diff -ur cups-2.3.3.orig/scheduler/client.c cups-2.3.3/scheduler/client.c
--- cups-2.3.3.orig/scheduler/client.c 2022-08-03 16:51:45.007093746 +0000
+++ cups-2.3.3/scheduler/client.c 2022-08-03 16:52:32.629492394 +0000
@@ -615,7 +615,7 @@
 mime_type_t *type; /* MIME type of file */
 static unsigned request_id = 0; /* Request ID for temp files */
 #ifdef WITH_LSPP
- security_context_t spoolcon; /* context of the job file */
+ char *spoolcon; /* context of the job file */
 context_t clicon; /* contex_t container for con->scon */
 context_t tmpcon; /* temp context to swap the level */
 char *clirange; /* SELinux sensitivity range */
diff -ur cups-2.3.3.orig/scheduler/client.c.orig cups-2.3.3/scheduler/client.c.orig
--- cups-2.3.3.orig/scheduler/client.c.orig 2022-08-03 16:51:45.006093759 +0000
+++ cups-2.3.3/scheduler/client.c.orig 2022-08-03 16:52:32.628492407 +0000
@@ -620,7 +620,7 @@
 mime_type_t *type; /* MIME type of file */
 static unsigned request_id = 0; /* Request ID for temp files */
 #ifdef WITH_LSPP
- security_context_t spoolcon; /* context of the job file */
+ char *spoolcon; /* context of the job file */
 context_t clicon; /* contex_t container for con->scon */
 context_t tmpcon; /* temp context to swap the level */
 char *clirange; /* SELinux sensitivity range */
diff -ur cups-2.3.3.orig/scheduler/client.h cups-2.3.3/scheduler/client.h
--- cups-2.3.3.orig/scheduler/client.h 2022-08-03 16:51:44.984094037 +0000
+++ cups-2.3.3/scheduler/client.h 2022-08-03 16:52:32.606492684 +0000
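Review bot: The file section for `scheduler/client.c.orig` (and likewise `scheduler/ipp.c.orig` and `scheduler/printers.c.orig` further down) diffs a backup copy left behind by an earlier `patch` run; applying this patch would plant `.orig` files in the source tree and, should a backup ever drift from the real file, silently carry a second copy of the LSPP access-check code. Those three sections should be dropped and the patch regenerated from a clean tree (backups removed before `diff -ur`, or a `git diff` of a tracked checkout). The remaining client.c hunk, swapping `security_context_t spoolcon` for `char *spoolcon`, is a plain type rename and needs no further change.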
@@ -71,7 +71,7 @@
 AuthorizationRef authref; /* Authorization ref */
 #endif /* HAVE_AUTHORIZATION_H */
 #ifdef WITH_LSPP
- security_context_t scon; /* Security context of connection */
+ char *scon; /* Security context of connection */
 uid_t auid; /* Audit loginuid of the client */
 #endif /* WITH_LSPP */
 };
diff -ur cups-2.3.3.orig/scheduler/ipp.c cups-2.3.3/scheduler/ipp.c
--- cups-2.3.3.orig/scheduler/ipp.c 2022-08-03 16:51:45.010093709 +0000
+++ cups-2.3.3/scheduler/ipp.c 2022-08-03 16:52:32.632492356 +0000
@@ -36,8 +36,6 @@
 #include
 #include
 #include
-#include
-#include
 #endif /* WITH_LSPP */
 
 /*
@@ -1270,7 +1268,7 @@
 security_id_t psid; /* SELinux SID for the printer */
 context_t printercon; /* Printer's context string */
 struct stat printerstat; /* Printer's stat buffer */
- security_context_t devcon; /* Printer's SELinux context */
+ char *devcon; /* Printer's SELinux context */
 struct avc_entry_ref avcref; /* Pointer to the access vector cache */
 security_class_t tclass; /* Object class for the SELinux check */
 access_vector_t avr; /* Access method being requested */
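Review bot: The `scon` field in the client.h struct now reads `char *scon;`, which drops the ownership hint the `security_context_t` name used to give; libselinux defines that typedef as `char *` (and has deprecated it), so the change is layout-neutral, but the comment should say who frees the string, e.g. `char *scon; /* Security context of connection; libselinux allocation, release with freecon() */` — assuming, as is usual for a peer context, that it comes from getpeercon(); confirm against the assignment, which is outside this hunk. The same wording applies to `scon` in the job.h hunk and to the local `spoolcon`/`devcon`/`spoolfilecon` declarations in client.c, ipp.c, job.c and printers.c. Separately, the two removed `#include` lines in the ipp.c `@@ -36,8 +36,6 @@` hunk on this line (and the matching job.c hunk) show no header name in this rendering, so the patch text should be checked against the original before it is applied.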
@@ -1636,18 +1634,51 @@
 /*
 * The printer does not exist, so for now assume it's a FileDevice
 */
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+ return (NULL);
+ }
 }
 else if (S_ISCHR(printerstat.st_mode))
 {
- tclass = SECCLASS_CHR_FILE;
- avr = CHR_FILE__WRITE;
+ tclass = string_to_security_class("chr_file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"chr_file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"chr_file\""));
+ return (NULL);
+ }
 }
 else if (S_ISREG(printerstat.st_mode))
 {
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+ return (NULL);
+ }
 }
 else
 {
@@ -3920,7 +3951,7 @@
 struct avc_entry_ref avcref; /* AVC entry cache pointer */
 security_class_t tclass; /* SELinux security class */
 access_vector_t avr; /* SELinux access being queried */
- security_context_t spoolfilecon; /* SELinux context of the spool file */
+ char *spoolfilecon; /* SELinux context of the spool file */
 
 
 /*
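Review bot: `if (tclass <= 0)` and `if (avr <= 0)` test unsigned values — `security_class_t` and `access_vector_t` are unsigned integer typedefs in libselinux, and `string_to_security_class()`/`string_to_av_perm()` return 0 when the loaded policy lacks the name — so the comparisons can only ever be `== 0`; writing `if (tclass == 0)` / `if (avr == 0)` states that intent. The same 13-line translate-and-fail block is pasted three times here (the `S_ISREG` branch is identical to the no-printer branch), again in the `@@ -3971` check_context hunk, and three more times in the job.c `@@ -5220` hunk with different reporting; a small static helper, sketched below, keeps the fail-closed behaviour in one place and leaves each branch a single call. Reporting a policy-lookup failure as `IPP_NOT_AUTHORIZED` is fail-closed, which is the right default, though `IPP_INTERNAL_ERROR` would tell clients it is a server-side policy problem rather than a denial — a judgement call for the maintainers. The enclosing function starts and ends outside this hunk.
```c
/*
 * 'lspp_lookup_perm()' - Resolve an SELinux class/permission pair by name.
 *
 * Returns 1 on success.  Returns 0 when the loaded policy does not define the
 * class or the permission; callers must treat that as a denial (fail closed).
 */

static int
lspp_lookup_perm(const char       *classname,  /* I - Policy class name, e.g. "file" */
                 const char       *permname,   /* I - Permission name, e.g. "write" */
                 security_class_t *tclass,     /* O - Resolved class */
                 access_vector_t  *avr)        /* O - Resolved access vector */
{
  *tclass = string_to_security_class(classname);
  if (*tclass == 0)
    return (0);

  *avr = string_to_av_perm(*tclass, permname);
  return (*avr != 0);
}

/* … unchanged: printer stat and the existence / S_ISCHR / S_ISREG tests … */

    if (!lspp_lookup_perm("chr_file", "write", &tclass, &avr))
    {
      send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"chr_file\" or permission \"write\""));
      return (NULL);
    }
```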
@@ -3971,8 +4002,22 @@
 return -1;
 }
 avc_entry_ref_init(&avcref);
- tclass = SECCLASS_FILE;
- avr = FILE__READ;
+
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "check_context: SELinux failed to translate security class \"file\"");
+ return -1;
+ }
+
+ avr = string_to_av_perm(tclass, "read");
+ if (avr <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "check_context: SELinux failed to translate av perm \"read\" of security class \"file\"");
+ return -1;
+ }
 
 /*
 * Perform the check with the client as the subject, first with the job as the object
@@ -4486,7 +4531,7 @@
 char *jobclearance; /* SELinux low end clearance */
 context_t jobcon; /* SELinux context of the job */
 context_t tmpcon; /* Temp context to set the level */
- security_context_t spoolcon; /* Context of the file in the spool */
+ char *spoolcon; /* Context of the file in the spool */
 #endif /* WITH_LSPP */
 
 
diff -ur cups-2.3.3.orig/scheduler/ipp.c.orig cups-2.3.3/scheduler/ipp.c.orig
--- cups-2.3.3.orig/scheduler/ipp.c.orig 2022-08-03 16:51:45.009093721 +0000
+++ cups-2.3.3/scheduler/ipp.c.orig 2022-08-03 16:52:32.631492369 +0000
@@ -36,8 +36,6 @@
 #include
 #include
 #include
-#include
-#include
 #endif /* WITH_LSPP */
 
 /*
@@ -1270,7 +1268,7 @@
 security_id_t psid; /* SELinux SID for the printer */
 context_t printercon; /* Printer's context string */
 struct stat printerstat; /* Printer's stat buffer */
- security_context_t devcon; /* Printer's SELinux context */
+ char *devcon; /* Printer's SELinux context */
 struct avc_entry_ref avcref; /* Pointer to the access vector cache */
 security_class_t tclass; /* Object class for the SELinux check */
 access_vector_t avr; /* Access method being requested */
@@ -1636,18 +1634,51 @@
 /*
 * The printer does not exist, so for now assume it's a FileDevice
 */
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+ return (NULL);
+ }
 }
 else if (S_ISCHR(printerstat.st_mode))
 {
- tclass = SECCLASS_CHR_FILE;
- avr = CHR_FILE__WRITE;
+ tclass = string_to_security_class("chr_file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"chr_file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"chr_file\""));
+ return (NULL);
+ }
 }
 else if (S_ISREG(printerstat.st_mode))
 {
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate security class \"file\""));
+ return (NULL);
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux failed to translate av perm \"write\" of security class \"file\""));
+ return (NULL);
+ }
 }
 else
 {
@@ -3920,7 +3951,7 @@
 struct avc_entry_ref avcref; /* AVC entry cache pointer */
 security_class_t tclass; /* SELinux security class */
 access_vector_t avr; /* SELinux access being queried */
- security_context_t spoolfilecon; /* SELinux context of the spool file */
+ char *spoolfilecon; /* SELinux context of the spool file */
 
 
 /*
@@ -3971,8 +4002,22 @@
 return -1;
 }
 avc_entry_ref_init(&avcref);
- tclass = SECCLASS_FILE;
- avr = FILE__READ;
+
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "check_context: SELinux failed to translate security class \"file\"");
+ return -1;
+ }
+
+ avr = string_to_av_perm(tclass, "read");
+ if (avr <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "check_context: SELinux failed to translate av perm \"read\" of security class \"file\"");
+ return -1;
+ }
 
 /*
 * Perform the check with the client as the subject, first with the job as the object
@@ -4486,7 +4531,7 @@
 char *jobclearance; /* SELinux low end clearance */
 context_t jobcon; /* SELinux context of the job */
 context_t tmpcon; /* Temp context to set the level */
- security_context_t spoolcon; /* Context of the file in the spool */
+ char *spoolcon; /* Context of the file in the spool */
 #endif /* WITH_LSPP */
 
 
diff -ur cups-2.3.3.orig/scheduler/job.c cups-2.3.3/scheduler/job.c
--- cups-2.3.3.orig/scheduler/job.c 2022-08-03 16:51:45.007093746 +0000
+++ cups-2.3.3/scheduler/job.c 2022-08-03 16:52:32.629492394 +0000
@@ -31,8 +31,6 @@
 #include
 #include
 #include
-#include
-#include
 #endif /* WITH_LSPP */
 
 /*
@@ -2370,7 +2368,7 @@
 char filename[1024]; /* Job control filename */
 cups_file_t *fp; /* Job file */
 #ifdef WITH_LSPP
- security_context_t spoolcon; /* context of the job control file */
+ char *spoolcon; /* context of the job control file */
 context_t jobcon; /* contex_t container for job->scon */
 context_t tmpcon; /* Temp context to swap the level */
 char *jobclearance; /* SELinux low end clearance */
@@ -5001,7 +4999,7 @@
 security_id_t psid; /* SELinux SID for the printer */
 context_t printercon; /* Printer's context string */
 struct stat printerstat; /* Printer's stat buffer */
- security_context_t devcon; /* Printer's SELinux context */
+ char *devcon; /* Printer's SELinux context */
 struct avc_entry_ref avcref; /* Pointer to the access vector cache */
 security_class_t tclass; /* Object class for the SELinux check */
 access_vector_t avr; /* Access method being requested */
@@ -5220,18 +5218,63 @@
 /*
 * The printer does not exist, so for now assume it's a FileDevice
 */
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate security class \"file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate av perm \"write\" of security class \"file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
 }
 else if (S_ISCHR(printerstat.st_mode))
 {
- tclass = SECCLASS_CHR_FILE;
- avr = CHR_FILE__WRITE;
+ tclass = string_to_security_class("chr_file");
+ if (tclass <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate security class \"chr_file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate av perm \"write\" of security class \"chr_file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
 }
 else if (S_ISREG(printerstat.st_mode))
 {
- tclass = SECCLASS_FILE;
- avr = FILE__WRITE;
+ tclass = string_to_security_class("file");
+ if (tclass <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate security class \"file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
+
+ avr = string_to_av_perm(tclass, "write");
+ if (avr <= 0)
+ {
+ cupsdLogJob(job, CUPSD_LOG_ERROR,
+ "StartJob: SELinux failed to translate av perm \"write\" of security class \"file\"");
+ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
+ return ;
+ }
 }
 else
 {
diff -ur cups-2.3.3.orig/scheduler/job.h cups-2.3.3/scheduler/job.h
--- cups-2.3.3.orig/scheduler/job.h 2022-08-03 16:51:44.986094012 +0000
+++ cups-2.3.3/scheduler/job.h 2022-08-03 16:52:32.608492659 +0000
@@ -92,7 +92,7 @@
 int num_keywords; /* Number of PPD keywords */
 cups_option_t *keywords; /* PPD keywords */
 #ifdef WITH_LSPP
- security_context_t scon; /* Security context of job */
+ char *scon; /* Security context of job */
 uid_t auid; /* Audit loginuid for this job */
 #endif /* WITH_LSPP */
 };
diff -ur cups-2.3.3.orig/scheduler/printers.c cups-2.3.3/scheduler/printers.c
--- cups-2.3.3.orig/scheduler/printers.c 2022-08-03 16:51:45.004093784 +0000
+++ cups-2.3.3/scheduler/printers.c 2022-08-03 16:52:32.625492444 +0000
@@ -2267,7 +2267,7 @@
 char *audit_message; /* Audit message string */
 char *printerfile; /* Path to a local printer dev */
 char *rangestr; /* Printer's range if its available */
- security_context_t devcon; /* Printer SELinux context */
+ char *devcon; /* Printer SELinux context */
 context_t printercon; /* context_t for the printer */
 #endif /* WITH_LSPP */
 
diff -ur cups-2.3.3.orig/scheduler/printers.c.orig cups-2.3.3/scheduler/printers.c.orig
--- cups-2.3.3.orig/scheduler/printers.c.orig 2022-08-03 16:51:44.994093911 +0000
+++ cups-2.3.3/scheduler/printers.c.orig 2022-08-03 16:52:32.616492558 +0000
@@ -2266,7 +2266,7 @@
 char *audit_message; /* Audit message string */
 char *printerfile; /* Path to a local printer dev */
 char *rangestr; /* Printer's range if its available */
- security_context_t devcon; /* Printer SELinux context */
+ char *devcon; /* Printer SELinux context */
 context_t printercon; /* context_t for the printer */
 #endif /* WITH_LSPP */
 
diff --git a/config-scripts/cups-lspp.m4 b/config-scripts/cups-lspp.m4
index 9c59fab..55bd1bb 100644
--- a/config-scripts/cups-lspp.m4
+++ b/config-scripts/cups-lspp.m4
@@ -21,7 +21,7 @@ dnl Are we trying to meet LSPP requirements AC_ARG_ENABLE(lspp, [ --enable-lspp turn on auditing and label support, default=no]) if test x"$enable_lspp" != xno; then - case "$uname" in + case "$(uname)" in Linux) AC_CHECK_LIB(audit,audit_log_user_message, [LIBAUDIT="-laudit" AC_SUBST(LIBAUDIT)]) AC_CHECK_HEADER(libaudit.h)
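Review bot: `case "$(uname)" in` now runs uname itself where the old `case "$uname" in` read a shell variable; if this CUPS release no longer sets `uname` (newer CUPS configure scripts compute `host_os_name` instead), the variable was empty, the `Linux)` arm never matched, and an `--enable-lspp` build silently skipped the `AC_CHECK_LIB(audit,…)` probe and linked without audit logging — so the change restores the check, and that rationale belongs in the patch description. If configure.ac does provide `host_os_name` via cups-opsys.m4, `case "$host_os_name" in linux*)` would follow the rest of the build system and avoid the extra subprocess; note that value is lowercase. If the case statement has no `*)` arm (its end is outside this hunk), consider adding one that calls `AC_MSG_ERROR` when `--enable-lspp` is requested on a platform without these libraries, so a missing audit/SELinux dependency fails configure instead of producing a build that cannot audit.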