+Date: Thu, 15 Jul 2021 16:26:27 -0700
+Subject: [PATCH] scheduler/job.c: use gziptoany for raw files (not just raw
+ printers)
+
+---
+ scheduler/job.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/scheduler/job.c b/scheduler/job.c
+index d8c2efcc6..b448acda5 100644
+--- a/scheduler/job.c
++++ b/scheduler/job.c
+@@ -501,6 +501,7 @@ cupsdContinueJob(cupsd_job_t *job) /* I - Job */
+ int backroot; /* Run backend as root? */
+ int pid; /* Process ID of new filter process */
+ int banner_page; /* 1 if banner page, 0 otherwise */
++ int raw_file; /* 1 if file type is vnd.cups-raw */
+ int filterfds[2][2] = { { -1, -1 }, { -1, -1 } };
+ /* Pipes used between filters */
+ int envc; /* Number of environment variables */
+@@ -746,8 +747,11 @@ cupsdContinueJob(cupsd_job_t *job) /* I - Job */
+ * Add decompression/raw filter as needed...
+ */
+
++ raw_file = !strcmp(job->filetypes[job->current_file]->super, "application") &&
++ !strcmp(job->filetypes[job->current_file]->type, "vnd.cups-raw");
++
+ if ((job->compressions[job->current_file] && (!job->printer->remote || job->num_files == 1)) ||
+- (!job->printer->remote && job->printer->raw && job->num_files > 1))
++ (!job->printer->remote && (job->printer->raw || raw_file) && job->num_files > 1))
+ {
+ /*
+ * Add gziptoany filter to the front of the list...
+--
+2.31.1
+
diff --git a/SOURCES/cups-banners.patch b/SOURCES/cups-banners.patch
new file mode 100644
index 0000000..aa19282
--- /dev/null
+++ b/SOURCES/cups-banners.patch
@@ -0,0 +1,12 @@
+diff -up cups-1.5b1/scheduler/banners.c.banners cups-1.5b1/scheduler/banners.c
+--- cups-1.5b1/scheduler/banners.c.banners 2011-05-20 05:49:49.000000000 +0200
++++ cups-1.5b1/scheduler/banners.c 2011-05-23 17:35:30.000000000 +0200
+@@ -110,6 +110,8 @@ cupsdLoadBanners(const char *d) /* I -
+ if ((ext = strrchr(dent->filename, '.')) != NULL)
+ if (!strcmp(ext, ".bck") ||
+ !strcmp(ext, ".bak") ||
++ !strcmp(ext, ".rpmnew") ||
++ !strcmp(ext, ".rpmsave") ||
+ !strcmp(ext, ".sav"))
+ continue;
+
diff --git a/SOURCES/cups-cleanfiles.patch b/SOURCES/cups-cleanfiles.patch
new file mode 100644
index 0000000..05437f3
--- /dev/null
+++ b/SOURCES/cups-cleanfiles.patch
@@ -0,0 +1,16 @@
+diff --git a/scheduler/main.c b/scheduler/main.c
+index e1fa357..53ca94a 100644
+--- a/scheduler/main.c
++++ b/scheduler/main.c
+@@ -1760,6 +1760,11 @@ select_timeout(int fds) /* I - Number of descriptors returned */
+ /*
+ * Check for any job activity...
+ */
++ if (JobHistoryUpdate && timeout > JobHistoryUpdate)
++ {
++ timeout = JobHistoryUpdate;
++ why = "update job history";
++ }
+
+ for (job = (cupsd_job_t *)cupsArrayFirst(ActiveJobs);
+ job;
diff --git a/SOURCES/cups-deprecate-drivers.patch b/SOURCES/cups-deprecate-drivers.patch
new file mode 100644
index 0000000..afcfa59
--- /dev/null
+++ b/SOURCES/cups-deprecate-drivers.patch
@@ -0,0 +1,177 @@
+diff --git a/cgi-bin/admin.c b/cgi-bin/admin.c
+index 02b9d9d..669cb65 100644
+--- a/cgi-bin/admin.c
++++ b/cgi-bin/admin.c
+@@ -619,6 +619,7 @@ do_am_printer(http_t *http, /* I - HTTP connection */
+ *oldinfo; /* Old printer information */
+ const cgi_file_t *file; /* Uploaded file, if any */
+ const char *var; /* CGI variable */
++ char *ppd_name = NULL; /* Pointer to PPD name */
+ char uri[HTTP_MAX_URI], /* Device or printer URI */
+ *uriptr, /* Pointer into URI */
+ evefile[1024] = ""; /* IPP Everywhere PPD file */
+@@ -1124,12 +1125,12 @@ do_am_printer(http_t *http, /* I - HTTP connection */
+
+ if (!file)
+ {
+- var = cgiGetVariable("PPD_NAME");
+- if (!strcmp(var, "everywhere"))
++ ppd_name = cgiGetVariable("PPD_NAME");
++ if (!strcmp(ppd_name, "everywhere"))
+ get_printer_ppd(cgiGetVariable("DEVICE_URI"), evefile, sizeof(evefile));
+- else if (strcmp(var, "__no_change__"))
++ else if (strcmp(ppd_name, "__no_change__"))
+ ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME, "ppd-name",
+- NULL, var);
++ NULL, ppd_name);
+ }
+
+ ippAddString(request, IPP_TAG_PRINTER, IPP_TAG_TEXT, "printer-location",
+@@ -1219,7 +1220,7 @@ do_am_printer(http_t *http, /* I - HTTP connection */
+
+ cgiCopyTemplateLang("printer-modified.tmpl");
+ }
+- else
++ else if (ppd_name && (strcmp(ppd_name, "everywhere") == 0 || strstr(ppd_name, "driverless")))
+ {
+ /*
+ * Set the printer options...
+@@ -1229,6 +1230,16 @@ do_am_printer(http_t *http, /* I - HTTP connection */
+ do_set_options(http, 0);
+ return;
+ }
++ else
++ {
++ /*
++ * If we don't have an everywhere model, show printer-added
++ * template with warning about drivers going away...
++ */
++
++ cgiStartHTML(title);
++ cgiCopyTemplateLang("printer-added.tmpl");
++ }
+
+ cgiEndHTML();
+ }
+diff --git a/scheduler/printers.c b/scheduler/printers.c
+index 3bfe4a8..248bdba 100644
+--- a/scheduler/printers.c
++++ b/scheduler/printers.c
+@@ -950,6 +950,8 @@ cupsdLoadAllPrinters(void)
+ *value, /* Pointer to value */
+ *valueptr; /* Pointer into value */
+ cupsd_printer_t *p; /* Current printer */
++ int found_raw = 0; /* Flag whether raw queue is installed */
++ int found_driver = 0; /* Flag whether queue with classic driver is installed */
+
+
+ /*
+@@ -1025,6 +1027,30 @@ cupsdLoadAllPrinters(void)
+
+ cupsdSetPrinterAttrs(p);
+
++ if ((p->device_uri && strncmp(p->device_uri, "ipp:", 4) && strncmp(p->device_uri, "ipps:", 5) && strncmp(p->device_uri, "implicitclass:", 14)) ||
++ !p->make_model ||
++ (p->make_model && strstr(p->make_model, "IPP Everywhere") == NULL && strstr(p->make_model, "driverless") == NULL))
++ {
++ /*
++ * Warn users about printer drivers and raw queues will be deprecated.
++ * It will warn users in the following scenarios:
++ * - the queue doesn't use ipp, ipps or implicitclass backend, which means
++ * it doesn't communicate via IPP and is raw or uses a driver for sure
++ * - the queue doesn't have make_model - it is raw
++ * - the queue uses a correct backend, but the model is not IPP Everywhere/driverless
++ */
++ if (!p->make_model)
++ {
++ cupsdLogMessage(CUPSD_LOG_DEBUG, "Queue %s is a raw queue, which is deprecated.", p->name);
++ found_raw = 1;
++ }
++ else
++ {
++ cupsdLogMessage(CUPSD_LOG_DEBUG, "Queue %s uses a printer driver, which is deprecated.", p->name);
++ found_driver = 1;
++ }
++ }
++
+ if (strncmp(p->device_uri, "file:", 5) && p->state != IPP_PRINTER_STOPPED)
+ {
+ /*
+@@ -1415,6 +1441,12 @@ cupsdLoadAllPrinters(void)
+ }
+ }
+
++ if (found_raw)
++ cupsdLogMessage(CUPSD_LOG_WARN, "Raw queues are deprecated and will stop working in a future version of CUPS. See https://github.com/OpenPrinting/cups/issues/103");
++
++ if (found_driver)
++ cupsdLogMessage(CUPSD_LOG_WARN, "Printer drivers are deprecated and will stop working in a future version of CUPS. See https://github.com/OpenPrinting/cups/issues/103");
++
+ cupsFileClose(fp);
+ }
+
+diff --git a/systemv/lpadmin.c b/systemv/lpadmin.c
+index ca6d386..daf24d5 100644
+--- a/systemv/lpadmin.c
++++ b/systemv/lpadmin.c
+@@ -632,7 +632,7 @@ main(int argc, /* I - Number of command-line arguments */
+
+ num_options = cupsRemoveOption("ppd-name", num_options, &options);
+ }
+- else if (ppd_name || file)
++ else if ((ppd_name && strncmp(ppd_name, "driverless:", 11)) || file)
+ {
+ _cupsLangPuts(stderr, _("lpadmin: Printer drivers are deprecated and will stop working in a future version of CUPS."));
+ }
+diff --git a/templates/choose-model.tmpl b/templates/choose-model.tmpl
+index e916cf8..9c9b71f 100644
+--- a/templates/choose-model.tmpl
++++ b/templates/choose-model.tmpl
+@@ -39,7 +39,7 @@
+ |
+
+ |
+diff --git a/templates/printer-added.tmpl b/templates/printer-added.tmpl
+index 0ccf6d3..9ebc835 100644
+--- a/templates/printer-added.tmpl
++++ b/templates/printer-added.tmpl
+@@ -1,4 +1,15 @@
+-Add Printer
++Add Printer {printer_name}
+
+ Printer {printer_name} has been added
+ successfully.
++
++
++Note:Printer drivers and raw queues are deprecated and will stop working in a future version of CUPS.
++
++
++
+diff --git a/test/run-stp-tests.sh b/test/run-stp-tests.sh
+index 4498a8c..8776874 100755
+--- a/test/run-stp-tests.sh
++++ b/test/run-stp-tests.sh
+@@ -1049,10 +1049,10 @@ fi
+
+ # Warning log messages
+ count=`$GREP '^W ' $BASE/log/error_log | $GREP -v CreateProfile | $GREP -v 'libusb error' | $GREP -v ColorManager | $GREP -v 'Avahi client failed' | wc -l | awk '{print $1}'`
+-if test $count != 8; then
+- echo "FAIL: $count warning messages, expected 8."
++if test $count != 10; then
++ echo "FAIL: $count warning messages, expected 10."
+ $GREP '^W ' $BASE/log/error_log
+- echo " FAIL: $count warning messages, expected 8.
" >>$strfile
++ echo " FAIL: $count warning messages, expected 10.
" >>$strfile
+ echo " " >>$strfile
+ $GREP '^W ' $BASE/log/error_log | sed -e '1,$s/&/&/g' -e '1,$s/>$strfile
+ echo "
" >>$strfile
diff --git a/SOURCES/cups-direct-usb.patch b/SOURCES/cups-direct-usb.patch
new file mode 100644
index 0000000..4e25ce7
--- /dev/null
+++ b/SOURCES/cups-direct-usb.patch
@@ -0,0 +1,27 @@
+diff -up cups-1.5b1/backend/usb-unix.c.direct-usb cups-1.5b1/backend/usb-unix.c
+--- cups-1.5b1/backend/usb-unix.c.direct-usb 2011-05-20 05:49:49.000000000 +0200
++++ cups-1.5b1/backend/usb-unix.c 2011-05-23 17:52:14.000000000 +0200
+@@ -102,6 +102,9 @@ print_device(const char *uri, /* I - De
+ _cups_strncasecmp(hostname, "Minolta", 7);
+ #endif /* __FreeBSD__ || __NetBSD__ || __OpenBSD__ || __DragonFly__ */
+
++ if (use_bc && !strncmp(uri, "usb:/dev/", 9))
++ use_bc = 0;
++
+ if ((device_fd = open_device(uri, &use_bc)) == -1)
+ {
+ if (getenv("CLASS") != NULL)
+@@ -331,12 +334,7 @@ open_device(const char *uri, /* I - Dev
+ if (!strncmp(uri, "usb:/dev/", 9))
+ #ifdef __linux
+ {
+- /*
+- * Do not allow direct devices anymore...
+- */
+-
+- errno = ENODEV;
+- return (-1);
++ return (open(uri + 4, O_RDWR | O_EXCL));
+ }
+ else if (!strncmp(uri, "usb://", 6))
+ {
diff --git a/SOURCES/cups-driverd-timeout.patch b/SOURCES/cups-driverd-timeout.patch
new file mode 100644
index 0000000..b7240a3
--- /dev/null
+++ b/SOURCES/cups-driverd-timeout.patch
@@ -0,0 +1,21 @@
+diff -up cups-1.7b1/scheduler/ipp.c.driverd-timeout cups-1.7b1/scheduler/ipp.c
+--- cups-1.7b1/scheduler/ipp.c.driverd-timeout 2013-04-19 12:24:43.003841810 +0200
++++ cups-1.7b1/scheduler/ipp.c 2013-04-19 12:24:43.204839107 +0200
+@@ -4556,7 +4556,7 @@ copy_model(cupsd_client_t *con, /* I -
+ close(temppipe[1]);
+
+ /*
+- * Wait up to 30 seconds for the PPD file to be copied...
++ * Wait up to 70 seconds for the PPD file to be copied...
+ */
+
+ total = 0;
+@@ -4576,7 +4576,7 @@ copy_model(cupsd_client_t *con, /* I -
+ FD_SET(temppipe[0], &input);
+ FD_SET(CGIPipes[0], &input);
+
+- timeout.tv_sec = 30;
++ timeout.tv_sec = 70;
+ timeout.tv_usec = 0;
+
+ if ((i = select(maxfd, &input, NULL, NULL, &timeout)) < 0)
diff --git a/SOURCES/cups-dymo-deviceid.patch b/SOURCES/cups-dymo-deviceid.patch
new file mode 100644
index 0000000..3ff1ffd
--- /dev/null
+++ b/SOURCES/cups-dymo-deviceid.patch
@@ -0,0 +1,11 @@
+diff -up cups-2.3.1/ppdc/sample.drv.dymo-deviceid cups-2.3.1/ppdc/sample.drv
+--- cups-2.3.1/ppdc/sample.drv.dymo-deviceid 2019-12-16 09:22:34.476492212 +0100
++++ cups-2.3.1/ppdc/sample.drv 2019-12-16 09:23:44.665003895 +0100
+@@ -129,6 +129,7 @@ Version "2.3"
+ {
+ Manufacturer "DYMO"
+ ModelName "Label Printer"
++ Attribute "1284DeviceID" "" "MFG:DYMO;MDL:LabelWriter 400;"
+ Attribute NickName "" "DYMO Label Printer"
+ PCFileName "dymo.ppd"
+ DriverType label
diff --git a/SOURCES/cups-failover-backend.patch b/SOURCES/cups-failover-backend.patch
new file mode 100644
index 0000000..1bcf627
--- /dev/null
+++ b/SOURCES/cups-failover-backend.patch
@@ -0,0 +1,876 @@
+diff -up cups-2.3.3/backend/failover.c.failover cups-2.3.3/backend/failover.c
+--- cups-2.3.3/backend/failover.c.failover 2020-06-11 08:49:20.515264358 +0200
++++ cups-2.3.3/backend/failover.c 2020-06-11 08:49:20.515264358 +0200
+@@ -0,0 +1,837 @@
++/*
++ * Failover Backend for the Common UNIX Printing System (CUPS).
++ *
++ * Copyright (c) 2014, Red Hat, Inc.
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * * Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * * Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * * Neither the name of Red Hat, Inc. nor the names of its contributors
++ * may be used to endorse or promote products derived from this software
++ * without specific prior written permission.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
++ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
++ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
++ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT,
++ * INC. BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
++ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
++ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
++ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
++ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
++ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
++ * DAMAGE.
++ *
++ * Original version by Clark Hale, Red Hat, Inc.
++ *
++ * This backend presents a fake printer that will choose the first
++ * available printer from a list of IPP URIs.
++ *
++ * Option failover contains a comma separated list of IPP URIs. The
++ * URIs are attempted in-order.
++ *
++ * Option failover-retries contains an integer that indicates how many
++ * times to iterate through the failover list before completely
++ * failing.
++ *
++ * Contents:
++ * main() - Checks each printer in a failover list, and
++ * sends job data to the first available printer
++ * move_job() - Sends and IPP Move-Job request
++ * check_printer() - Checks a printer's attributes to see
++ * if it's enabled and accepting jobs
++ * read_config() - Read the backends configuration from
++ * options
++ * get_printer_attributes() - Sends an IPP Get-Attributes request to
++ * a URI
++ * sigterm_handler() - Handle SIGTERM that cancels the job
++ * password_cb() - Password call back used to disable password
++ * prompt
++ */
++#include
++#include
++#include
++#include
++#include
++#include
++#include "backend-private.h"
++
++/*
++ * Return Values
++ */
++typedef enum fo_state_e
++{
++ FO_PRINTER_GOOD = 0,
++ FO_PRINTER_BAD,
++ FO_PRINTER_BUSY,
++ FO_AUTH_REQUIRED
++} fo_state_t;
++
++/*
++ * Constants
++ */
++#define FAILOVER_DEFAULT_RETRIES (3)
++#define FAILOVER_PASSWORD_RETRIES_MAX (3)
++
++/*
++ * Local Functions
++ */
++static int check_printer(const char *device_uri);
++static int read_config(cups_array_t *printer_array, int *retries,
++ const char *options);
++static int get_printer_attributes(const char *device_uri,
++ ipp_t **attributes);
++static int move_job(int jobid, const char *dest);
++static void sigterm_handler(int sig);
++static const char *password_cb(const char *);
++
++/*
++ * Global Variables
++ */
++static int job_canceled = 0; /* Job canceled */
++static char *password = NULL; /* password for device */
++static int password_retries = 0;
++static const char *auth_info_required = "none";
++
++/*
++ * 'main()' - Checks each printer in a failover list, and
++ * sends job data to the first available printer
++ * Usage:
++ * printer-uri job-id user title copies options [file]
++ *
++ * The printer-uri option is not used, but it still required to fit
++ * to the backend(7) standards.
++ */
++int
++main(int argc, char *argv[])
++{
++ const char *selected_uri = NULL; /* URI of selected printer */
++ const char *tmp_device_uri; /* Device URI to check */
++ cups_array_t *printer_array; /* Array of available printers */
++ int printer_count = 0; /* current printer array index */
++ int retry_max = 1; /* maximum retries before exit */
++ int retry_count = 0; /* current retry number */
++ int auth_failed_count = 0; /* auth failures per loop */
++ int rc = CUPS_BACKEND_OK;
++#if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
++ struct sigaction action; /* Actions for POSIX signals */
++#endif /* HAVE_SIGACTION && !HAVE_SIGSET */
++
++ /*
++ * Check args
++ */
++ if (argc == 1)
++ {
++ /*
++ * print out discovery data
++ */
++ char *backendName;
++
++ if ((backendName = strrchr(argv[0], '/')) != NULL)
++ backendName++;
++ else
++ backendName = argv[0];
++
++ _cupsLangPrintf(stderr,"network %s \"Unknown\" \"%s (%s)\"\n",
++ backendName,
++ _cupsLangString(cupsLangDefault(), _("Failover Printer")),
++ backendName);
++
++ return (CUPS_BACKEND_OK);
++ }
++ else if (argc < 6)
++ {
++ _cupsLangPrintf(stderr,
++ _("Usage: %s job-id user title copies options [file]"),
++ argv[0]);
++ return (CUPS_BACKEND_STOP);
++ }
++
++ fprintf(stderr, "DEBUG: Failover backend starting up.\n");
++
++ /*
++ * Don't buffer status messages
++ */
++ setbuf(stderr, NULL);
++
++ /*
++ * Ignore SIGPIPE and catch SIGTERM signals...
