AC_SUBST(LIBAUDIT)])
AC_CHECK_HEADER(libaudit.h)
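Review bot: `case "$(uname)" in` runs uname on the build machine at configure time, so a cross-build for Linux from another host would skip the audit/SELinux library checks while `--enable-lspp` was requested, and the reverse case would run them for a non-Linux target. If the surrounding configure scripts already compute a host OS variable (CUPS 2.3 appears to use `host_os_name`), matching on it is more robust: `case "$host_os_name" in` with a `linux*)` pattern. It would also help if the non-Linux arm failed configure outright when LSPP was requested, rather than continuing without label support; the rest of the case statement is outside the hunk, so that may already be handled.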