++ */
++#ifdef HAVE_SIGSET
++ sigset(SIGPIPE, SIG_IGN);
++ sigset(SIGTERM, sigterm_handler);
++#elif defined(HAVE_SIGACTION)
++ memset(&action, 0, sizeof(action));
++ action.sa_handler = SIG_IGN;
++ sigaction(SIGPIPE, &action, NULL);
++
++ sigemptyset(&action.sa_mask);
++ sigaddset(&action.sa_mask, SIGTERM);
++ action.sa_handler = sigterm_handler;
++ sigaction(SIGTERM, &action, NULL);
++#else
++ signal(SIGPIPE, SIG_IGN);
++ signal(SIGTERM, sigterm_handler);
++#endif /* HAVE_SIGSET */
++
++ printer_array = cupsArrayNew(NULL, NULL);
++
++ /*
++ * Read Configuration
++ */
++ if ((rc = read_config(printer_array, &retry_max,
++ argv[5])) != CUPS_BACKEND_OK)
++ {
++ fprintf(stderr, "ERROR: Failed to read configuration options!\n");
++ goto cleanup;
++ }
++
++ /*
++ * Main Retry Loop
++ */
++ for (retry_count = 0; retry_count < retry_max; retry_count++)
++ {
++ fprintf(stderr, "DEBUG: Retry loop #%d\n", retry_count + 1);
++
++ /*
++ * Reset Counters
++ */
++ printer_count = 0;
++ auth_failed_count = 0;
++
++ tmp_device_uri = (char *)cupsArrayFirst(printer_array);
++
++ do
++ {
++ if (job_canceled)
++ {
++ fprintf(stderr, "DEBUG: Job Canceled\n");
++ goto cleanup;
++ }
++
++ fprintf(stderr,"DEBUG: Checking printer #%d: %s\n",
++ printer_count+1, tmp_device_uri);
++
++ rc = check_printer(tmp_device_uri);
++
++ // Printer is available and not busy.
++ if ( rc == FO_PRINTER_GOOD )
++ {
++ selected_uri = tmp_device_uri;
++ break;
++ }
++ // Printer is busy
++ else if (rc == FO_PRINTER_BUSY)
++ {
++ fprintf(stderr, "DEBUG: Waiting for job to complete.\n");
++ sleep(2);
++ continue;
++ }
++ // Authorization is required to access the printer.
++ else if (rc == FO_AUTH_REQUIRED)
++ {
++ auth_failed_count++;
++ fprintf(stderr, "DEBUG: auth_failed_count = %d\n", auth_failed_count);
++ }
++ // Printer is stopped or not accepting jobs
++ else
++ {
++ if (!printer_count)
++ fprintf(stderr, "INFO: Primary Printer, %s, not available. "
++ "Attempting Failovers...\n",
++ tmp_device_uri);
++ else
++ fprintf(stderr, "INFO: Failover Printer, %s, not available. "
++ "Attempting Failovers..\n",
++ tmp_device_uri);
++ printer_count++;
++ tmp_device_uri = (char *)cupsArrayNext(printer_array);
++ }
++ } while (tmp_device_uri != NULL);
++
++ if (selected_uri && !printer_count)
++ fprintf(stderr, "STATE: -primary-printer-failed\n");
++ else
++ fprintf(stderr, "STATE: +primary-printer-failed\n");
++
++ if (job_canceled)
++ {
++ fprintf(stderr, "DEBUG: Job Canceled\n");
++ goto cleanup;
++ }
++
++ if (!selected_uri && auth_failed_count == printer_count)
++ {
++ fprintf(stderr, "ERROR: All failover printers failed with "
++ "authorization issues.\n");
++ rc = CUPS_BACKEND_AUTH_REQUIRED;
++ fprintf(stderr, "ATTR: auth-info-required=%s\n", auth_info_required);
++ goto cleanup;
++ }
++ else if (!selected_uri && retry_count + 1 < retry_max)
++ {
++ fprintf(stderr, "INFO: No suitable printer found...retrying...\n");
++ sleep(2);
++ continue;
++ }
++ else if (selected_uri)
++ {
++ fprintf(stderr, "DEBUG: Using printer, %s.\n", selected_uri);
++ break;
++ }
++ }
++
++ if (!selected_uri)
++ {
++ fprintf(stderr, "ERROR: No suitable printer found. Aborting print\n");
++ rc = CUPS_BACKEND_FAILED;
++ goto cleanup;
++ }
++
++ rc = move_job(atoi(argv[1]), selected_uri);
++
++ if (job_canceled)
++ rc = CUPS_BACKEND_OK;
++
++cleanup :
++ if (job_canceled)
++ rc = CUPS_BACKEND_OK;
++
++ tmp_device_uri = (char *)cupsArrayFirst(printer_array);
++ do
++ {
++ free((void *)tmp_device_uri);
++ } while ((tmp_device_uri = (char *)cupsArrayNext(printer_array)) != NULL);
++
++ cupsArrayDelete(printer_array);
++ sleep(2);
++ return (rc);
++}
++
++/*
++ * 'check_printer()' - Checks the status of a remote printer and returns
++ * back a good/bad/busy status.
++ */
++int
++check_printer(const char *device_uri)
++{
++ ipp_t *attributes = NULL; /* attributes for device_uri */
++ ipp_attribute_t *tmp_attribute; /* for examining attribs */
++ int rc = FO_PRINTER_GOOD; /* return code */
++ char *reason; /* printer state reason */
++ int i;
++
++ fprintf(stderr, "DEBUG: Checking printer %s\n",device_uri);
++
++ rc = get_printer_attributes(device_uri, &attributes);
++ if ( rc != CUPS_BACKEND_OK )
++ {
++ fprintf(stderr, "DEBUG: Failed to get attributes from printer: %s\n",
++ device_uri);
++ if ( rc == CUPS_BACKEND_AUTH_REQUIRED )
++ return (FO_AUTH_REQUIRED);
++ else
++ return (FO_PRINTER_BAD);
++ }
++
++ /*
++ * Check if printer is accepting jobs
++ */
++ if ((tmp_attribute = ippFindAttribute(attributes,
++ "printer-is-accepting-jobs",
++ IPP_TAG_BOOLEAN)) != NULL &&
++ !tmp_attribute->values[0].boolean)
++ {
++ fprintf(stderr,
++ "DEBUG: Printer, %s, is not accepting jobs.\n",
++ device_uri);
++
++ rc = FO_PRINTER_BAD;
++ }
++
++ /*
++ * Check if printer is stopped or busy processing
++ */
++ if ((tmp_attribute = ippFindAttribute(attributes,
++ "printer-state",
++ IPP_TAG_ENUM)) != NULL)
++ {
++ // Printer Stopped
++ if ( tmp_attribute->values[0].integer == IPP_PRINTER_STOPPED )
++ {
++ fprintf(stderr, "DEBUG: Printer, %s, stopped.\n", device_uri);
++ rc = FO_PRINTER_BAD;
++ }
++ // Printer Busy
++ else if ( tmp_attribute->values[0].integer == IPP_PRINTER_PROCESSING )
++ {
++ fprintf(stderr, "DEBUG: Printer %s is busy.\n", device_uri);
++ rc = FO_PRINTER_BUSY;
++ }
++ }
++
++ /*
++ * Parse through the printer-state-reasons
++ */
++ if ((tmp_attribute = ippFindAttribute(attributes, "printer-state-reasons",
++ IPP_TAG_KEYWORD)) != NULL)
++ {
++ for (i = 0; i < tmp_attribute->num_values; i++)
++ {
++ reason = tmp_attribute->values[i].string.text;
++ int len = strlen(reason);
++
++ if (len > 8 && !strcmp(reason + len - 8, "-warning"))
++ {
++ fprintf(stderr, "DEBUG: Printer Supply Warning, %s\n", reason);
++ rc = FO_PRINTER_BAD;
++ }
++ else if (len > 6 && !strcmp(reason + len - 6, "-error"))
++ {
++ fprintf(stderr, "DEBUG: Printer Supply Error, %s\n", reason);
++ rc = FO_PRINTER_BAD;
++ }
++ }
++ }
++
++ return (rc);
++}
++
++/*
++ * 'read_config()' - Parses the failover and failover-retries options
++ *
++ */
++static int
++read_config(cups_array_t *printer_array, int *retries, const char *options)
++{
++
++ const char *tmp; /* temporary ptr */
++ char *tok_tmp; /* temporary ptr for option parsing */
++ int jobopts_count = 0; /* number of options */
++ cups_option_t *jobopts = NULL; /* job options */
++
++
++ fprintf(stderr, "DEBUG: Reading Configuration.\n");
++ jobopts_count = cupsParseOptions(options, 0, &jobopts);
++
++ if (!jobopts_count)
++ {
++ fprintf(stderr,
++ "ERROR: No job options! Cannot find failover options!\n");
++ return (CUPS_BACKEND_STOP);
++ }
++
++ /*
++ * Get attributes from the primary printer
++ */
++ fprintf(stderr, "DEBUG: Searching for failover option.\n");
++
++ if ((tmp = cupsGetOption("failover", jobopts_count, jobopts)) != NULL)
++ {
++ fprintf(stderr, "DEBUG: Failover option contents: %s.\n", tmp);
++
++ tok_tmp = strdup(tmp);
++
++ tmp = strtok(tok_tmp, ",");
++ do
++ {
++ cupsArrayAdd(printer_array, strdup(tmp));
++ } while ((tmp = strtok(NULL,",")) != NULL);
++
++ free(tok_tmp);
++ }
++ else
++ {
++ /*
++ * The queue is misconfigured, so return back CUPS_BACKEND_STOP
++ */
++ fprintf(stderr, "ERROR: failover option not specified!\n");
++ return (CUPS_BACKEND_STOP);
++ }
++
++ /*
++ * Get the failover-retries value, if it exists.
++ */
++ fprintf(stderr, "DEBUG: Searching for failover-retries option.\n");
++
++ if ((tmp = cupsGetOption("failover-retries",
++ jobopts_count, jobopts)) != NULL)
++ {
++ fprintf(stderr, "DEBUG: failover-retries option contents: %s.\n", tmp);
++ *retries = atoi(tmp);
++ }
++ else
++ {
++ *retries = FAILOVER_DEFAULT_RETRIES;
++ fprintf(stderr, "DEBUG: Failed to get failover-retries option\n");
++ fprintf(stderr, "DEBUG: Defaulted to %d retries\n", *retries);
++ }
++
++ return (CUPS_BACKEND_OK);
++}
++
++/*
++ * 'get_printer_attributes()' - Sends an IPP Get-Attributes request to
++ * a URI
++ */
++int
++get_printer_attributes(const char *device_uri, ipp_t **attributes)
++{
++ char uri[HTTP_MAX_URI]; /* Updated URI without login */
++ int version; /* IPP version */
++ char scheme[256]; /* Scheme in URI */
++ ipp_status_t ipp_status; /* Status of IPP request */
++ char hostname[1024]; /* Hostname */
++ char resource[1024]; /* Resource infoo */
++ char addrname[256]; /* Address name */
++ int port; /* IPP Port number */
++ char portname[255]; /* Port as string */
++ http_t *http; /* HTTP connection */
++ ipp_t *request; /* IPP request */
++ int rc = CUPS_BACKEND_OK; /* Return Code */
++ char username[256]; /* Username for device URI */
++ char *option_ptr; /* for parsing resource opts */
++ const char * const pattrs[] = /* Printer attributes wanted */
++ {
++ "printer-is-accepting-jobs",
++ "printer-state",
++ "printer-state-reasons"
++ };
++
++ if (job_canceled)
++ return (CUPS_BACKEND_OK);
++
++ fprintf(stderr, "DEBUG: Getting Printer Attributes.\n");
++ fprintf(stderr, "DEBUG: Device URL %s.\n", device_uri);
++
++ /*
++ * Parse device_uri
++ */
++ if (httpSeparateURI(HTTP_URI_CODING_ALL, device_uri, scheme, sizeof(scheme),
++ username, sizeof(username), hostname, sizeof(hostname),
++ &port, resource, sizeof(resource)) != HTTP_URI_OK)
++ {
++ fprintf(stderr, "ERROR: Problem parsing device_uri, %s\n", device_uri);
++ return (CUPS_BACKEND_STOP);
++ }
++
++ if (!port)
++ port = IPP_PORT;
++
++ sprintf(portname, "%d", port);
++
++ fprintf(stderr, "DEBUG: Getting Printer Attributes.\n");
++
++ /*
++ * Configure password
++ */
++ cupsSetPasswordCB(password_cb);
++
++ /*
++ * reset, in case a previous attempt for
++ * another printer left residue
++ */
++ cupsSetUser(NULL);
++ password = NULL;
++ password_retries = 0;
++
++ if (*username)
++ {
++ if ((password = strchr(username, ':')) != NULL)
++ {
++ *password = '\0';
++ password++;
++ }
++
++ cupsSetUser(username);
++ }
++ else if (!getuid())
++ {
++ const char *username_env;
++
++ if ((username_env = getenv("AUTH_USERNAME")) != NULL)
++ {
++ cupsSetUser(username_env);
++ password = getenv("AUTH_PASSWORD");
++ }
++ }
++
++ /*
++ * Try connecting to the remote server...
++ */
++ fprintf(stderr, "DEBUG: Connecting to %s:%d\n", hostname, port);
++ _cupsLangPuts(stderr, _("INFO: Connecting to printer...\n"));
++
++ http = httpConnectEncrypt(hostname, port, cupsEncryption());
++
++ /*
++ * Deal the socket not being open.
++ */
++ if (!http)
++ {
++ int error = errno; /* Connection error */
++
++ switch (error)
++ {
++ case EHOSTDOWN :
++ _cupsLangPuts(stderr, _("WARNING: "
++ "The printer may not exist or "
++ "is unavailable at this time.\n"));
++ break;
++ case EHOSTUNREACH :
++ _cupsLangPuts(stderr, _("WARNING: "
++ "The printer is unreachable at this "
++ "time.\n"));
++ break;
++ case ECONNREFUSED :
++ _cupsLangPuts(stderr, _("WARNING: "
++ "Connection Refused.\n"));
++ break;
++ default :
++ fprintf(stderr, "DEBUG: Connection error: %s\n", strerror(errno));
++ break;
++ }
++
++ rc = CUPS_BACKEND_FAILED;
++ sleep(5);
++ goto prt_available_cleanup;
++ }
++
++
++#ifdef AF_INET6
++ if (http->hostaddr->addr.sa_family == AF_INET6)
++ fprintf(stderr, "DEBUG: Connected to [%s]:%d (IPv6)...\n",
++ httpAddrString(http->hostaddr, addrname, sizeof(addrname)),
++ ntohs(http->hostaddr->ipv6.sin6_port));
++ else
++#endif /* AF_INET6 */
++ if (http->hostaddr->addr.sa_family == AF_INET)
++ fprintf(stderr, "DEBUG: Connected to %s:%d (IPv4)...\n",
++ httpAddrString(http->hostaddr, addrname, sizeof(addrname)),
++ ntohs(http->hostaddr->ipv4.sin_port));
++
++ /*
++ * Search the resource string for options.
++ * We only care about version, for the moment.
++ */
++ version = 11;
++
++ if ((option_ptr = strchr(resource, '?')) != NULL)
++ {
++ *option_ptr++ = '\0';
++
++ if ((option_ptr = strstr(option_ptr, "version="))!=NULL)
++ {
++ int minor; /* minor version from URI */
++ int major; /* major version from URI */
++ char *version_str; /* ipp version */
++
++ option_ptr += 8;
++ version_str = option_ptr;
++
++ while (*option_ptr && *option_ptr != '&' && *option_ptr != '+')
++ option_ptr++;
++
++ if (*option_ptr)
++ *option_ptr = '\0';
++
++ sscanf(version_str, "%d.%d", &major, &minor);
++
++ version = (major * 10) + minor;
++
++ switch(version)
++ {
++ case 10 :
++ case 11 :
++ case 20 :
++ case 21 :
++ fprintf(stderr,
++ "DEBUG: Set version to %d from URI\n",
++ version);
++ break;
++ default :
++ _cupsLangPrintf(stderr,
++ _("DEBUG: Invalid version, %d, from URI. "
++ "Using default of 1.1 \n"),
++ version);
++ version = 11;
++ }
++ }
++ }
++
++
++ /*
++ * Build a URI for the printer. We can't use the URI in argv[0]
++ * because it might contain username:password information...
++ */
++ if (httpAssembleURI(HTTP_URI_CODING_ALL, uri, sizeof(uri), scheme, NULL,
++ hostname, port, resource) != HTTP_URI_OK)
++ {
++ fprintf(stderr, "ERROR: Problem assembling printer URI from host %s, "
++ "port %d, resource %s\n", hostname, port, resource);
++ return (CUPS_BACKEND_STOP);
++ }
++
++ /*
++ * Build the IPP request...
++ */
++ request = ippNewRequest(IPP_GET_PRINTER_ATTRIBUTES);
++ request->request.op.version[0] = version / 10;
++ request->request.op.version[1] = version % 10;
++
++ ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "printer-uri",
++ NULL, uri);
++
++ ippAddStrings(request, IPP_TAG_OPERATION, IPP_TAG_KEYWORD,
++ "requested-attributes", sizeof(pattrs) / sizeof(pattrs[0]),
++ NULL, pattrs);
++
++ /*
++ * Do the request...
++ */
++ fputs("DEBUG: Getting supported attributes...\n", stderr);
++
++ fprintf(stderr, "DEBUG: IPP Request Structure Built.\n");
++
++ *attributes = cupsDoRequest(http, request, resource);
++ ipp_status = cupsLastError();
++
++ fprintf(stderr, "DEBUG: Get-Printer-Attributes: %s (%s)\n",
++ ippErrorString(ipp_status), cupsLastErrorString());
++
++ if (ipp_status > IPP_OK_CONFLICT)
++ {
++ fprintf(stderr, "DEBUG: Get-Printer-Attributes returned %s.\n",
++ ippErrorString(ipp_status));
++ switch(ipp_status)
++ {
++ case IPP_FORBIDDEN :
++ case IPP_NOT_AUTHORIZED :
++ _cupsLangPuts(stderr, _("ERROR: Not Authorized.\n"));
++ rc = CUPS_BACKEND_AUTH_REQUIRED;
++ break;
++ case IPP_PRINTER_BUSY :
++ case IPP_SERVICE_UNAVAILABLE :
++ _cupsLangPuts(stderr, _("ERROR: "
++ "The printer is not responding.\n"));
++ rc = CUPS_BACKEND_FAILED;
++ break;
++ case IPP_BAD_REQUEST :
++ case IPP_VERSION_NOT_SUPPORTED :
++ fprintf(stderr, "ERROR: Destination does not support IPP version %d\n",
++ version);
++ case IPP_NOT_FOUND :
++ _cupsLangPuts(stderr, _("ERROR: "
++ "The printer configuration is incorrect or the "
++ "printer no longer exists.\n"));
++ rc = CUPS_BACKEND_STOP;
++ break;
++ default :
++ rc = CUPS_BACKEND_FAILED;
++ }
++ goto prt_available_cleanup;
++ }
++
++prt_available_cleanup :
++ httpClose(http);
++ return (rc);
++}
++
++static int
++move_job(int jobid, /* Job ID */
++ const char *dest) /* Destination ipp address */
++{
++ ipp_t *request; /* IPP Request */
++ char job_uri[HTTP_MAX_URI]; /* job-uri */
++
++ http_t* http = httpConnectEncrypt(cupsServer(), ippPort(), cupsEncryption());
++
++ if (!http)
++ {
++ _cupsLangPrintf(stderr,
++ _("failover: Unable to connect to server: %s\n"),
++ strerror(errno));
++ return (CUPS_BACKEND_FAILED);
++ }
++
++ /*
++ * Build a CUPS_MOVE_JOB request, which requires the following
++ * attributes:
++ *
++ * job-uri/printer-uri
++ * job-printer-uri
++ * requesting-user-name
++ */
++
++ request = ippNewRequest(CUPS_MOVE_JOB);
++
++ snprintf(job_uri, sizeof(job_uri), "ipp://localhost/jobs/%d", jobid);
++ ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_URI, "job-uri", NULL,
++ job_uri);
++
++ ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_NAME,
++ "requesting-user-name",
++ NULL, cupsUser());
++
++ ippAddString(request, IPP_TAG_JOB, IPP_TAG_URI, "job-printer-uri",
++ NULL, dest);
++
++ /*
++ * Do the request and get back a response...
++ */
++
++ ippDelete(cupsDoRequest(http, request, "/jobs"));
++
++ httpClose(http);
++
++ if (cupsLastError() > IPP_OK_CONFLICT)
++ {
++ _cupsLangPrintf(stderr, "failover: %s\n", cupsLastErrorString());
++ return (CUPS_BACKEND_FAILED);
++ }
++ else
++ return (CUPS_BACKEND_OK);
++}
++
++/*
++ * 'sigterm_handler()' - handles a sigterm, i.e. job canceled
++ */
++static void
++sigterm_handler(int sig)
++{
++ if (!job_canceled)
++ {
++ write(2, "DEBUG: Got SIGTERM.\n", 20);
++ job_canceled = 1;
++ }
++ else
++ {
++ /*
++ * Job has already been canceled, so just exit
++ */
++ exit(1);
++ }
++}
++
++/*
++ * 'password_cb()' - Disable the password prompt for cupsDoFileRequest().
++ */
++static const char * /* O - Password */
++password_cb(const char *prompt) /* I - Prompt (not used) */
++{
++ auth_info_required = "username,password";
++ password_retries++;
++
++ if(password_retries < FAILOVER_PASSWORD_RETRIES_MAX)
++ return (password);
++ else
++ return (NULL);
++}
+diff -up cups-2.3.3/backend/Makefile.failover cups-2.3.3/backend/Makefile
+--- cups-2.3.3/backend/Makefile.failover 2020-04-27 20:04:29.000000000 +0200
++++ cups-2.3.3/backend/Makefile 2020-06-11 08:52:31.212642019 +0200
+@@ -22,6 +22,7 @@ include ../Makedefs
+ RBACKENDS = \
+ ipp \
+ lpd \
++ failover \
+ $(DNSSD_BACKEND)
+ UBACKENDS = \
+ snmp \
+@@ -45,6 +46,7 @@ LIBOBJS = \
+ OBJS = \
+ ipp.o \
+ lpd.o \
++ failover.o \
+ dnssd.o \
+ snmp.o \
+ socket.o \
+@@ -276,6 +278,15 @@ lpd: lpd.o ../cups/$(LIBCUPS) libbackend
+
+
+ #
++# failover
++#
++
++failover: failover.o ../cups/$(LIBCUPS) libbackend.a
++ echo Linking $@...
++ $(LD_CC) $(ALL_LDFLAGS) -o failover failover.o libbackend.a $(LINKCUPS)
++
++
++#
+ # snmp
+ #
+
diff --git a/SOURCES/cups-fips-restrict-md5.patch b/SOURCES/cups-fips-restrict-md5.patch
new file mode 100644
index 0000000..41223fa
--- /dev/null
+++ b/SOURCES/cups-fips-restrict-md5.patch
@@ -0,0 +1,124 @@
+diff --git a/cups/http-support.c b/cups/http-support.c
+index a4bc079..9ee2309 100644
+--- a/cups/http-support.c
++++ b/cups/http-support.c
+@@ -1430,6 +1430,12 @@ _httpSetDigestAuthString(
+ * Use old RFC 2069 Digest method...
+ */
+
++ if (cg->digestoptions == _CUPS_DIGESTOPTIONS_DENYMD5)
++ {
++ DEBUG_puts("3_httpSetDigestAuthString: MD5 Digest is disabled.");
++ return (0);
++ }
++
+ /* H(A1) = H(username:realm:password) */
+ snprintf(temp, sizeof(temp), "%s:%s:%s", username, http->realm, password);
+ hashsize = (size_t)cupsHashData("md5", (unsigned char *)temp, strlen(temp), hash, sizeof(hash));
+diff --git a/cups/md5passwd.c b/cups/md5passwd.c
+index 9af5de2..5c9a64e 100644
+--- a/cups/md5passwd.c
++++ b/cups/md5passwd.c
+@@ -19,6 +19,9 @@
+ /*
+ * 'httpMD5()' - Compute the MD5 sum of the username:group:password.
+ *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+ * @deprecated@
+ */
+
+@@ -28,22 +31,13 @@ httpMD5(const char *username, /* I - User name */
+ const char *passwd, /* I - Password string */
+ char md5[33]) /* O - MD5 string */
+ {
+- unsigned char sum[16]; /* Sum data */
+- char line[256]; /* Line to sum */
+-
+-
+- /*
+- * Compute the MD5 sum of the user name, group name, and password.
+- */
++ (void)username;
++ (void)realm;
++ (void)passwd;
+
+- snprintf(line, sizeof(line), "%s:%s:%s", username, realm, passwd);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
++ md5[0] = '\0';
+
+- /*
+- * Return the sum...
+- */
+-
+- return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
++ return (NULL);
+ }
+
+
+@@ -52,6 +46,9 @@ httpMD5(const char *username, /* I - User name */
+ * with the server-supplied nonce value, method, and
+ * request-uri.
+ *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+ * @deprecated@
+ */
+
+@@ -61,35 +58,22 @@ httpMD5Final(const char *nonce, /* I - Server nonce value */
+ const char *resource, /* I - Resource path */
+ char md5[33]) /* IO - MD5 sum */
+ {
+- unsigned char sum[16]; /* Sum data */
+- char line[1024]; /* Line of data */
+- char a2[33]; /* Hash of method and resource */
+-
++ (void)nonce;
++ (void)method;
++ (void)resource;
+
+- /*
+- * First compute the MD5 sum of the method and resource...
+- */
++ md5[0] = '\0';
+
+- snprintf(line, sizeof(line), "%s:%s", method, resource);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
+- cupsHashString(sum, sizeof(sum), a2, sizeof(a2));
+-
+- /*
+- * Then combine A1 (MD5 of username, realm, and password) with the nonce
+- * and A2 (method + resource) values to get the final MD5 sum for the
+- * request...
+- */
+-
+- snprintf(line, sizeof(line), "%s:%s:%s", md5, nonce, a2);
+- cupsHashData("md5", (unsigned char *)line, strlen(line), sum, sizeof(sum));
+-
+- return ((char *)cupsHashString(sum, sizeof(sum), md5, 33));
++ return (NULL);
+ }
+
+
+ /*
+ * 'httpMD5String()' - Convert an MD5 sum to a character string.
+ *
++ * The function was used for HTTP Digest authentication. Since CUPS 2.4.0
++ * it produces an empty string. Please use @link cupsDoAuthentication@ instead.
++ *
+ * @deprecated@
+ */
+
+@@ -98,5 +82,9 @@ httpMD5String(const unsigned char *sum, /* I - MD5 sum data */
+ char md5[33])
+ /* O - MD5 sum in hex */
+ {
+- return ((char *)cupsHashString(sum, 16, md5, 33));
++ (void)sum;
++
++ md5[0] = '\0';
++
++ return (NULL);
+ }
diff --git a/SOURCES/cups-freebind.patch b/SOURCES/cups-freebind.patch
new file mode 100644
index 0000000..6d9ba43
--- /dev/null
+++ b/SOURCES/cups-freebind.patch
@@ -0,0 +1,15 @@
+diff -up cups-2.0.2/cups/http-addr.c.freebind cups-2.0.2/cups/http-addr.c
+--- cups-2.0.2/cups/http-addr.c.freebind 2015-02-10 14:46:33.000000000 +0100
++++ cups-2.0.2/cups/http-addr.c 2015-02-10 14:50:35.074759141 +0100
+@@ -186,6 +186,10 @@ httpAddrListen(http_addr_t *addr, /* I -
+ val = 1;
+ setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, CUPS_SOCAST &val, sizeof(val));
+
++#ifdef __linux
++ setsockopt(fd, IPPROTO_IP, IP_FREEBIND, CUPS_SOCAST &val, sizeof(val));
++#endif /* __linux */
++
+ #ifdef IPV6_V6ONLY
+ if (addr->addr.sa_family == AF_INET6)
+ setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, CUPS_SOCAST &val, sizeof(val));
+diff -up cups-2.0.2/scheduler/listen.c.freebind cups-2.0.2/scheduler/listen.c
diff --git a/SOURCES/cups-fstack-strong.patch b/SOURCES/cups-fstack-strong.patch
new file mode 100644
index 0000000..0cdbcd5
--- /dev/null
+++ b/SOURCES/cups-fstack-strong.patch
@@ -0,0 +1,49 @@
+diff --git a/config-scripts/cups-compiler.m4 b/config-scripts/cups-compiler.m4
+index 733b06c..bb770f0 100644
+--- a/config-scripts/cups-compiler.m4
++++ b/config-scripts/cups-compiler.m4
+@@ -123,21 +123,35 @@ if test -n "$GCC"; then
+ OPTIM="-fPIC $OPTIM"
+ fi
+
+- # The -fstack-protector option is available with some versions of
+- # GCC and adds "stack canaries" which detect when the return address
+- # has been overwritten, preventing many types of exploit attacks.
+- AC_MSG_CHECKING(whether compiler supports -fstack-protector)
++ # The -fstack-protector-strong and -fstack-protector options are available
++ # with some versions of# GCC and adds "stack canaries" which detect
++ # when the return address has been overwritten, preventing many types of exploit attacks.
++ # First check for -fstack-protector-strong, then for -fstack-protector...
++ AC_MSG_CHECKING([whether compiler supports -fstack-protector-strong])
+ OLDCFLAGS="$CFLAGS"
+- CFLAGS="$CFLAGS -fstack-protector"
+- AC_TRY_LINK(,,
++ CFLAGS="$CFLAGS -fstack-protector-strong"
++ AC_TRY_LINK(,,[
+ if test "x$LSB_BUILD" = xy; then
+ # Can't use stack-protector with LSB binaries...
+ OPTIM="$OPTIM -fno-stack-protector"
+ else
+- OPTIM="$OPTIM -fstack-protector"
++ OPTIM="$OPTIM -fstack-protector-strong"
+ fi
+- AC_MSG_RESULT(yes),
+- AC_MSG_RESULT(no))
++ AC_MSG_RESULT(yes)
++ ], [
++ AC_MSG_CHECKING([whether compiler supports -fstack-protector])
++ CFLAGS="$OLDCFLAGS -fstack-protector"
++ AC_LINK_IFELSE([AC_LANG_PROGRAM()], [
++ AS_IF([test "x$LSB_BUILD" = xy], [
++ # Can't use stack-protector with LSB binaries...
++ OPTIM="$OPTIM -fno-stack-protector"
++ ], [
++ OPTIM="$OPTIM -fstack-protector"
++ ])
++ ], [
++ AC_MSG_RESULT([no])
++ ])
++ ])
+ CFLAGS="$OLDCFLAGS"
+
+ if test "x$LSB_BUILD" != xy; then
diff --git a/SOURCES/cups-ipp-multifile.patch b/SOURCES/cups-ipp-multifile.patch
new file mode 100644
index 0000000..beac7fa
--- /dev/null
+++ b/SOURCES/cups-ipp-multifile.patch
@@ -0,0 +1,15 @@
+diff -up cups-1.7.0/backend/ipp.c.ipp-multifile cups-1.7.0/backend/ipp.c
+--- cups-1.7.0/backend/ipp.c.ipp-multifile 2013-10-24 15:52:00.745814354 +0100
++++ cups-1.7.0/backend/ipp.c 2013-10-24 15:53:46.463266724 +0100
+@@ -1758,7 +1758,10 @@ main(int argc, /* I - Number of comm
+ ippAddBoolean(request, IPP_TAG_OPERATION, "last-document",
+ (i + 1) >= num_files);
+
+- if (document_format)
++ if (num_files > 1)
++ ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_MIMETYPE,
++ "document-format", NULL, "application/octet-stream");
++ else if (document_format)
+ ippAddString(request, IPP_TAG_OPERATION, IPP_TAG_MIMETYPE,
+ "document-format", NULL, document_format);
+
diff --git a/SOURCES/cups-logs.patch b/SOURCES/cups-logs.patch
new file mode 100644
index 0000000..75b3e26
--- /dev/null
+++ b/SOURCES/cups-logs.patch
@@ -0,0 +1,16 @@
+diff --git a/scheduler/log.c b/scheduler/log.c
+index 17331ff02..41ddb4cb9 100644
+--- a/scheduler/log.c
++++ b/scheduler/log.c
+@@ -569,11 +569,7 @@ cupsdLogJob(cupsd_job_t *job, /* I - Job */
+ * Format and write the log message...
+ */
+
+-#ifdef HAVE_SYSTEMD_SD_JOURNAL_H
+- if (job && strcmp(ErrorLog, "syslog"))
+-#else
+ if (job)
+-#endif /* HAVE_SYSTEMD_SD_JOURNAL_H */
+ snprintf(jobmsg, sizeof(jobmsg), "[Job %d] %s", job->id, message);
+ else
+ strlcpy(jobmsg, message, sizeof(jobmsg));
diff --git a/SOURCES/cups-lspp.patch b/SOURCES/cups-lspp.patch
new file mode 100644
index 0000000..7c094d2
--- /dev/null
+++ b/SOURCES/cups-lspp.patch
@@ -0,0 +1,1990 @@
+diff -up cups-2.3.0/config.h.in.lspp cups-2.3.0/config.h.in
+--- cups-2.3.0/config.h.in.lspp 2019-08-23 17:19:38.000000000 +0200
++++ cups-2.3.0/config.h.in 2019-10-07 12:24:43.058597468 +0200
+@@ -684,4 +684,11 @@ static __inline int _cups_abs(int i) { r
+ # endif /* __GNUC__ || __STDC_VERSION__ */
+ #endif /* !HAVE_ABS && !abs */
+
++/*
++ * Are we trying to meet LSPP requirements?
++ */
++
++#undef WITH_LSPP
++
++
+ #endif /* !_CUPS_CONFIG_H_ */
+diff -up cups-2.3.0/config-scripts/cups-lspp.m4.lspp cups-2.3.0/config-scripts/cups-lspp.m4
+--- cups-2.3.0/config-scripts/cups-lspp.m4.lspp 2019-10-07 12:24:43.058597468 +0200
++++ cups-2.3.0/config-scripts/cups-lspp.m4 2019-10-07 12:24:43.058597468 +0200
+@@ -0,0 +1,36 @@
++dnl
++dnl LSPP code for the Common UNIX Printing System (CUPS).
++dnl
++dnl Copyright 2005-2006 by Hewlett-Packard Development Company, L.P.
++dnl
++dnl This program is free software; you can redistribute it and/or modify
++dnl it under the terms of the GNU General Public License as published by
++dnl the Free Software Foundation; version 2.
++dnl
++dnl This program is distributed in the hope that it will be useful, but
++dnl WITHOUT ANY WARRANTY; without even the implied warranty of
++dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++dnl General Public License for more details.
++dnl
++dnl You should have received a copy of the GNU General Public License
++dnl along with this program; if not, write to the Free Software Foundation,
++dnl Inc., 51 Franklin Street, Fifth Floor Boston, MA 02110-1301 USA
++dnl
++
++dnl Are we trying to meet LSPP requirements
++AC_ARG_ENABLE(lspp, [ --enable-lspp turn on auditing and label support, default=no])
++
++if test x"$enable_lspp" != xno; then
++ case "$uname" in
++ Linux)
++ AC_CHECK_LIB(audit,audit_log_user_message, [LIBAUDIT="-laudit" AC_SUBST(LIBAUDIT)])
++ AC_CHECK_HEADER(libaudit.h)
++ AC_CHECK_LIB(selinux,getpeercon, [LIBSELINUX="-lselinux" AC_SUBST(LIBSELINUX)])
++ AC_CHECK_HEADER(selinux/selinux.h)
++ AC_DEFINE(WITH_LSPP)
++ ;;
++ *)
++ # All others
++ ;;
++ esac
++fi
+diff -up cups-2.3.0/configure.ac.lspp cups-2.3.0/configure.ac
+--- cups-2.3.0/configure.ac.lspp 2019-10-07 12:24:43.058597468 +0200
++++ cups-2.3.0/configure.ac 2019-10-07 12:39:20.122546282 +0200
+@@ -34,6 +34,8 @@ sinclude(config-scripts/cups-dnssd.m4)
+ sinclude(config-scripts/cups-startup.m4)
+ sinclude(config-scripts/cups-defaults.m4)
+
++sinclude(config-scripts/cups-lspp.m4)
++
+ INSTALL_LANGUAGES=""
+ UNINSTALL_LANGUAGES=""
+ LANGFILES=""
+diff -up cups-2.3.0/filter/common.c.lspp cups-2.3.0/filter/common.c
+--- cups-2.3.0/filter/common.c.lspp 2019-08-23 17:19:38.000000000 +0200
++++ cups-2.3.0/filter/common.c 2019-10-07 12:24:43.059597461 +0200
+@@ -11,6 +11,12 @@
+ * Include necessary headers...
+ */
+
++#include "config.h"
++#ifdef WITH_LSPP
++#define _GNU_SOURCE
++#include
++#endif /* WITH_LSPP */
++
+ #include "common.h"
+ #include
+
+@@ -293,6 +299,18 @@ WriteLabelProlog(const char *label, /* I
+ {
+ const char *classification; /* CLASSIFICATION environment variable */
+ const char *ptr; /* Temporary string pointer */
++#ifdef WITH_LSPP
++ int i, /* counter */
++ n, /* counter */
++ lines, /* number of lines needed */
++ line_len, /* index into tmp_label */
++ label_len, /* length of the label in characters */
++ label_index, /* index into the label */
++ longest, /* length of the longest line */
++ longest_line, /* index to the longest line */
++ max_width; /* maximum width in characters */
++ char **wrapped_label; /* label with line breaks */
++#endif /* WITH_LSPP */
+
+
+ /*
+@@ -315,6 +333,124 @@ WriteLabelProlog(const char *label, /* I
+ return;
+ }
+
++#ifdef WITH_LSPP
++ if (strncmp(classification, "LSPP:", 5) == 0 && label == NULL)
++ {
++ /*
++ * Based on the 12pt fixed width font below determine the max_width
++ */
++ max_width = width / 8;
++ longest_line = 0;
++ longest = 0;
++ classification += 5; // Skip the "LSPP:"
++ label_len = strlen(classification);
++
++ if (label_len > max_width)
++ {
++ lines = 1 + (int)(label_len / max_width);
++ line_len = (int)(label_len / lines);
++ wrapped_label = malloc(sizeof(*wrapped_label) * lines);
++ label_index = i = n = 0;
++ while (classification[label_index])
++ {
++ if ((label_index + line_len) > label_len)
++ break;
++ switch (classification[label_index + line_len + i])
++ {
++ case ':':
++ case ',':
++ case '-':
++ i++;
++ wrapped_label[n++] = strndup(&classification[label_index], (line_len + i));
++ label_index += line_len + i;
++ i = 0;
++ break;
++ default:
++ i++;
++ break;
++ }
++ if ((i + line_len) == max_width)
++ {
++ wrapped_label[n++] = strndup(&(classification[label_index]), (line_len + i));
++ label_index = label_index + line_len + i;
++ i = 0;
++ }
++ }
++ wrapped_label[n] = strndup(&classification[label_index], label_len - label_index);
++ }
++ else
++ {
++ lines = 1;
++ wrapped_label = malloc(sizeof(*wrapped_label));
++ wrapped_label[0] = (char*)classification;
++ }
++
++ for (n = 0; n < lines; n++ )
++ {
++ printf("userdict/ESPp%c(", ('a' + n));
++ for (ptr = wrapped_label[n], i = 0; *ptr; ptr ++, i++)
++ if (*ptr < 32 || *ptr > 126)
++ printf("\\%03o", *ptr);
++ else
++ {
++ if (*ptr == '(' || *ptr == ')' || *ptr == '\\')
++ putchar('\\');
++
++ printf("%c", *ptr);
++ }
++ if (i > longest)
++ {
++ longest = i;
++ longest_line = n;
++ }
++ printf(")put\n");
++ }
++
++ /*
++ * For LSPP use a fixed width font so that line wrapping can be calculated
++ */
++
++ puts("userdict/ESPlf /Nimbus-Mono findfont 12 scalefont put");
++
++ /*
++ * Finally, the procedure to write the labels on the page...
++ */
++
++ printf("userdict/ESPwl{\n"
++ " ESPlf setfont\n");
++ printf(" ESPp%c stringwidth pop dup 12 add exch -0.5 mul %.0f add\n ",
++ 'a' + longest_line, width * 0.5f);
++ for (n = 1; n < lines; n++)
++ printf(" dup");
++ printf("\n 1 setgray\n");
++ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n",
++ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines));
++ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n",
++ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines));
++ printf(" 0 setgray\n");
++ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n",
++ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines));
++ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n",
++ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines));
++ for (n = 0; n < lines; n ++)
++ {
++ printf(" dup %.0f moveto ESPp%c show\n",
++ bottom + 6.0 + ((lines - (n+1)) * 16.0), 'a' + n);
++ printf(" %.0f moveto ESPp%c show\n", top + 2.0 - ((n + 1) * 16.0), 'a' + n);
++ }
++ printf(" pop\n"
++ "}bind put\n");
++
++ /*
++ * Do some clean up at the end of the LSPP special case
++ */
++ free(wrapped_label);
++
++ }
++ else
++ {
++#endif /* !WITH_LSPP */
++
+ /*
+ * Set the classification + page label string...
+ */
+@@ -395,7 +531,10 @@ WriteLabelProlog(const char *label, /* I
+ printf(" %.0f moveto ESPpl show\n", top - 14.0);
+ puts("pop");
+ puts("}bind put");
++ }
++#ifdef WITH_LSPP
+ }
++#endif /* WITH_LSPP */
+
+
+ /*
+diff -up cups-2.3.0/filter/pstops.c.lspp cups-2.3.0/filter/pstops.c
+--- cups-2.3.0/filter/pstops.c.lspp 2019-08-23 17:19:38.000000000 +0200
++++ cups-2.3.0/filter/pstops.c 2019-10-07 12:24:43.059597461 +0200
+@@ -3170,6 +3170,18 @@ write_label_prolog(pstops_doc_t *doc, /*
+ {
+ const char *classification; /* CLASSIFICATION environment variable */
+ const char *ptr; /* Temporary string pointer */
++#ifdef WITH_LSPP
++ int i, /* counter */
++ n, /* counter */
++ lines, /* number of lines needed */
++ line_len, /* index into tmp_label */
++ label_len, /* length of the label in characters */
++ label_index, /* index into the label */
++ longest, /* length of the longest line */
++ longest_line, /* index to the longest line */
++ max_width; /* maximum width in characters */
++ char **wrapped_label; /* label with line breaks */
++#endif /* WITH_LSPP */
+
+
+ /*
+@@ -3192,6 +3204,124 @@ write_label_prolog(pstops_doc_t *doc, /*
+ return;
+ }
+
++#ifdef WITH_LSPP
++ if (strncmp(classification, "LSPP:", 5) == 0 && label == NULL)
++ {
++ /*
++ * Based on the 12pt fixed width font below determine the max_width
++ */
++ max_width = width / 8;
++ longest_line = 0;
++ longest = 0;
++ classification += 5; // Skip the "LSPP:"
++ label_len = strlen(classification);
++
++ if (label_len > max_width)
++ {
++ lines = 1 + (int)(label_len / max_width);
++ line_len = (int)(label_len / lines);
++ wrapped_label = malloc(sizeof(*wrapped_label) * lines);
++ label_index = i = n = 0;
++ while (classification[label_index])
++ {
++ if ((label_index + line_len) > label_len)
++ break;
++ switch (classification[label_index + line_len + i])
++ {
++ case ':':
++ case ',':
++ case '-':
++ i++;
++ wrapped_label[n++] = strndup(&classification[label_index], (line_len + i));
++ label_index += line_len + i;
++ i = 0;
++ break;
++ default:
++ i++;
++ break;
++ }
++ if ((i + line_len) == max_width)
++ {
++ wrapped_label[n++] = strndup(&(classification[label_index]), (line_len + i));
++ label_index = label_index + line_len + i;
++ i = 0;
++ }
++ }
++ wrapped_label[n] = strndup(&classification[label_index], label_len - label_index);
++ }
++ else
++ {
++ lines = 1;
++ wrapped_label = malloc(sizeof(*wrapped_label));
++ wrapped_label[0] = (char*)classification;
++ }
++
++ for (n = 0; n < lines; n++ )
++ {
++ printf("userdict/ESPp%c(", ('a' + n));
++ for (ptr = wrapped_label[n], i = 0; *ptr; ptr ++, i++)
++ if (*ptr < 32 || *ptr > 126)
++ printf("\\%03o", *ptr);
++ else
++ {
++ if (*ptr == '(' || *ptr == ')' || *ptr == '\\')
++ putchar('\\');
++
++ printf("%c", *ptr);
++ }
++ if (i > longest)
++ {
++ longest = i;
++ longest_line = n;
++ }
++ printf(")put\n");
++ }
++
++ /*
++ * For LSPP use a fixed width font so that line wrapping can be calculated
++ */
++
++ puts("userdict/ESPlf /Nimbus-Mono findfont 12 scalefont put");
++
++ /*
++ * Finally, the procedure to write the labels on the page...
++ */
++
++ printf("userdict/ESPwl{\n"
++ " ESPlf setfont\n");
++ printf(" ESPp%c stringwidth pop dup 12 add exch -0.5 mul %.0f add\n ",
++ 'a' + longest_line, width * 0.5f);
++ for (n = 1; n < lines; n++)
++ printf(" dup");
++ printf("\n 1 setgray\n");
++ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n",
++ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines));
++ printf(" dup 6 sub %.0f %d index %.0f ESPrf\n",
++ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines));
++ printf(" 0 setgray\n");
++ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n",
++ (bottom - 2.0), (2 + lines), 6.0 + (16.0 * lines));
++ printf(" dup 6 sub %.0f %d index %.0f ESPrs\n",
++ (top - 6.0 - (16.0 * lines)), (2 + lines), 4.0 + (16.0 * lines));
++ for (n = 0; n < lines; n ++)
++ {
++ printf(" dup %.0f moveto ESPp%c show\n",
++ bottom + 6.0 + ((lines - (n+1)) * 16.0), 'a' + n);
++ printf(" %.0f moveto ESPp%c show\n", top + 2.0 - ((n + 1) * 16.0), 'a' + n);
++ }
++ printf(" pop\n"
++ "}bind put\n");
++
++ /*
++ * Do some clean up at the end of the LSPP special case
++ */
++ free(wrapped_label);
++
++ }
++ else
++ {
++#endif /* !WITH_LSPP */
++
+ /*
+ * Set the classification + page label string...
+ */
+@@ -3270,7 +3400,10 @@ write_label_prolog(pstops_doc_t *doc, /*
+ doc_printf(doc, " %.0f moveto ESPpl show\n", top - 14.0);
+ doc_puts(doc, "pop\n");
+ doc_puts(doc, "}bind put\n");
++ }
++#ifdef WITH_LSPP
+ }
++#endif /* WITH_LSPP */
+
+
+ /*
+diff -up cups-2.3.0/Makedefs.in.lspp cups-2.3.0/Makedefs.in
+--- cups-2.3.0/Makedefs.in.lspp 2019-10-07 12:24:43.059597461 +0200
++++ cups-2.3.0/Makedefs.in 2019-10-07 12:37:19.200565805 +0200
+@@ -174,7 +174,7 @@ IPPFIND_MAN = @IPPFIND_MAN@
+ LDFLAGS = @LDFLAGS@
+ LINKCUPS = @LINKCUPS@
+ LINKCUPSSTATIC = ../cups/$(LIBCUPSSTATIC) $(LIBS)
+-LIBS = $(LIBGSSAPI) $(DNSSDLIBS) $(SSLLIBS) $(LIBZ) $(COMMONLIBS)
++LIBS = $(LIBGSSAPI) $(DNSSDLIBS) $(SSLLIBS) $(LIBZ) $(COMMONLIBS) @LIBAUDIT@ @LIBSELINUX@
+ ONDEMANDFLAGS = @ONDEMANDFLAGS@
+ ONDEMANDLIBS = @ONDEMANDLIBS@
+ OPTIM = @OPTIM@
+diff -up cups-2.3.0/scheduler/client.c.lspp cups-2.3.0/scheduler/client.c
+--- cups-2.3.0/scheduler/client.c.lspp 2019-08-23 17:19:38.000000000 +0200
++++ cups-2.3.0/scheduler/client.c 2019-10-07 12:33:10.459693580 +0200
+@@ -19,12 +19,20 @@
+ #define _HTTP_NO_PRIVATE
+ #include "cupsd.h"
+
++#ifndef _GNU_SOURCE
++#define _GNU_SOURCE
++#endif /* !defined(_GNU_SOURCE) */
+ #ifdef __APPLE__
+ # include
+ #endif /* __APPLE__ */
+ #ifdef HAVE_TCPD_H
+ # include
+ #endif /* HAVE_TCPD_H */
++#ifdef WITH_LSPP
++# include
++# include
++# include
++#endif /* WITH_LSPP */
+
+
+ /*
+@@ -265,6 +273,59 @@ cupsdAcceptClient(cupsd_listener_t *lis)
+ }
+ #endif /* HAVE_TCPD_H */
+
++#ifdef WITH_LSPP
++ if (is_lspp_config())
++ {
++ struct ucred cr;
++ unsigned int cl=sizeof(cr);
++
++ if (getsockopt(httpGetFd(con->http), SOL_SOCKET, SO_PEERCRED, &cr, &cl) == 0)
++ {
++ /*
++ * client_pid_to_auid() can be racey
++ * In this case the pid is based on a socket connected to the client
++ */
++ if ((con->auid = client_pid_to_auid(cr.pid)) == -1)
++ {
++ httpClose(con->http);
++ cupsdLogClient(con, CUPSD_LOG_ERROR,
++ "Unable to determine client auid for client pid=%d",
++ cr.pid);
++ free(con);
++ return;
++ }
++ cupsdLogClient(con, CUPSD_LOG_INFO,
++ "peer's pid=%d, uid=%d, gid=%d, auid=%d",
++ cr.pid, cr.uid, cr.gid, con->auid);
++ }
++ else
++ {
++ httpClose(con->http);
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "getsockopt() failed");
++ free(con);
++ return;
++ }
++
++ /*
++ * get the context of the peer connection
++ */
++ if (getpeercon(httpGetFd(con->http), &con->scon))
++ {
++ httpClose(con->http);
++ cupsdLogClient(con, CUPSD_LOG_ERROR, "getpeercon() failed");
++ free(con);
++ return;
++ }
++
++ cupsdLogClient(con, CUPSD_LOG_INFO, "client context=%s", con->scon);
++ }
++ else
++ {
++ cupsdLogClient(con, CUPSD_LOG_DEBUG, "skipping getpeercon()");
++ cupsdSetString(&con->scon, UNKNOWN_SL);
++ }
++#endif /* WITH_LSPP */
++
+ #ifdef AF_LOCAL
+ if (httpAddrFamily(httpGetAddress(con->http)) == AF_LOCAL)
+ {
+@@ -558,6 +619,13 @@ cupsdReadClient(cupsd_client_t *con) /*
+ struct stat filestats; /* File information */
+ mime_type_t *type; /* MIME type of file */
+ static unsigned request_id = 0; /* Request ID for temp files */
++#ifdef WITH_LSPP
++ security_context_t spoolcon; /* context of the job file */
++ context_t clicon; /* contex_t container for con->scon */
++ context_t tmpcon; /* temp context to swap the level */
++ char *clirange; /* SELinux sensitivity range */
++ char *cliclearance; /* SELinux low end clearance */
++#endif /* WITH_LSPP */
+
+
+ status = HTTP_STATUS_CONTINUE;
+@@ -1679,6 +1747,73 @@ cupsdReadClient(cupsd_client_t *con) /*
+ fcntl(con->file, F_SETFD, fcntl(con->file, F_GETFD) | FD_CLOEXEC);
+ }
+
++#ifdef WITH_LSPP
++ if (strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0)
++ {
++ if (getfilecon(con->filename, &spoolcon) == -1)
++ {
++ cupsdSendError(con, HTTP_STATUS_SERVER_ERROR, CUPSD_AUTH_NONE);
++ cupsdCloseClient(con);
++ return;
++ }
++ clicon = context_new(con->scon);
++ tmpcon = context_new(spoolcon);
++ freecon(spoolcon);
++ if (!clicon || !tmpcon)
++ {
++ cupsdSendError(con, HTTP_STATUS_SERVER_ERROR, CUPSD_AUTH_NONE);
++ if (clicon)
++ context_free(clicon);
++ if (tmpcon)
++ context_free(tmpcon);
++ cupsdCloseClient(con);
++ return;
++ }
++ clirange = (char *) context_range_get(clicon);
++ if (clirange)
++ {
++ clirange = strdup(clirange);
++ if ((cliclearance = strtok(clirange, "-")) != NULL)
++ {
++ if (context_range_set(tmpcon, cliclearance) == -1)
++ {
++ cupsdSendError(con, HTTP_STATUS_SERVER_ERROR, CUPSD_AUTH_NONE);
++ free(clirange);
++ context_free(tmpcon);
++ context_free(clicon);
++ cupsdCloseClient(con);
++ return;
++ }
++ }
++ else
++ {
++ if (context_range_set(tmpcon, (context_range_get(clicon))) == -1)
++ {
++ cupsdSendError(con, HTTP_STATUS_SERVER_ERROR, CUPSD_AUTH_NONE);
++ free(clirange);
++ context_free(tmpcon);
++ context_free(clicon);
++ cupsdCloseClient(con);
++ return;
++ }
++ }
++ free(clirange);
++ }
++ if (setfilecon(con->filename, context_str(tmpcon)) == -1)
++ {
++ cupsdSendError(con, HTTP_STATUS_SERVER_ERROR, CUPSD_AUTH_NONE);
++ context_free(tmpcon);
++ context_free(clicon);
++ cupsdCloseClient(con);
++ return;
++ }
++ cupsdLogClient(con, CUPSD_LOG_DEBUG2, "%s set to %s",
++ con->filename, context_str(tmpcon));
++ context_free(tmpcon);
++ context_free(clicon);
++ }
++#endif /* WITH_LSPP */
++
+ if (httpGetState(con->http) != HTTP_STATE_POST_SEND)
+ {
+ if (!httpWait(con->http, 0))
+@@ -3174,6 +3309,49 @@ is_path_absolute(const char *path) /* I
+ return (1);
+ }
+
++#ifdef WITH_LSPP
++/*
++ * 'client_pid_to_auid()' - Using the client's pid, read /proc and determine the loginuid.
++ */
++
++uid_t client_pid_to_auid(pid_t clipid)
++{
++ uid_t uid;
++ int len, in;
++ char buf[16] = {0};
++ char fname[32] = {0};
++
++
++ /*
++ * Hopefully this pid is still the one we are interested in.
++ */
++ snprintf(fname, 32, "/proc/%d/loginuid", clipid);
++ in = open(fname, O_NOFOLLOW|O_RDONLY);
++
++ if (in < 0)
++ return (uid_t) -1;
++
++ errno = 0;
++
++ do {
++ len = read(in, buf, sizeof(buf));
++ } while (len < 0 && errno == EINTR);
++
++ close(in);
++
++ if (len < 0 || len >= sizeof(buf))
++ return (uid_t) -1;
++
++ errno = 0;
++ buf[len] = 0;
++ uid = strtol(buf, 0, 10);
++
++ if (errno != 0)
++ return (uid_t) -1;
++ else
++ return uid;
++}
++#endif /* WITH_LSPP */
+
+ /*
+ * 'pipe_command()' - Pipe the output of a command to the remote client.
+diff -up cups-2.3.0/scheduler/client.h.lspp cups-2.3.0/scheduler/client.h
+--- cups-2.3.0/scheduler/client.h.lspp 2019-08-23 17:19:38.000000000 +0200
++++ cups-2.3.0/scheduler/client.h 2019-10-07 12:24:43.113597079 +0200
+@@ -13,6 +13,13 @@
+ #endif /* HAVE_AUTHORIZATION_H */
+
+
++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
++
++#ifdef WITH_LSPP
++#include
++#endif /* WITH_LSPP */
++
+ /*
+ * HTTP client structure...
+ */
+@@ -63,6 +70,10 @@ struct cupsd_client_s
+ #ifdef HAVE_AUTHORIZATION_H
+ AuthorizationRef authref; /* Authorization ref */
+ #endif /* HAVE_AUTHORIZATION_H */
++#ifdef WITH_LSPP
++ security_context_t scon; /* Security context of connection */
++ uid_t auid; /* Audit loginuid of the client */
++#endif /* WITH_LSPP */
+ };
+
+ #define HTTP(con) ((con)->http)
+@@ -136,6 +147,9 @@ extern void cupsdStartListening(void);
+ extern void cupsdStopListening(void);
+ extern void cupsdUpdateCGI(void);
+ extern void cupsdWriteClient(cupsd_client_t *con);
++#ifdef WITH_LSPP
++extern uid_t client_pid_to_auid(pid_t clipid);
++#endif /* WITH_LSPP */
+
+ #ifdef HAVE_SSL
+ extern int cupsdEndTLS(cupsd_client_t *con);
+diff -up cups-2.3.0/scheduler/conf.c.lspp cups-2.3.0/scheduler/conf.c
+--- cups-2.3.0/scheduler/conf.c.lspp 2019-10-07 12:24:43.049597531 +0200
++++ cups-2.3.0/scheduler/conf.c 2019-10-07 12:24:43.113597079 +0200
+@@ -37,6 +37,9 @@
+ # define INADDR_NONE 0xffffffff
+ #endif /* !INADDR_NONE */
+
++#ifdef WITH_LSPP
++# include
++#endif /* WITH_LSPP */
+
+ /*
+ * Configuration variable structure...
+@@ -131,6 +134,10 @@ static const cupsd_var_t cupsd_vars[] =
+ { "ServerName", &ServerName, CUPSD_VARTYPE_STRING },
+ { "StrictConformance", &StrictConformance, CUPSD_VARTYPE_BOOLEAN },
+ { "Timeout", &Timeout, CUPSD_VARTYPE_TIME },
++#ifdef WITH_LSPP
++ { "AuditLog", &AuditLog, CUPSD_VARTYPE_INTEGER },
++ { "PerPageLabels", &PerPageLabels, CUPSD_VARTYPE_BOOLEAN },
++#endif /* WITH_LSPP */
+ { "WebInterface", &WebInterface, CUPSD_VARTYPE_BOOLEAN }
+ };
+ static const cupsd_var_t cupsfiles_vars[] =
+@@ -544,6 +551,9 @@ cupsdReadConfiguration(void)
+ const char *tmpdir; /* TMPDIR environment variable */
+ struct stat tmpinfo; /* Temporary directory info */
+ cupsd_policy_t *p; /* Policy */
++#ifdef WITH_LSPP
++ char *audit_message; /* Audit message string */
++#endif /* WITH_LSPP */
+
+
+ /*
+@@ -864,6 +874,25 @@ cupsdReadConfiguration(void)
+
+ RunUser = getuid();
+
++#ifdef WITH_LSPP
++ if (AuditLog != -1)
++ {
++ /*
++ * ClassifyOverride is set during read_configuration, if its ON, report it now
++ */
++ if (ClassifyOverride)
++ audit_log_user_message(AuditLog, AUDIT_USYS_CONFIG,
++ "[Config] ClassifyOverride=enabled Users can override print banners",
++ ServerName, NULL, NULL, 1);
++ /*
++ * PerPageLabel is set during read_configuration, if its OFF, report it now
++ */
++ if (!PerPageLabels)
++ audit_log_user_message(AuditLog, AUDIT_USYS_CONFIG,
++ "[Config] PerPageLabels=disabled", ServerName, NULL, NULL, 1);
++ }
++#endif /* WITH_LSPP */
++
+ cupsdLogMessage(CUPSD_LOG_INFO, "Remote access is %s.",
+ RemotePort ? "enabled" : "disabled");
+
+@@ -1275,7 +1304,19 @@ cupsdReadConfiguration(void)
+ cupsdClearString(&Classification);
+
+ if (Classification)
++ {
+ cupsdLogMessage(CUPSD_LOG_INFO, "Security set to \"%s\"", Classification);
++#ifdef WITH_LSPP
++ if (AuditLog != -1)
++ {
++ audit_message = NULL;
++ cupsdSetStringf(&audit_message, "[Config] Classification=%s", Classification);
++ audit_log_user_message(AuditLog, AUDIT_LABEL_LEVEL_CHANGE, audit_message,
++ ServerName, NULL, NULL, 1);
++ cupsdClearString(&audit_message);
++ }
++#endif /* WITH_LSPP */
++ }
+
+ /*
+ * Check the MaxClients setting, and then allocate memory for it...
+@@ -3830,6 +3871,18 @@ read_location(cups_file_t *fp, /* I - C
+ return ((FatalErrors & CUPSD_FATAL_CONFIG) ? 0 : linenum);
+ }
+
++#ifdef WITH_LSPP
++int is_lspp_config()
++{
++ if (Classification != NULL)
++ return ((_cups_strcasecmp(Classification, MLS_CONFIG) == 0)
++ || (_cups_strcasecmp(Classification, TE_CONFIG) == 0)
++ || (_cups_strcasecmp(Classification, SELINUX_CONFIG) == 0));
++ else
++ return 0;
++}
++#endif /* WITH_LSPP */
++
+
+ /*
+ * 'read_policy()' - Read a definition.
+diff -up cups-2.3.0/scheduler/conf.h.lspp cups-2.3.0/scheduler/conf.h
+--- cups-2.3.0/scheduler/conf.h.lspp 2019-08-23 17:19:38.000000000 +0200
++++ cups-2.3.0/scheduler/conf.h 2019-10-07 12:24:43.113597079 +0200
+@@ -243,6 +243,13 @@ VAR char *ServerKeychain VALUE(NULL);
+ /* Keychain holding cert + key */
+ #endif /* HAVE_SSL */
+
++#ifdef WITH_LSPP
++VAR int AuditLog VALUE(-1),
++ /* File descriptor for audit */
++ PerPageLabels VALUE(TRUE);
++ /* Put the label on each page */
++#endif /* WITH_LSPP */
++
+ #ifdef HAVE_ONDEMAND
+ VAR int IdleExitTimeout VALUE(60);
+ /* Time after which an idle cupsd will exit */
+@@ -261,6 +268,9 @@ VAR int HaveServerCreds VALUE(0);
+ VAR gss_cred_id_t ServerCreds; /* Server's GSS credentials */
+ #endif /* HAVE_GSSAPI */
+
++#ifdef WITH_LSPP
++extern int is_lspp_config(void);
++#endif /* WITH_LSPP */
+
+ /*
+ * Prototypes...
+diff -up cups-2.3.0/scheduler/cupsd.h.lspp cups-2.3.0/scheduler/cupsd.h
+--- cups-2.3.0/scheduler/cupsd.h.lspp 2019-08-23 17:19:38.000000000 +0200
++++ cups-2.3.0/scheduler/cupsd.h 2019-10-07 12:31:38.458480578 +0200
+@@ -8,6 +8,8 @@
+ * information.
+ */
+
++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
+
+ /*
+ * Include necessary headers.
+@@ -33,6 +35,14 @@
+ # include
+ #endif /* _WIN32 */
+
++#include "config.h"
++#ifdef WITH_LSPP
++# define MLS_CONFIG "mls"
++# define TE_CONFIG "te"
++# define SELINUX_CONFIG "SELinux"
++# define UNKNOWN_SL "UNKNOWN SL"
++#endif /* WITH_LSPP */
++
+ #include "mime.h"
+
+ #if defined(HAVE_CDSASSL)
+diff -up cups-2.3.0/scheduler/ipp.c.lspp cups-2.3.0/scheduler/ipp.c
+--- cups-2.3.0/scheduler/ipp.c.lspp 2019-10-07 12:24:43.016597764 +0200
++++ cups-2.3.0/scheduler/ipp.c 2019-10-07 12:31:01.243798920 +0200
+@@ -11,6 +11,9 @@
+ * information.
+ */
+
++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
++
+ /*
+ * Include necessary headers...
+ */
+@@ -27,6 +30,14 @@ extern int mbr_group_name_to_uuid(const
+ extern int mbr_check_membership_by_id(uuid_t user, gid_t group, int* ismember);
+ #endif /* __APPLE__ */
+
++#ifdef WITH_LSPP
++#include
++#include
++#include
++#include
++#include
++#include
++#endif /* WITH_LSPP */
+
+ /*
+ * Local functions...
+@@ -51,6 +62,9 @@ static void cancel_all_jobs(cupsd_client
+ static void cancel_job(cupsd_client_t *con, ipp_attribute_t *uri);
+ static void cancel_subscription(cupsd_client_t *con, int id);
+ static int check_rss_recipient(const char *recipient);
++#ifdef WITH_LSPP
++static int check_context(cupsd_client_t *con, cupsd_job_t *job);
++#endif /* WITH_LSPP */
+ static int check_quotas(cupsd_client_t *con, cupsd_printer_t *p);
+ static void close_job(cupsd_client_t *con, ipp_attribute_t *uri);
+ static void copy_attrs(ipp_t *to, ipp_t *from, cups_array_t *ra,
+@@ -1240,6 +1254,21 @@ add_job(cupsd_client_t *con, /* I - Cl
+ "time-at-creation",
+ "time-at-processing"
+ };
++#ifdef WITH_LSPP
++ char *audit_message; /* Audit message string */
++ char *printerfile; /* device file pointed to by the printer */
++ char *userheader = NULL; /* User supplied job-sheets[0] */
++ char *userfooter = NULL; /* User supplied job-sheets[1] */
++ int override = 0; /* Was a banner overrode on a job */
++ security_id_t clisid; /* SELinux SID for the client */
++ security_id_t psid; /* SELinux SID for the printer */
++ context_t printercon; /* Printer's context string */
++ struct stat printerstat; /* Printer's stat buffer */
++ security_context_t devcon; /* Printer's SELinux context */
++ struct avc_entry_ref avcref; /* Pointer to the access vector cache */
++ security_class_t tclass; /* Object class for the SELinux check */
++ access_vector_t avr; /* Access method being requested */
++#endif /* WITH_LSPP */
+
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "add_job(%p[%d], %p(%s), %p(%s/%s))",
+@@ -1568,6 +1597,106 @@ add_job(cupsd_client_t *con, /* I - Cl
+
+ attr = ippFindAttribute(con->request, "requesting-user-name", IPP_TAG_NAME);
+
++#ifdef WITH_LSPP
++ if (is_lspp_config())
++ {
++ if (!con->scon || strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0)
++ {
++ cupsdLogMessage(CUPSD_LOG_ERROR, "add_job: missing classification for connection \'%s\'!", printer->name);
++ send_ipp_status(con, IPP_INTERNAL_ERROR, _("Missing required security attributes."));
++ return (NULL);
++ }
++
++ /*
++ * Perform an access check so that if the user gets feedback at enqueue time
++ */
++
++ printerfile = strstr(printer->device_uri, "/dev/");
++ if (printerfile == NULL && (strncmp(printer->device_uri, "file:/", 6) == 0))
++ printerfile = printer->device_uri + strlen("file:");
++
++ if (printerfile != NULL)
++ {
++ cupsdLogMessage(CUPSD_LOG_DEBUG, "add_job: Attempting an access check on printer device %s",
++ printerfile);
++
++ if (lstat(printerfile, &printerstat) < 0)
++ {
++ if (errno != ENOENT)
++ {
++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to stat the printer"));
++ return (NULL);
++ }
++ /*
++ * The printer does not exist, so for now assume it's a FileDevice
++ */
++ tclass = SECCLASS_FILE;
++ avr = FILE__WRITE;
++ }
++ else if (S_ISCHR(printerstat.st_mode))
++ {
++ tclass = SECCLASS_CHR_FILE;
++ avr = CHR_FILE__WRITE;
++ }
++ else if (S_ISREG(printerstat.st_mode))
++ {
++ tclass = SECCLASS_FILE;
++ avr = FILE__WRITE;
++ }
++ else
++ {
++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Printer is not a character device or regular file"));
++ return (NULL);
++ }
++ static int avc_initialized = 0;
++ if (!avc_initialized++)
++ avc_init("cupsd_enqueue_", NULL, NULL, NULL, NULL);
++ avc_entry_ref_init(&avcref);
++ if (avc_context_to_sid(con->scon, &clisid) != 0)
++ {
++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to get the SELinux sid of the client"));
++ return (NULL);
++ }
++ if (getfilecon(printerfile, &devcon) == -1)
++ {
++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to get the SELinux context of the printer"));
++ return (NULL);
++ }
++ printercon = context_new(devcon);
++ cupsdLogMessage(CUPSD_LOG_DEBUG, "add_job: printer context %s client context %s",
++ context_str(printercon), con->scon);
++ context_free(printercon);
++
++ if (avc_context_to_sid(devcon, &psid) != 0)
++ {
++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("Unable to get the SELinux sid of the printer"));
++ freecon(devcon);
++ return (NULL);
++ }
++ freecon(devcon);
++ if (avc_has_perm(clisid, psid, tclass, avr, &avcref, NULL) != 0)
++ {
++ /*
++ * The access check failed, so cancel the job and send an audit message
++ */
++ if (AuditLog != -1)
++ {
++ audit_message = NULL;
++ cupsdSetStringf(&audit_message, "job=? auid=%u acct=%s obj=%s refused"
++ " unable to access printer=%s", con->auid,
++ con->username, con->scon, printer->name);
++ audit_log_user_message(AuditLog, AUDIT_USER_LABELED_EXPORT, audit_message,
++ ServerName, NULL, NULL, 0);
++ cupsdClearString(&audit_message);
++ }
++
++ send_ipp_status(con, IPP_NOT_AUTHORIZED, _("SELinux prohibits access to the printer"));
++ return (NULL);
++ }
++ }
++ }
++#endif /* WITH_LSPP */
++
+ if ((job = cupsdAddJob(priority, printer->name)) == NULL)
+ {
+ send_ipp_status(con, IPP_INTERNAL_ERROR,
+@@ -1576,6 +1705,32 @@ add_job(cupsd_client_t *con, /* I - Cl
+ return (NULL);
+ }
+
++#ifdef WITH_LSPP
++ if (is_lspp_config())
++ {
++ /*
++ * duplicate the security context and auid of the connection into the job structure
++ */
++ job->scon = strdup(con->scon);
++ job->auid = con->auid;
++
++ /*
++ * add the security context to the request so that on a restart the security
++ * attributes will be able to be restored
++ */
++ ippAddString(con->request, IPP_TAG_JOB, IPP_TAG_NAME, "security-context",
++ NULL, job->scon);
++ }
++ else
++ {
++ /*
++ * Fill in the security context of the job as unlabeled
++ */
++ cupsdLogMessage(CUPSD_LOG_DEBUG, "add_job: setting context of job to %s", UNKNOWN_SL);
++ cupsdSetString(&job->scon, UNKNOWN_SL);
++ }
++#endif /* WITH_LSPP */
++
+ job->dtype = printer->type & (CUPS_PRINTER_CLASS | CUPS_PRINTER_REMOTE);
+ job->attrs = con->request;
+ job->dirty = 1;
+@@ -1763,6 +1918,29 @@ add_job(cupsd_client_t *con, /* I - Cl
+ ippSetString(job->attrs, &attr, 0, printer->job_sheets[0]);
+ ippSetString(job->attrs, &attr, 1, printer->job_sheets[1]);
+ }
++#ifdef WITH_LSPP
++ else
++ {
++ /*
++ * The option was present, so capture the user supplied strings
++ */
++ userheader = strdup(attr->values[0].string.text);
++
++ if (attr->num_values > 1)
++ userfooter = strdup(attr->values[1].string.text);
++
++ if (Classification != NULL && (strcmp(userheader, Classification) == 0)
++ && userfooter &&(strcmp(userfooter, Classification) == 0))
++ {
++ /*
++ * Since both values are Classification, the user is not trying to Override
++ */
++ free(userheader);
++ if (userfooter) free(userfooter);
++ userheader = userfooter = NULL;
++ }
++ }
++#endif /* WITH_LSPP */
+
+ job->job_sheets = attr;
+
+@@ -1793,6 +1971,9 @@ add_job(cupsd_client_t *con, /* I - Cl
+ "job-sheets=\"%s,none\", "
+ "job-originating-user-name=\"%s\"",
+ Classification, job->username);
++#ifdef WITH_LSPP
++ override = 1;
++#endif /* WITH_LSPP */
+ }
+ else if (attr->num_values == 2 &&
+ strcmp(attr->values[0].string.text,
+@@ -1811,6 +1992,9 @@ add_job(cupsd_client_t *con, /* I - Cl
+ "job-originating-user-name=\"%s\"",
+ attr->values[0].string.text,
+ attr->values[1].string.text, job->username);
++#ifdef WITH_LSPP
++ override = 1;
++#endif /* WITH_LSPP */
+ }
+ else if (strcmp(attr->values[0].string.text, Classification) &&
+ strcmp(attr->values[0].string.text, "none") &&
+@@ -1831,6 +2015,9 @@ add_job(cupsd_client_t *con, /* I - Cl
+ "job-originating-user-name=\"%s\"",
+ attr->values[0].string.text,
+ attr->values[1].string.text, job->username);
++#ifdef WITH_LSPP
++ override = 1;
++#endif /* WITH_LSPP */
+ }
+ }
+ else if (strcmp(attr->values[0].string.text, Classification) &&
+@@ -1871,8 +2058,52 @@ add_job(cupsd_client_t *con, /* I - Cl
+ "job-sheets=\"%s\", "
+ "job-originating-user-name=\"%s\"",
+ Classification, job->username);
++#ifdef WITH_LSPP
++ override = 1;
++#endif /* WITH_LSPP */
++ }
++#ifdef WITH_LSPP
++ if (is_lspp_config() && AuditLog != -1)
++ {
++ audit_message = NULL;
++
++ if (userheader || userfooter)
++ {
++ if (!override)
++ {
++ /*
++ * The user overrode the banner, so audit it
++ */
++ cupsdSetStringf(&audit_message, "job=%d user supplied job-sheets=%s,%s"
++ " using banners=%s,%s", job->id, userheader,
++ userfooter, attr->values[0].string.text,
++ (attr->num_values > 1) ? attr->values[1].string.text : "(null)");
++ audit_log_user_message(AuditLog, AUDIT_LABEL_OVERRIDE, audit_message,
++ ServerName, NULL, NULL, 1);
++ }
++ else
++ {
++ /*
++ * The user tried to override the banner, audit the failure
++ */
++ cupsdSetStringf(&audit_message, "job=%d user supplied job-sheets=%s,%s"
++ " ignored banners=%s,%s", job->id, userheader,
++ userfooter, attr->values[0].string.text,
++ (attr->num_values > 1) ? attr->values[1].string.text : "(null)");
++ audit_log_user_message(AuditLog, AUDIT_LABEL_OVERRIDE, audit_message,
++ ServerName, NULL, NULL, 0);
++ }
++ cupsdClearString(&audit_message);
++ }
+ }
++
++ if (userheader)
++ free(userheader);
++ if (userfooter)
++ free(userfooter);
++#endif /* WITH_LSPP */
+ }
++
+
+ /*
+ * See if we need to add the starting sheet...
+@@ -3648,6 +3879,128 @@ check_rss_recipient(
+ }
+
+
++#ifdef WITH_LSPP
++/*
++ * 'check_context()' - Check SELinux security context of a user and job
++ */
++
++static int /* O - 1 if OK, 0 if not, -1 on error */
++check_context(cupsd_client_t *con, /* I - Client connection */
++ cupsd_job_t *job) /* I - Job */
++{
++ int enforcing; /* is SELinux in enforcing mode */
++ char filename[1024]; /* Filename of the spool file */
++ security_id_t clisid; /* SELinux SID of the client */
++ security_id_t jobsid; /* SELinux SID of the job */
++ security_id_t filesid; /* SELinux SID of the spool file */
++ struct avc_entry_ref avcref; /* AVC entry cache pointer */
++ security_class_t tclass; /* SELinux security class */
++ access_vector_t avr; /* SELinux access being queried */
++ security_context_t spoolfilecon; /* SELinux context of the spool file */
++
++
++ /*
++ * Validate the input to be sure there are contexts to work with...
++ */
++
++ if (con->scon == NULL || job->scon == NULL
++ || strncmp(con->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0
++ || strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0)
++ return -1;
++
++ if ((enforcing = security_getenforce()) == -1)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "Error while determining SELinux enforcement");
++ return -1;
++ }
++ cupsdLogJob(job, CUPSD_LOG_DEBUG,
++ "check_context: client context %s job context %s",
++ con->scon, job->scon);
++
++
++ /*
++ * Initialize the avc engine...
++ */
++
++ static int avc_initialized = 0;
++ if (! avc_initialized++)
++ {
++ if (avc_init("cupsd", NULL, NULL, NULL, NULL) < 0)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR, "check_context: unable avc_init");
++ return -1;
++ }
++ }
++ if (avc_context_to_sid(con->scon, &clisid) != 0)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "check_context: unable to convert %s to SELinux sid",
++ con->scon);
++ return -1;
++ }
++ if (avc_context_to_sid(job->scon, &jobsid) != 0)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "check_context: unable to convert %s to SELinux sid",
++ job->scon);
++ return -1;
++ }
++ avc_entry_ref_init(&avcref);
++ tclass = SECCLASS_FILE;
++ avr = FILE__READ;
++
++ /*
++ * Perform the check with the client as the subject, first with the job as the object
++ * if that fails then with the spool file as the object...
++ */
++
++ if (avc_has_perm_noaudit(clisid, jobsid, tclass, avr, &avcref, NULL) != 0)
++ {
++ cupsdLogJob(job, CUPSD_LOG_INFO,
++ "check_context: SELinux denied access "
++ "based on the client context");
++
++ snprintf(filename, sizeof(filename), "%s/c%05d", RequestRoot, job->id);
++ if (getfilecon(filename, &spoolfilecon) == -1)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "check_context: Unable to get spoolfile context");
++ return -1;
++ }
++ if (avc_context_to_sid(spoolfilecon, &filesid) != 0)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "check_context: Unable to determine the "
++ "SELinux sid for the spool file");
++ freecon(spoolfilecon);
++ return -1;
++ }
++ freecon(spoolfilecon);
++ if (avc_has_perm_noaudit(clisid, filesid, tclass, avr, &avcref, NULL) != 0)
++ {
++ cupsdLogJob(job, CUPSD_LOG_INFO,
++ "check_context: SELinux denied access to the spool file");
++ return 0;
++ }
++ cupsdLogJob(job, CUPSD_LOG_INFO,
++ "check_context: SELinux allowed access to the spool file");
++ return 1;
++ }
++ else
++ if (enforcing == 0)
++ cupsdLogJob(job, CUPSD_LOG_INFO,
++ "check_context: allowing operation due to permissive mode");
++ else
++ cupsdLogJob(job, CUPSD_LOG_INFO,
++ "check_context: SELinux allowed access based on the "
++ "client context");
++
++ return 1;
++}
++#endif /* WITH_LSPP */
++
++
+ /*
+ * 'check_quotas()' - Check quotas for a printer and user.
+ */
+@@ -4103,6 +4456,15 @@ copy_banner(cupsd_client_t *con, /* I -
+ char attrname[255], /* Name of attribute */
+ *s; /* Pointer into name */
+ ipp_attribute_t *attr; /* Attribute */
++#ifdef WITH_LSPP
++ const char *mls_label; /* SL of print job */
++ char *jobrange; /* SELinux sensitivity range */
++ char *jobclearance; /* SELinux low end clearance */
++ context_t jobcon; /* SELinux context of the job */
++ context_t tmpcon; /* Temp context to set the level */
++ security_context_t spoolcon; /* Context of the file in the spool */
++#endif /* WITH_LSPP */
++
+
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
+@@ -4138,6 +4500,85 @@ copy_banner(cupsd_client_t *con, /* I -
+
+ fchmod(cupsFileNumber(out), 0640);
+ fchown(cupsFileNumber(out), RunUser, Group);
++#ifdef WITH_LSPP
++ if (job->scon != NULL &&
++ strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0)
++ {
++ if (getfilecon(filename, &spoolcon) == -1)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "Unable to get the context of the banner file %s - %s",
++ filename, strerror(errno));
++ job->num_files --;
++ return (0);
++ }
++ tmpcon = context_new(spoolcon);
++ jobcon = context_new(job->scon);
++ freecon(spoolcon);
++ if (!tmpcon || !jobcon)
++ {
++ if (tmpcon)
++ context_free(tmpcon);
++ if (jobcon)
++ context_free(jobcon);
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "copy_banner: Unable to get the SELinux contexts");
++ job->num_files --;
++ return (0);
++ }
++ jobrange = (char *) context_range_get(jobcon);
++ if (jobrange)
++ {
++ jobrange = strdup(jobrange);
++ if ((jobclearance = strtok(jobrange, "-")) != NULL)
++ {
++ if (context_range_set(tmpcon, jobclearance) == -1)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "copy_banner: Unable to set the "
++ "level of the context for file %s - %s",
++ filename, strerror(errno));
++ free(jobrange);
++ context_free(jobcon);
++ context_free(tmpcon);
++ job->num_files --;
++ return (0);
++ }
++ }
++ else
++ {
++ if (context_range_set(tmpcon, (context_range_get(jobcon))) == -1)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "copy_banner: Unable to set the "
++ "level of the context for file %s - %s",
++ filename, strerror(errno));
++ free(jobrange);
++ context_free(jobcon);
++ context_free(tmpcon);
++ job->num_files --;
++ return (0);
++ }
++ }
++ free(jobrange);
++ }
++ if (setfilecon(filename, context_str(tmpcon)) == -1)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "copy_banner: Unable to set the "
++ "context of the banner file %s - %s",
++ filename, strerror(errno));
++ context_free(jobcon);
++ context_free(tmpcon);
++ job->num_files --;
++ return (0);
++ }
++ cupsdLogJob(job, CUPSD_LOG_DEBUG2, "copy_banner: %s set to %s",
++ filename, context_str(tmpcon));
++ context_free(jobcon);
++ context_free(tmpcon);
++ }
++#endif /* WITH_LSPP */
+
+ /*
+ * Try the localized banner file under the subdirectory...
+@@ -4232,6 +4673,24 @@ copy_banner(cupsd_client_t *con, /* I -
+ else
+ s = attrname;
+
++#ifdef WITH_LSPP
++ if (strcmp(s, "mls-label") == 0)
++ {
++ if (job->scon != NULL && strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0)
++ {
++ jobcon = context_new(job->scon);
++ if (_cups_strcasecmp(name, MLS_CONFIG) == 0)
++ mls_label = context_range_get(jobcon);
++ else if (_cups_strcasecmp(name, TE_CONFIG) == 0)
++ mls_label = context_type_get(jobcon);
++ else // default to using the whole context string
++ mls_label = context_str(jobcon);
++ cupsFilePuts(out, mls_label);
++ context_free(jobcon);
++ }
++ continue;
++ }
++#endif /* WITH_LSPP */
+ if (!strcmp(s, "printer-name"))
+ {
+ cupsFilePuts(out, job->dest);
+@@ -6439,6 +6898,22 @@ get_job_attrs(cupsd_client_t *con, /* I
+
+ exclude = cupsdGetPrivateAttrs(policy, con, printer, job->username);
+
++
++#ifdef WITH_LSPP
++ /*
++ * Check SELinux...
++ */
++ if (is_lspp_config() && check_context(con, job) != 1)
++ {
++ /*
++ * Unfortunately we have to lie to the user...
++ */
++ send_ipp_status(con, IPP_NOT_FOUND, _("Job #%d does not exist!"), jobid);
++ return;
++ }
++#endif /* WITH_LSPP */
++
++
+ /*
+ * Copy attributes...
+ */
+@@ -6836,6 +7311,11 @@ get_jobs(cupsd_client_t *con, /* I - C
+ if (username[0] && _cups_strcasecmp(username, job->username))
+ continue;
+
++#ifdef WITH_LSPP
++ if (is_lspp_config() && check_context(con, job) != 1)
++ continue;
++#endif /* WITH_LSPP */
++
+ if (count > 0)
+ ippAddSeparator(con->response);
+
+@@ -11445,6 +11925,11 @@ validate_user(cupsd_job_t *job, /* I
+
+ strlcpy(username, get_username(con), userlen);
+
++#ifdef WITH_LSPP
++ if (is_lspp_config() && check_context(con, job) != 1)
++ return 0;
++#endif /* WITH_LSPP */
++
+ /*
+ * Check the username against the owner...
+ */
+diff -up cups-2.3.0/scheduler/job.c.lspp cups-2.3.0/scheduler/job.c
+--- cups-2.3.0/scheduler/job.c.lspp 2019-10-07 12:24:43.024597707 +0200
++++ cups-2.3.0/scheduler/job.c 2019-10-07 12:30:13.092210820 +0200
+@@ -8,6 +8,9 @@
+ * information.
+ */
+
++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
++
+ /*
+ * Include necessary headers...
+ */
+@@ -23,6 +26,14 @@
+ # endif /* HAVE_IOKIT_PWR_MGT_IOPMLIBPRIVATE_H */
+ #endif /* __APPLE__ */
+
++#ifdef WITH_LSPP
++#include
++#include
++#include
++#include
++#include
++#include
++#endif /* WITH_LSPP */
+
+ /*
+ * Design Notes for Job Management
+@@ -544,6 +555,14 @@ cupsdContinueJob(cupsd_job_t *job) /* I
+ /* PRINTER_STATE_REASONS env var */
+ rip_max_cache[255];
+ /* RIP_MAX_CACHE env variable */
++#ifdef WITH_LSPP
++ char *audit_message = NULL; /* Audit message string */
++ context_t jobcon; /* SELinux context of the job */
++ char *label_template = NULL; /* SL to put in classification
++ env var */
++ const char *mls_label = NULL; /* SL to put in classification
++ env var */
++#endif /* WITH_LSPP */
+
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG2,
+@@ -1080,6 +1099,67 @@ cupsdContinueJob(cupsd_job_t *job) /* I
+ if (final_content_type[0])
+ envp[envc ++] = final_content_type;
+
++#ifdef WITH_LSPP
++ if (is_lspp_config())
++ {
++ if (!job->scon || strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) == 0)
++ {
++ if (AuditLog != -1)
++ {
++ audit_message = NULL;
++ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s printer=%s title=%s",
++ job->id, job->auid, job->username, job->printer->name, title);
++ audit_log_user_message(AuditLog, AUDIT_USER_UNLABELED_EXPORT, audit_message,
++ ServerName, NULL, NULL, 1);
++ cupsdClearString(&audit_message);
++ }
++ }
++ else
++ {
++ jobcon = context_new(job->scon);
++
++ if ((attr = ippFindAttribute(job->attrs, "job-sheets", IPP_TAG_NAME)) == NULL)
++ label_template = strdup(Classification);
++ else if (attr->num_values > 1 &&
++ strcmp(attr->values[1].string.text, "none") != 0)
++ label_template = strdup(attr->values[1].string.text);
++ else
++ label_template = strdup(attr->values[0].string.text);
++
++ if (_cups_strcasecmp(label_template, MLS_CONFIG) == 0)
++ mls_label = context_range_get(jobcon);
++ else if (_cups_strcasecmp(label_template, TE_CONFIG) == 0)
++ mls_label = context_type_get(jobcon);
++ else if (_cups_strcasecmp(label_template, SELINUX_CONFIG) == 0)
++ mls_label = context_str(jobcon);
++ else
++ mls_label = label_template;
++
++ if (mls_label && (PerPageLabels || banner_page))
++ {
++ snprintf(classification, sizeof(classification), "CLASSIFICATION=LSPP:%s", mls_label);
++ envp[envc ++] = classification;
++ }
++
++ if ((AuditLog != -1) && !banner_page)
++ {
++ audit_message = NULL;
++ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s printer=%s title=%s"
++ " obj=%s label=%s", job->id, job->auid, job->username,
++ job->printer->name, title, job->scon, mls_label?mls_label:"none");
++ audit_log_user_message(AuditLog, AUDIT_USER_LABELED_EXPORT, audit_message,
++ ServerName, NULL, NULL, 1);
++ cupsdClearString(&audit_message);
++ }
++ context_free(jobcon);
++ free(label_template);
++ }
++ }
++ else
++ /*
++ * Fall through to the non-LSPP behavior
++ */
++#endif /* WITH_LSPP */
+ if (Classification && !banner_page)
+ {
+ if ((attr = ippFindAttribute(job->attrs, "job-sheets",
+@@ -1858,6 +1938,22 @@ cupsdLoadJob(cupsd_job_t *job) /* I - J
+ ippSetString(job->attrs, &job->reasons, 0, "none");
+ }
+
++#ifdef WITH_LSPP
++ if ((attr = ippFindAttribute(job->attrs, "security-context", IPP_TAG_NAME)) != NULL)
++ cupsdSetString(&job->scon, attr->values[0].string.text);
++ else if (is_lspp_config())
++ {
++ /*
++ * There was no security context so delete the job
++ */
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "Missing or bad security-context attribute "
++ "in control file \"%s\"!",
++ jobfile);
++ goto error;
++ }
++#endif /* WITH_LSPP */
++
+ job->impressions = ippFindAttribute(job->attrs, "job-impressions-completed", IPP_TAG_INTEGER);
+ job->sheets = ippFindAttribute(job->attrs, "job-media-sheets-completed", IPP_TAG_INTEGER);
+ job->job_sheets = ippFindAttribute(job->attrs, "job-sheets", IPP_TAG_NAME);
+@@ -2273,6 +2369,14 @@ cupsdSaveJob(cupsd_job_t *job) /* I - J
+ {
+ char filename[1024]; /* Job control filename */
+ cups_file_t *fp; /* Job file */
++#ifdef WITH_LSPP
++ security_context_t spoolcon; /* context of the job control file */
++ context_t jobcon; /* contex_t container for job->scon */
++ context_t tmpcon; /* Temp context to swap the level */
++ char *jobclearance; /* SELinux low end clearance */
++ const char *jobrange; /* SELinux sensitivity range */
++ char *jobrange_copy; /* SELinux sensitivity range */
++#endif /* WITH_LSPP */
+
+
+ cupsdLogMessage(CUPSD_LOG_DEBUG2, "cupsdSaveJob(job=%p(%d)): job->attrs=%p",
+@@ -2295,6 +2399,78 @@ cupsdSaveJob(cupsd_job_t *job) /* I - J
+
+ fchown(cupsFileNumber(fp), RunUser, Group);
+
++#ifdef WITH_LSPP
++ if (job->scon && strncmp(job->scon, UNKNOWN_SL, strlen(UNKNOWN_SL)) != 0)
++ {
++ if (getfilecon(filename, &spoolcon) == -1)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "Unable to get context of job control file \"%s\" - %s.",
++ filename, strerror(errno));
++ return;
++ }
++ jobcon = context_new(job->scon);
++ tmpcon = context_new(spoolcon);
++ freecon(spoolcon);
++ if (!jobcon || !tmpcon)
++ {
++ if (jobcon)
++ context_free(jobcon);
++ if (tmpcon)
++ context_free(tmpcon);
++ cupsdLogJob(job, CUPSD_LOG_ERROR, "Unable to get SELinux contexts");
++ return;
++ }
++ jobrange = context_range_get(jobcon);
++ if (jobrange)
++ {
++ jobrange_copy = strdup(jobrange);
++ if ((jobclearance = strtok(jobrange_copy, "-")) != NULL)
++ {
++ if (context_range_set(tmpcon, jobclearance) == -1)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "Unable to set the range for "
++ "job control file \"%s\" - %s.",
++ filename, strerror(errno));
++ free(jobrange_copy);
++ context_free(tmpcon);
++ context_free(jobcon);
++ return;
++ }
++ }
++ else
++ {
++ if (context_range_set(tmpcon, (context_range_get(jobcon))) == -1)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "Unable to set the range for "
++ "job control file \"%s\" - %s.",
++ filename, strerror(errno));
++ free(jobrange_copy);
++ context_free(tmpcon);
++ context_free(jobcon);
++ return;
++ }
++ }
++ free(jobrange_copy);
++ }
++ if (setfilecon(filename, context_str(tmpcon)) == -1)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "Unable to set context of job control file \"%s\" - %s.",
++ filename, strerror(errno));
++ context_free(tmpcon);
++ context_free(jobcon);
++ return;
++ }
++ cupsdLogJob(job, CUPSD_LOG_DEBUG2, "New spool file context=%s",
++ context_str(tmpcon));
++ context_free(tmpcon);
++ context_free(jobcon);
++ }
++#endif /* WITH_LSPP */
++
+ job->attrs->state = IPP_IDLE;
+
+ if (ippWriteIO(fp, (ipp_iocb_t)cupsFileWrite, 1, NULL,
+@@ -3995,6 +4171,19 @@ get_options(cupsd_job_t *job, /* I - Jo
+ banner_page)
+ continue;
+
++#ifdef WITH_LSPP
++ /*
++ * In LSPP mode refuse to honor the page-label
++ */
++ if (is_lspp_config() &&
++ !strcmp(attr->name, "page-label"))
++ {
++ cupsdLogJob(job, CUPSD_LOG_DEBUG,
++ "Ignoring page-label option due to LSPP mode");
++ continue;
++ }
++#endif /* WITH_LSPP */
++
+ /*
+ * Otherwise add them to the list...
+ */
+@@ -4805,6 +4994,18 @@ start_job(cupsd_job_t *job, /* I -
+ cupsd_printer_t *printer) /* I - Printer to print job */
+ {
+ const char *filename; /* Support filename */
++#ifdef WITH_LSPP
++ char *audit_message = NULL; /* Audit message string */
++ char *printerfile = NULL; /* Device file pointed to by the printer */
++ security_id_t clisid; /* SELinux SID for the client */
++ security_id_t psid; /* SELinux SID for the printer */
++ context_t printercon; /* Printer's context string */
++ struct stat printerstat; /* Printer's stat buffer */
++ security_context_t devcon; /* Printer's SELinux context */
++ struct avc_entry_ref avcref; /* Pointer to the access vector cache */
++ security_class_t tclass; /* Object class for the SELinux check */
++ access_vector_t avr; /* Access method being requested */
++#endif /* WITH_LSPP */
+ ipp_attribute_t *cancel_after = ippFindAttribute(job->attrs,
+ "job-cancel-after",
+ IPP_TAG_INTEGER);
+@@ -4993,6 +5194,113 @@ start_job(cupsd_job_t *job, /* I -
+ fcntl(job->side_pipes[1], F_SETFD,
+ fcntl(job->side_pipes[1], F_GETFD) | FD_CLOEXEC);
+
++#ifdef WITH_LSPP
++ if (is_lspp_config())
++ {
++ /*
++ * Perform an access check before printing, but only if the printer starts with /dev/
++ */
++ printerfile = strstr(printer->device_uri, "/dev/");
++ if (printerfile == NULL && (strncmp(printer->device_uri, "file:/", 6) == 0))
++ printerfile = printer->device_uri + strlen("file:");
++
++ if (printerfile != NULL)
++ {
++ cupsdLogJob(job, CUPSD_LOG_DEBUG,
++ "Attempting to check access on printer device %s",
++ printerfile);
++ if (lstat(printerfile, &printerstat) < 0)
++ {
++ if (errno != ENOENT)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "Unable to stat the printer");
++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
++ return ;
++ }
++ /*
++ * The printer does not exist, so for now assume it's a FileDevice
++ */
++ tclass = SECCLASS_FILE;
++ avr = FILE__WRITE;
++ }
++ else if (S_ISCHR(printerstat.st_mode))
++ {
++ tclass = SECCLASS_CHR_FILE;
++ avr = CHR_FILE__WRITE;
++ }
++ else if (S_ISREG(printerstat.st_mode))
++ {
++ tclass = SECCLASS_FILE;
++ avr = FILE__WRITE;
++ }
++ else
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "StartJob: Printer is not a character device or "
++ "regular file");
++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
++ return ;
++ }
++ static int avc_initialized = 0;
++ if (!avc_initialized++)
++ avc_init("cupsd_dequeue_", NULL, NULL, NULL, NULL);
++ avc_entry_ref_init(&avcref);
++ if (avc_context_to_sid(job->scon, &clisid) != 0)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "Unable to determine the SELinux sid for the job");
++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
++ return ;
++ }
++ if (getfilecon(printerfile, &devcon) == -1)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "Unable to get the SELinux context of %s",
++ printerfile);
++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
++ return ;
++ }
++ printercon = context_new(devcon);
++ cupsdLogJob(job, CUPSD_LOG_DEBUG,
++ "Printer context %s client context %s",
++ context_str(printercon), job->scon);
++ context_free(printercon);
++
++ if (avc_context_to_sid(devcon, &psid) != 0)
++ {
++ cupsdLogJob(job, CUPSD_LOG_ERROR,
++ "Unable to determine the SELinux sid for the printer");
++ freecon(devcon);
++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
++ return ;
++ }
++ freecon(devcon);
++
++ if (avc_has_perm(clisid, psid, tclass, avr, &avcref, NULL) != 0)
++ {
++ /*
++ * The access check failed, so cancel the job and send an audit message
++ */
++ if (AuditLog != -1)
++ {
++ audit_message = NULL;
++ cupsdSetStringf(&audit_message, "job=%d auid=%u acct=%s obj=%s canceled"
++ " unable to access printer=%s", job->id,
++ job->auid, (job->username)?job->username:"?", job->scon, printer->name);
++ audit_log_user_message(AuditLog, AUDIT_USER_LABELED_EXPORT, audit_message,
++ ServerName, NULL, NULL, 0);
++ cupsdClearString(&audit_message);
++ }
++
++ cupsdSetJobState(job, IPP_JOB_ABORTED, CUPSD_JOB_DEFAULT, NULL);
++
++ return ;
++ }
++ }
++ }
++#endif /* WITH_LSPP */
++
+ /*
+ * Now start the first file in the job...
+ */
+diff -up cups-2.3.0/scheduler/job.h.lspp cups-2.3.0/scheduler/job.h
+--- cups-2.3.0/scheduler/job.h.lspp 2019-08-23 17:19:38.000000000 +0200
++++ cups-2.3.0/scheduler/job.h 2019-10-07 12:29:54.364371023 +0200
+@@ -7,6 +7,13 @@
+ * Licensed under Apache License v2.0. See the file "LICENSE" for more information.
+ */
+
++/* Copyright (C) 2005 Trusted Computer Solutions, Inc. */
++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
++
++#ifdef WITH_LSPP
++#include
++#endif /* WITH_LSPP */
++
+ /*
+ * Constants...
+ */
+@@ -84,6 +91,10 @@ struct cupsd_job_s /**** Job request *
+ int progress; /* Printing progress */
+ int num_keywords; /* Number of PPD keywords */
+ cups_option_t *keywords; /* PPD keywords */
++#ifdef WITH_LSPP
++ security_context_t scon; /* Security context of job */
++ uid_t auid; /* Audit loginuid for this job */
++#endif /* WITH_LSPP */
+ };
+
+ typedef struct cupsd_joblog_s /**** Job log message ****/
+diff -up cups-2.3.0/scheduler/main.c.lspp cups-2.3.0/scheduler/main.c
+--- cups-2.3.0/scheduler/main.c.lspp 2019-10-07 12:24:43.037597616 +0200
++++ cups-2.3.0/scheduler/main.c 2019-10-07 12:24:43.119597037 +0200
+@@ -57,6 +57,9 @@
+ # include
+ #endif /* HAVE_SYS_PARAM_H */
+
++#ifdef WITH_LSPP
++# include
++#endif /* WITH_LSPP */
+
+ /*
+ * Local functions...
+@@ -123,6 +126,9 @@ main(int argc, /* I - Number of comm
+ #if defined(HAVE_SIGACTION) && !defined(HAVE_SIGSET)
+ struct sigaction action; /* Actions for POSIX signals */
+ #endif /* HAVE_SIGACTION && !HAVE_SIGSET */
++#if WITH_LSPP
++ auditfail_t failmode; /* Action for audit_open failure */
++#endif /* WITH_LSPP */
+ #ifdef __APPLE__
+ int use_sysman = 1; /* Use system management functions? */
+ #else
+@@ -495,6 +501,25 @@ main(int argc, /* I - Number of comm
+ exit(errno);
+ }
+
++#ifdef WITH_LSPP
++ if ((AuditLog = audit_open()) < 0 )
++ {
++ if (get_auditfail_action(&failmode) == 0)
++ {
++ if (failmode == FAIL_LOG)
++ {
++ cupsdLogMessage(CUPSD_LOG_ERROR, "Unable to connect to audit subsystem.");
++ AuditLog = -1;
++ }
++ else if (failmode == FAIL_TERMINATE)
++ {
++ fprintf(stderr, "cupsd: unable to start auditing, terminating");
++ return -1;
++ }
++ }
++ }
++#endif /* WITH_LSPP */
++
+ /*
+ * Let the system know we are busy while we bring up cupsd...
+ */
+@@ -1201,6 +1226,11 @@ main(int argc, /* I - Number of comm
+
+ cupsdStopSelect();
+
++#ifdef WITH_LSPP
++ if (AuditLog != -1)
++ audit_close(AuditLog);
++#endif /* WITH_LSPP */
++
+ return (!stop_scheduler);
+ }
+
+diff -up cups-2.3.0/scheduler/printers.c.lspp cups-2.3.0/scheduler/printers.c
+--- cups-2.3.0/scheduler/printers.c.lspp 2019-08-23 17:19:38.000000000 +0200
++++ cups-2.3.0/scheduler/printers.c 2019-10-07 12:29:17.956658129 +0200
+@@ -8,6 +8,8 @@
+ * information.
+ */
+
++/* (c) Copyright 2005-2006 Hewlett-Packard Development Company, L.P. */
++
+ /*
+ * Include necessary headers...
+ */
+@@ -32,6 +34,10 @@
+ # include
+ #endif /* __APPLE__ */
+
++#ifdef WITH_LSPP
++# include
++# include
++#endif /* WITH_LSPP */
+
+ /*
+ * Local functions...
+@@ -2252,6 +2258,13 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)
+ ipp_attribute_t *attr; /* Attribute data */
+ char *name, /* Current user/group name */
+ *filter; /* Current filter */
++#ifdef WITH_LSPP
++ char *audit_message; /* Audit message string */
++ char *printerfile; /* Path to a local printer dev */
++ char *rangestr; /* Printer's range if its available */
++ security_context_t devcon; /* Printer SELinux context */
++ context_t printercon; /* context_t for the printer */
++#endif /* WITH_LSPP */
+
+
+ /*
+@@ -2378,6 +2391,45 @@ cupsdSetPrinterAttrs(cupsd_printer_t *p)
+ attr->values[1].string.text = _cupsStrAlloc(Classification ?
+ Classification : p->job_sheets[1]);
+ }
++#ifdef WITH_LSPP
++ if (AuditLog != -1)
++ {
++ audit_message = NULL;
++ rangestr = NULL;
++ printercon = 0;
++ printerfile = strstr(p->device_uri, "/dev/");
++ if (printerfile == NULL && (strncmp(p->device_uri, "file:/", 6) == 0))
++ printerfile = p->device_uri + strlen("file:");
++
++ if (printerfile != NULL)
++ {
++ if (getfilecon(printerfile, &devcon) == -1)
++ {
++ if(is_selinux_enabled())
++ cupsdLogMessage(CUPSD_LOG_DEBUG, "cupsdSetPrinterAttrs: Unable to get printer context");
++ }
++ else
++ {
++ printercon = context_new(devcon);
++ freecon(devcon);
++ }
++ }
++
++ if (printercon && context_range_get(printercon))
++ rangestr = strdup(context_range_get(printercon));
++ else
++ rangestr = strdup("unknown");
++
++ cupsdSetStringf(&audit_message, "printer=%s uri=%s banners=%s,%s range=%s",
++ p->name, p->sanitized_device_uri, p->job_sheets[0], p->job_sheets[1], rangestr);
++ audit_log_user_message(AuditLog, AUDIT_LABEL_LEVEL_CHANGE, audit_message,
++ ServerName, NULL, NULL, 1);
++ if (printercon)
++ context_free(printercon);
++ free(rangestr);
++ cupsdClearString(&audit_message);
++ }
++#endif /* WITH_LSPP */
+ }
+
+ p->raw = 0;
diff --git a/SOURCES/cups-multilib.patch b/SOURCES/cups-multilib.patch
new file mode 100644
index 0000000..c8d5686
--- /dev/null
+++ b/SOURCES/cups-multilib.patch
@@ -0,0 +1,14 @@
+diff -up cups-2.3.0/cups-config.in.multilib cups-2.3.0/cups-config.in
+--- cups-2.3.0/cups-config.in.multilib 2019-10-07 12:10:09.508859587 +0200
++++ cups-2.3.0/cups-config.in 2019-10-07 12:11:56.614025934 +0200
+@@ -17,7 +17,9 @@ prefix=@prefix@
+ exec_prefix=@exec_prefix@
+ bindir=@bindir@
+ includedir=@includedir@
+-libdir=@libdir@
++# Fetch libdir from gnutls's pkg-config script. This is a bit
++# of a cheat, but the cups-devel package requires gnutls-devel anyway.
++libdir=`pkg-config --variable=libdir gnutls`
+ datarootdir=@datadir@
+ datadir=@datadir@
+ sysconfdir=@sysconfdir@
diff --git a/SOURCES/cups-no-export-ssllibs.patch b/SOURCES/cups-no-export-ssllibs.patch
new file mode 100644
index 0000000..14b4426
--- /dev/null
+++ b/SOURCES/cups-no-export-ssllibs.patch
@@ -0,0 +1,10 @@
+diff -up cups-2.2b2/config-scripts/cups-ssl.m4.no-export-ssllibs cups-2.2b2/config-scripts/cups-ssl.m4
+--- cups-2.2b2/config-scripts/cups-ssl.m4.no-export-ssllibs 2016-06-27 15:06:22.299980753 +0200
++++ cups-2.2b2/config-scripts/cups-ssl.m4 2016-06-27 15:08:00.953154042 +0200
+@@ -102,5 +102,5 @@ AC_SUBST(IPPALIASES)
+ AC_SUBST(SSLFLAGS)
+ AC_SUBST(SSLLIBS)
+
+-EXPORT_SSLLIBS="$SSLLIBS"
++EXPORT_SSLLIBS=""
+ AC_SUBST(EXPORT_SSLLIBS)
diff --git a/SOURCES/cups-nssuserlookup-target.patch b/SOURCES/cups-nssuserlookup-target.patch
new file mode 100644
index 0000000..35eff69
--- /dev/null
+++ b/SOURCES/cups-nssuserlookup-target.patch
@@ -0,0 +1,13 @@
+diff --git a/scheduler/cups.service.in b/scheduler/cups.service.in
+index a3fa0e8..baff51b 100644
+--- a/scheduler/cups.service.in
++++ b/scheduler/cups.service.in
+@@ -1,7 +1,7 @@
+ [Unit]
+ Description=CUPS Scheduler
+ Documentation=man:cupsd(8)
+-After=network.target sssd.service ypbind.service nslcd.service
++After=network.target nss-user-lookup.target nslcd.service
+ Requires=cups.socket
+
+ [Service]
diff --git a/SOURCES/cups-restart-job-hold-until.patch b/SOURCES/cups-restart-job-hold-until.patch
new file mode 100644
index 0000000..d235518
--- /dev/null
+++ b/SOURCES/cups-restart-job-hold-until.patch
@@ -0,0 +1,20 @@
+diff --git a/scheduler/ipp.c b/scheduler/ipp.c
+index e0dbc4a..5e9a985 100644
+--- a/scheduler/ipp.c
++++ b/scheduler/ipp.c
+@@ -9891,11 +9891,10 @@ restart_job(cupsd_client_t *con, /* I - Client connection */
+ cupsdLogJob(job, CUPSD_LOG_DEBUG,
+ "Restarted by \"%s\" with job-hold-until=%s.",
+ username, attr->values[0].string.text);
+- cupsdSetJobHoldUntil(job, attr->values[0].string.text, 0);
+-
+- cupsdAddEvent(CUPSD_EVENT_JOB_CONFIG_CHANGED | CUPSD_EVENT_JOB_STATE,
+- NULL, job, "Job restarted by user with job-hold-until=%s",
+- attr->values[0].string.text);
++ cupsdSetJobHoldUntil(job, attr->values[0].string.text, 1);
++ cupsdSetJobState(job, IPP_JOB_HELD, CUPSD_JOB_DEFAULT,
++ "Job restarted by user with job-hold-until=%s",
++ attr->values[0].string.text);
+ }
+ else
+ {
diff --git a/SOURCES/cups-system-auth.patch b/SOURCES/cups-system-auth.patch
new file mode 100644
index 0000000..60117a9
--- /dev/null
+++ b/SOURCES/cups-system-auth.patch
@@ -0,0 +1,38 @@
+diff -up cups-1.5b1/conf/cups.password-auth.system-auth cups-1.5b1/conf/cups.password-auth
+--- cups-1.5b1/conf/cups.password-auth.system-auth 2011-05-23 17:27:27.000000000 +0200
++++ cups-1.5b1/conf/cups.password-auth 2011-05-23 17:27:27.000000000 +0200
+@@ -0,0 +1,4 @@
++#%PAM-1.0
++# Use password-auth common PAM configuration for the daemon
++auth include password-auth
++account include password-auth
+diff -up cups-1.5b1/conf/cups.system-auth.system-auth cups-1.5b1/conf/cups.system-auth
+--- cups-1.5b1/conf/cups.system-auth.system-auth 2011-05-23 17:27:27.000000000 +0200
++++ cups-1.5b1/conf/cups.system-auth 2011-05-23 17:27:27.000000000 +0200
+@@ -0,0 +1,3 @@
++#%PAM-1.0
++auth include system-auth
++account include system-auth
+diff -up cups-1.5b1/conf/Makefile.system-auth cups-1.5b1/conf/Makefile
+--- cups-1.5b1/conf/Makefile.system-auth 2011-05-12 07:21:56.000000000 +0200
++++ cups-1.5b1/conf/Makefile 2011-05-23 17:27:27.000000000 +0200
+@@ -90,10 +90,16 @@ install-data:
+ done
+ -if test x$(PAMDIR) != x; then \
+ $(INSTALL_DIR) -m 755 $(BUILDROOT)$(PAMDIR); \
+- if test -r $(BUILDROOT)$(PAMDIR)/cups ; then \
+- $(INSTALL_DATA) $(PAMFILE) $(BUILDROOT)$(PAMDIR)/cups.N ; \
++ if test -f /etc/pam.d/password-auth; then \
++ $(INSTALL_DATA) cups.password-auth $(BUILDROOT)$(PAMDIR)/cups; \
++ elif test -f /etc/pam.d/system-auth; then \
++ $(INSTALL_DATA) cups.system-auth $(BUILDROOT)$(PAMDIR)/cups; \
+ else \
+- $(INSTALL_DATA) $(PAMFILE) $(BUILDROOT)$(PAMDIR)/cups ; \
++ if test -r $(BUILDROOT)$(PAMDIR)/cups ; then \
++ $(INSTALL_DATA) $(PAMFILE) $(BUILDROOT)$(PAMDIR)/cups.N ; \
++ else \
++ $(INSTALL_DATA) $(PAMFILE) $(BUILDROOT)$(PAMDIR)/cups ; \
++ fi ; \
+ fi ; \
+ fi
+
diff --git a/SOURCES/cups-uri-compat.patch b/SOURCES/cups-uri-compat.patch
new file mode 100644
index 0000000..2520a5b
--- /dev/null
+++ b/SOURCES/cups-uri-compat.patch
@@ -0,0 +1,51 @@
+diff -up cups-1.5b1/backend/usb-unix.c.uri-compat cups-1.5b1/backend/usb-unix.c
+--- cups-1.5b1/backend/usb-unix.c.uri-compat 2011-05-24 15:59:05.000000000 +0200
++++ cups-1.5b1/backend/usb-unix.c 2011-05-24 16:02:03.000000000 +0200
+@@ -63,11 +63,34 @@ print_device(const char *uri, /* I - De
+ int device_fd; /* USB device */
+ ssize_t tbytes; /* Total number of bytes written */
+ struct termios opts; /* Parallel port options */
++ char *fixed_uri = strdup (uri);
++ char *p;
+
+
+ (void)argc;
+ (void)argv;
+
++ p = strchr (fixed_uri, ':');
++ if (p++ != NULL)
++ {
++ char *e;
++ p += strspn (p, "/");
++ e = strchr (p, '/');
++ if (e > p)
++ {
++ size_t mfrlen = e - p;
++ e++;
++ if (!strncasecmp (e, p, mfrlen))
++ {
++ char *x = e + mfrlen;
++ if (!strncmp (x, "%20", 3))
++ /* Take mfr name out of mdl name for compatibility with
++ * Fedora 11 before bug #507244 was fixed. */
++ strcpy (e, x + 3); puts(fixed_uri);
++ }
++ }
++ }
++
+ /*
+ * Open the USB port device...
+ */
+@@ -107,10 +130,10 @@ print_device(const char *uri, /* I - De
+ _cups_strncasecmp(hostname, "Minolta", 7);
+ #endif /* __FreeBSD__ || __NetBSD__ || __OpenBSD__ || __DragonFly__ */
+
+- if (use_bc && !strncmp(uri, "usb:/dev/", 9))
++ if (use_bc && !strncmp(fixed_uri, "usb:/dev/", 9))
+ use_bc = 0;
+
+- if ((device_fd = open_device(uri, &use_bc)) == -1)
++ if ((device_fd = open_device(fixed_uri, &use_bc)) == -1)
+ {
+ if (getenv("CLASS") != NULL)
+ {
diff --git a/SOURCES/cups-usb-paperout.patch b/SOURCES/cups-usb-paperout.patch
new file mode 100644
index 0000000..f1f73f0
--- /dev/null
+++ b/SOURCES/cups-usb-paperout.patch
@@ -0,0 +1,52 @@
+diff -up cups-1.5b1/backend/usb-unix.c.usb-paperout cups-1.5b1/backend/usb-unix.c
+--- cups-1.5b1/backend/usb-unix.c.usb-paperout 2011-05-24 15:51:39.000000000 +0200
++++ cups-1.5b1/backend/usb-unix.c 2011-05-24 15:51:39.000000000 +0200
+@@ -30,6 +30,11 @@
+
+ #include
+
++#ifdef __linux
++#include
++#include
++#endif /* __linux */
++
+
+ /*
+ * Local functions...
+@@ -334,7 +339,19 @@ open_device(const char *uri, /* I - Dev
+ if (!strncmp(uri, "usb:/dev/", 9))
+ #ifdef __linux
+ {
+- return (open(uri + 4, O_RDWR | O_EXCL));
++ fd = open(uri + 4, O_RDWR | O_EXCL);
++
++ if (fd != -1)
++ {
++ /*
++ * Tell the driver to return from write() with errno==ENOSPACE
++ * on paper-out.
++ */
++ unsigned int t = 1;
++ ioctl (fd, LPABORT, &t);
++ }
++
++ return fd;
+ }
+ else if (!strncmp(uri, "usb://", 6))
+ {
+@@ -400,7 +417,14 @@ open_device(const char *uri, /* I - Dev
+ if (!strcmp(uri, device_uri))
+ {
+ /*
+- * Yes, return this file descriptor...
++ * Yes, tell the driver to return from write() with
++ * errno==ENOSPACE on paper-out.
++ */
++ unsigned int t = 1;
++ ioctl (fd, LPABORT, &t);
++
++ /*
++ * Return this file descriptor...
+ */
+
+ fprintf(stderr, "DEBUG: Printer using device file \"%s\"...\n",
diff --git a/SOURCES/cups-validate-1st.patch b/SOURCES/cups-validate-1st.patch
new file mode 100644
index 0000000..36ca30c
--- /dev/null
+++ b/SOURCES/cups-validate-1st.patch
@@ -0,0 +1,27 @@
+diff -up cups-2.3.3op2/backend/ipp.c.validate-retry cups-2.3.3op2/backend/ipp.c
+--- cups-2.3.3op2/backend/ipp.c.validate-retry 2021-03-11 12:55:46.461135739 +0100
++++ cups-2.3.3op2/backend/ipp.c 2021-03-11 13:29:09.312859343 +0100
+@@ -256,6 +256,7 @@ main(int argc, /* I - Number of comm
+ get_job_attrs = 0, /* Does printer support Get-Job-Attributes? */
+ send_document = 0, /* Does printer support Send-Document? */
+ validate_job = 0, /* Does printer support Validate-Job? */
++ validation_retried = 0, /* Indicate whether Validate-Job was retried */
+ copies, /* Number of copies for job */
+ copies_remaining; /* Number of copies remaining */
+ const char *content_type, /* CONTENT_TYPE environment variable */
+@@ -1559,7 +1560,15 @@ main(int argc, /* I - Number of comm
+ ipp_status == IPP_STATUS_ERROR_BAD_REQUEST)
+ break;
+ else if (job_auth == NULL && ipp_status > IPP_STATUS_ERROR_BAD_REQUEST)
++ {
++ if (!validation_retried)
++ {
++ validation_retried = 1;
++ sleep(10);
++ continue;
++ }
+ goto cleanup;
++ }
+ }
+
+ /*
diff --git a/SOURCES/cups-web-devices-timeout.patch b/SOURCES/cups-web-devices-timeout.patch
new file mode 100644
index 0000000..fa3a320
--- /dev/null
+++ b/SOURCES/cups-web-devices-timeout.patch
@@ -0,0 +1,19 @@
+diff -up cups-1.7rc1/cgi-bin/admin.c.web-devices-timeout cups-1.7rc1/cgi-bin/admin.c
+--- cups-1.7rc1/cgi-bin/admin.c.web-devices-timeout 2013-05-29 12:51:34.000000000 +0100
++++ cups-1.7rc1/cgi-bin/admin.c 2013-08-16 16:01:17.308264287 +0100
+@@ -1019,13 +1019,13 @@ do_am_printer(http_t *http, /* I - HTTP
+ }
+
+ /*
+- * Scan for devices for up to 30 seconds...
++ * Scan for devices for up to 10 seconds...
+ */
+
+ fputs("DEBUG: Getting list of devices...\n", stderr);
+
+ current_device = 0;
+- if (cupsGetDevices(http, 5, CUPS_INCLUDE_ALL, CUPS_EXCLUDE_NONE,
++ if (cupsGetDevices(http, 10, CUPS_INCLUDE_ALL, CUPS_EXCLUDE_NONE,
+ (cups_device_cb_t)choose_device_cb,
+ (void *)title) == IPP_OK)
+ {
diff --git a/SOURCES/macros.cups b/SOURCES/macros.cups
new file mode 100644
index 0000000..5b560d9
--- /dev/null
+++ b/SOURCES/macros.cups
@@ -0,0 +1 @@
+%_cups_serverbin %(/usr/bin/cups-config --serverbin)
diff --git a/SPECS/cups.spec b/SPECS/cups.spec
new file mode 100644
index 0000000..8b0b442
--- /dev/null
+++ b/SPECS/cups.spec
@@ -0,0 +1,3946 @@
+%global use_alternatives 1
+%global lspp 1
+
+# {_exec_prefix}/lib/cups is correct, even on x86_64.
+# It is not used for shared objects but for executables.
+# It's more of a libexec-style ({_libexecdir}) usage,
+# but we use lib for compatibility with 3rd party drivers (at upstream request).
+%global cups_serverbin %{_exec_prefix}/lib/cups
+
+#%%global prever rc1
+#%%global VERSION %%{version}%%{prever}
+%global VERSION %{version}
+# Openprinting version
+%global OP_VER op2
+
+Summary: CUPS printing system
+Name: cups
+Epoch: 1
+Version: 2.3.3%{OP_VER}
+Release: 13%{?dist}
+License: ASL 2.0
+Url: http://www.cups.org/
+# Apple stopped uploading the new versions into github, use OpenPrinting fork
+Source0: https://github.com/OpenPrinting/cups/releases/download/v%{VERSION}/cups-%{VERSION}-source.tar.gz
+# Pixmap for desktop file
+Source1: cupsprinter.png
+# cups_serverbin macro definition for use during builds
+Source2: macros.cups
+
+# PAM enablement, very old patch, not even git can track when or why
+# the patch was added.
+Patch1: cups-system-auth.patch
+# cups-config from devel package conflicted on multilib arches,
+# fixed hack with pkg-config calling for gnutls' libdir variable
+Patch2: cups-multilib.patch
+# if someone makes a change to banner files, then there will .rpmnew
+# with next update of cups-filters - this patch makes sure the banner file
+# changed by user is used and .rpmnew or .rpmsave is ignored
+# Note: This could be rewrite with use a kind of #define and send to upstream
+Patch3: cups-banners.patch
+# don't export ssl libs to cups-config - can't find the reason.
+Patch4: cups-no-export-ssllibs.patch
+# enables old uri usb:/dev/usb/lp0 - leave it here for users of old printers
+Patch5: cups-direct-usb.patch
+# when system workload is high, timeout for cups-driverd can be reached -
+# increase the timeout
+Patch6: cups-driverd-timeout.patch
+# usb backend didn't get any notification about out-of-paper because of kernel
+Patch7: cups-usb-paperout.patch
+# uri compatibility with old Fedoras
+Patch8: cups-uri-compat.patch
+# use IP_FREEBIND, because cupsd cannot bind to not yet existing IP address
+# by default
+Patch9: cups-freebind.patch
+# add support of multifile
+Patch10: cups-ipp-multifile.patch
+# prolongs web ui timeout
+Patch11: cups-web-devices-timeout.patch
+# failover backend for implementing failover functionality
+# TODO: move it to the cups-filters upstream
+Patch12: cups-failover-backend.patch
+# add device id for dymo printer
+Patch13: cups-dymo-deviceid.patch
+# add [Job N] in logs
+Patch14: cups-logs.patch
+
+%if %{lspp}
+# selinux and audit enablement for CUPS - needs work and CUPS upstream wants
+# to have these features implemented their way in the future
+Patch100: cups-lspp.patch
+%endif
+
+#### UPSTREAM PATCHES (starts with 1000) ####
+# 1949053 - CUPS doesn't start if sssd starts after cupsd
+Patch15: cups-nssuserlookup-target.patch
+# 1960160 - PreserveJobHistory/JobFiles aren't applied after
+# the first cupsd restart right after successful print
+Patch16: cups-cleanfiles.patch
+# 1949067 - Print queue is paused after ipp backend ends with CUPS_BACKEND_STOP
+Patch17: cups-validate-1st.patch
+# 2018948 - Unauthenticated users can't move print jobs in Web UI
+Patch18: 0001-cgi-bin-ipp-var.c-Use-guest-user-for-Move-Job-when-n.patch
+# 1999955 - Printing of banner before PCL file only prints banner
+Patch19: 0001-scheduler-job.c-use-gziptoany-for-raw-files-not-just.patch
+# 2006713 - Trying to restart and hold a job doesn't work
+Patch20: cups-restart-job-hold-until.patch
+# 2022365 - Annocheck fails due incorrect flags during compilation/linking
+Patch21: cups-fstack-strong.patch
+# 2019842 - Add more warning messages about drivers going deprecated
+Patch22: cups-deprecate-drivers.patch
+# 2018955 - RFE: Implement IdleExitTimeout configuration during build
+Patch23: 0001-Add-with-idle-exit-timeout-configure-option.patch
+# 2018951 - RFE: Implement TimeoutStartSec configuration during build
+Patch24: 0001-Add-with-systemd-timeoutstartsec-configure-option.patch
+# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
+Patch25: cups-fips-restrict-md5.patch
+# Memory leak fixes (bug #1964975)
+# https://github.com/OpenPrinting/cups/pull/322
+Patch26: 0001-cups-http-encode-memleaks-fixes-issue-322.patch
+
+
+##### Patches removed because IMHO they aren't no longer needed
+##### but still I'll leave them in git in case their removal
+##### breaks something.
+
+
+BuildRequires: automake
+# gcc and gcc-c++ is no longer in buildroot by default
+# gcc for most of files
+BuildRequires: gcc
+# gcc-c++ for ppdc and cups-driverd
+Buildrequires: gcc-c++
+BuildRequires: krb5-devel
+BuildRequires: libacl-devel
+# make is used for compilation
+BuildRequires: make
+BuildRequires: openldap-devel
+BuildRequires: pam-devel
+BuildRequires: pkgconf-pkg-config
+BuildRequires: pkgconfig(avahi-client)
+BuildRequires: pkgconfig(dbus-1)
+BuildRequires: pkgconfig(gnutls)
+BuildRequires: pkgconfig(libsystemd)
+BuildRequires: pkgconfig(libusb-1.0)
+# Make sure we get postscriptdriver tags.
+BuildRequires: python3-cups
+BuildRequires: systemd
+# needed for systemd rpm macros according FPG
+BuildRequires: systemd-rpm-macros
+# needed for decompressing functions when reading from gzipped ppds
+BuildRequires: zlib-devel
+
+%if %{lspp}
+BuildRequires: libselinux-devel
+BuildRequires: audit-libs-devel
+%endif
+
+# getaddrinfo from glibc needs nss-mdns or systemd-resolved for resolving
+# mdns .local addresses. Don't require a specific package for now and let
+# the user to decide what to use
+# just recommend nss-mdns for Fedora for now to have working default, but
+# don't hardwire it for resolved users
+%if 0%{?fedora}
+Recommends: nss-mdns
+%endif
+# avahi is needed for mDNS discovery and sharing queues
+Recommends: avahi
+
+# We ship udev rules which use setfacl.
+Requires: acl
+Requires: %{name}-client%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}-filesystem = %{epoch}:%{version}-%{release}
+# Make sure we have some filters for converting to raster format.
+Requires: cups-filters
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: dbus
+Requires: systemd
+
+# Requires working PrivateTmp (bug #807672)
+Requires(pre): systemd
+Requires(post): systemd
+Requires(post): grep, sed
+Requires(preun): systemd
+Requires(postun): systemd
+
+
+%package client
+Summary: CUPS printing system - client programs
+License: GPLv2
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+%if %{use_alternatives}
+Provides: /usr/bin/lpq /usr/bin/lpr /usr/bin/lp /usr/bin/cancel /usr/bin/lprm /usr/bin/lpstat
+Requires: /usr/sbin/alternatives
+%endif
+Provides: lpr
+
+%package devel
+Summary: CUPS printing system - development environment
+License: LGPLv2
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: gnutls-devel
+Requires: krb5-devel
+Requires: zlib-devel
+
+%package libs
+Summary: CUPS printing system - libraries
+License: LGPLv2 and zlib
+
+%package filesystem
+Summary: CUPS printing system - directory layout
+BuildArch: noarch
+
+%package lpd
+Summary: CUPS printing system - lpd emulation
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Provides: lpd
+
+%package ipptool
+Summary: CUPS printing system - tool for performing IPP requests
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+# ippfind needs avahi for printer discovery
+Requires: avahi
+# mdns address resolver (nss-mdns or systemd-resolved) is needed too,
+# but don't require a specific package for now and let the user to choose
+# what to use
+# just recommend nss-mdns for Fedora for now to have working default, but
+# don't hardwire it for resolved users
+%if 0%{?fedora}
+Recommends: nss-mdns
+%endif
+
+%package printerapp
+Summary: CUPS printing system - tools for printer application
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+# ippeveprinter needs avahi for registering and sharing printer
+Requires: avahi
+# mdns address resolver (nss-mdns or systemd-resolved) is needed too,
+# but don't require a specific package for now and let the user to choose
+# what to use
+# just recommend nss-mdns for Fedora for now to have working default, but
+# don't hardwire it for resolved users
+%if 0%{?fedora}
+Recommends: nss-mdns
+%endif
+
+%description
+CUPS printing system provides a portable printing layer for
+UNIX® operating systems. It has been developed by Apple Inc.
+to promote a standard printing solution for all UNIX vendors and users.
+CUPS provides the System V and Berkeley command-line interfaces.
+
+%description client
+CUPS printing system provides a portable printing layer for
+UNIX® operating systems. This package contains command-line client
+programs.
+
+%description devel
+CUPS printing system provides a portable printing layer for
+UNIX® operating systems. This is the development package for creating
+additional printer drivers, and other CUPS services.
+
+%description libs
+CUPS printing system provides a portable printing layer for
+UNIX® operating systems. It has been developed by Apple Inc.
+to promote a standard printing solution for all UNIX vendors and users.
+CUPS provides the System V and Berkeley command-line interfaces.
+The cups-libs package provides libraries used by applications to use CUPS
+natively, without needing the lp/lpr commands.
+
+%description filesystem
+CUPS printing system provides a portable printing layer for
+UNIX® operating systems. This package provides some directories which are
+required by other packages that add CUPS drivers (i.e. filters, backends etc.).
+
+%description lpd
+CUPS printing system provides a portable printing layer for
+UNIX® operating systems. This is the package that provides standard
+lpd emulation.
+
+%description ipptool
+Sends IPP requests to the specified URI and tests and/or displays the results.
+
+%description printerapp
+Provides IPP everywhere printer application ippeveprinter and tools for printing
+PostScript and HP PCL document formats - ippevepcl and ippeveps. The printer
+application enables older printers for IPP everywhere standard - so if older printer
+is installed with a printer application, its print queue acts as IPP everywhere printer
+to CUPS daemon. This solution will substitute printer drivers and raw queues in the future.
+
+%prep
+%setup -q -n cups-%{VERSION}
+# Use the system pam configuration.
+%patch1 -p1 -b .system-auth
+# Prevent multilib conflict in cups-config script.
+%patch2 -p1 -b .multilib
+# Ignore rpm save/new files in the banners directory.
+%patch3 -p1 -b .banners
+# Don't export SSLLIBS to cups-config.
+%patch4 -p1 -b .no-export-ssllibs
+# Allow file-based usb device URIs.
+%patch5 -p1 -b .direct-usb
+# Increase driverd timeout to 70s to accommodate foomatic (bug #744715).
+%patch6 -p1 -b .driverd-timeout
+# Support for errno==ENOSPACE-based USB paper-out reporting.
+%patch7 -p1 -b .usb-paperout
+# Allow the usb backend to understand old-style URI formats.
+%patch8 -p1 -b .uri-compat
+# Use IP_FREEBIND socket option when binding listening sockets (bug #970809).
+%patch9 -p1 -b .freebind
+# Fixes for jobs with multiple files and multiple formats.
+%patch10 -p1 -b .ipp-multifile
+# Increase web interface get-devices timeout to 10s (bug #996664).
+%patch11 -p1 -b .web-devices-timeout
+# Add failover backend (bug #1689209)
+%patch12 -p1 -b .failover
+# Added IEEE 1284 Device ID for a Dymo device (bug #747866).
+%patch13 -p1 -b .dymo-deviceid
+
+# UPSTREAM PATCHES
+# add [Job N] to logs
+%patch14 -p1 -b .logs
+# 1949053 - CUPS doesn't start if sssd starts after cupsd
+%patch15 -p1 -b .nsslookup
+# 1960160 - PreserveJobHistory/JobFiles aren't applied after
+# the first cupsd restart right after successful print
+%patch16 -p1 -b .cleanfiles
+# 1949067 - Print queue is paused after ipp backend ends with CUPS_BACKEND_STOP
+%patch17 -p1 -b .validate-retry
+# 2018948 - Unauthenticated users can't move print jobs in Web UI
+%patch18 -p1 -b .move-job
+# 1999955 - Printing of banner before PCL file only prints banner
+%patch19 -p1 -b .banner-rawfiles
+# 2006713 - Trying to restart and hold a job doesn't work
+%patch20 -p1 -b .restart-hold-job
+# 2022365 - Annocheck fails due incorrect flags during compilation/linking
+%patch21 -p1 -b .fstack-strong
+# 2019842 - Add more warning messages about drivers going deprecated
+%patch22 -p1 -b .deprecate-warnings
+# 2018955 - RFE: Implement IdleExitTimeout configuration during build
+%patch23 -p1 -b .idleexittimeout
+# 2018951 - RFE: Implement TimeoutStartSec configuration during build
+%patch24 -p1 -b .conf-timeoutstartsec
+# 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
+%patch25 -p1 -b .restrict-md5
+# 1964975 - Memory leak fixes
+%patch26 -p1 -b .memleak-fixes
+
+
+%if %{lspp}
+# LSPP support.
+%patch100 -p1 -b .lspp
+%endif
+
+
+# Log to the system journal by default (bug #1078781, bug #1519331).
+sed -i -e 's,^ErrorLog .*$,ErrorLog syslog,' conf/cups-files.conf.in
+sed -i -e 's,^AccessLog .*$,AccessLog syslog,' conf/cups-files.conf.in
+sed -i -e 's,^PageLog .*,PageLog syslog,' conf/cups-files.conf.in
+
+# Let's look at the compilation command lines.
+perl -pi -e "s,^.SILENT:,," Makedefs.in
+
+# remove this once we don't have any patches changing configure stuff
+aclocal -I config-scripts
+autoconf -f -I config-scripts
+
+%build
+# cups can use different compiler if it is installed, so set to GCC for to be sure
+export CC=%{__cc}
+export CXX=%{__cxx}
+# add Fedora specific flags to DSOFLAGS
+export DSOFLAGS="$DSOFLAGS $RPM_LD_FLAGS"
+export CFLAGS="$CFLAGS $RPM_OPT_FLAGS -DLDAP_DEPRECATED=1"
+export CXXFLAGS="$CXXFLAGS $RPM_OPT_FLAGS -DLDAP_DEPRECATED=1"
+export LDFLAGS="$LDFLAGS $RPM_LD_FLAGS -Wall -fstack-clash-protection -D_FORTIFY_SOURCE=2"
+# --enable-debug to avoid stripping binaries
+%configure --with-docdir=%{_datadir}/%{name}/www --enable-debug \
+%if %{lspp}
+ --enable-lspp \
+%endif
+ --with-exe-file-perm=0755 \
+ --with-cupsd-file-perm=0755 \
+ --with-log-file-perm=0600 \
+ --enable-relro \
+ --with-dbusdir=%{_sysconfdir}/dbus-1 \
+ --with-php=/usr/bin/php-cgi \
+ --enable-avahi \
+ --enable-threads \
+ --enable-gnutls \
+ --enable-webif \
+ --with-xinetd=no \
+ --with-access-log-level=actions \
+ --enable-page-logging \
+ --with-rundir=%{_rundir}/cups \
+ --enable-sync-on-close \
+%if 0%{?rhel}
+ --without-idle-exit-timeout \
+ --without-systemd-timeoutstartsec \
+%endif
+ localedir=%{_datadir}/locale
+
+# If we got this far, all prerequisite libraries must be here.
+%make_build
+
+%install
+# %%make_install macro results into permission error during install phase,
+# because it sets INSTALL env to 'install -p'.
+# use the old make invocation for now, fix this upstream when upstream will
+# have a time for github issues
+make install DESTDIR=%{buildroot}
+
+rm -rf %{buildroot}%{_initddir} \
+ %{buildroot}%{_sysconfdir}/init.d \
+ %{buildroot}%{_sysconfdir}/rc?.d
+mkdir -p %{buildroot}%{_unitdir}
+
+find %{buildroot}%{_datadir}/cups/model -name "*.ppd" |xargs gzip -n9f
+
+%if %{use_alternatives}
+pushd %{buildroot}%{_bindir}
+for i in cancel lp lpq lpr lprm lpstat; do
+ mv $i $i.cups
+done
+cd %{buildroot}%{_sbindir}
+mv lpc lpc.cups
+cd %{buildroot}%{_mandir}/man1
+for i in cancel lp lpq lpr lprm lpstat; do
+ mv $i.1 $i-cups.1
+done
+cd %{buildroot}%{_mandir}/man8
+mv lpc.8 lpc-cups.8
+popd
+%endif
+
+mkdir -p %{buildroot}%{_datadir}/pixmaps %{buildroot}%{_sysconfdir}/X11/sysconfig %{buildroot}%{_sysconfdir}/X11/applnk/System
+install -p -m 644 %{SOURCE1} %{buildroot}%{_datadir}/pixmaps
+
+# Ship an rpm macro for where to put driver executables.
+mkdir -p %{buildroot}%{_rpmconfigdir}/macros.d
+install -m 0644 %{SOURCE2} %{buildroot}%{_rpmconfigdir}/macros.d
+
+# Ship a printers.conf file, and a client.conf file. That way, they get
+# their SELinux file contexts set correctly.
+touch %{buildroot}%{_sysconfdir}/cups/printers.conf
+touch %{buildroot}%{_sysconfdir}/cups/classes.conf
+touch %{buildroot}%{_sysconfdir}/cups/client.conf
+touch %{buildroot}%{_sysconfdir}/cups/subscriptions.conf
+touch %{buildroot}%{_sysconfdir}/cups/lpoptions
+
+# deny MD5 digest authentication by default in client.conf
+cat > %{buildroot}%{_sysconfdir}/cups/client.conf < %{buildroot}%{_tmpfilesdir}/cups.conf < %{buildroot}%{_tmpfilesdir}/cups-lp.conf < %{buildroot}%{_unitdir}/cups.service.d/server.conf < %{name}.lang
+
+%post
+%systemd_post %{name}.path %{name}.socket %{name}.service
+
+# remove this after F36 is EOL
+# - previously the file was empty by default, so check whether the directive exists
+# and if not, add the directive+value
+# - we don't check for directive value in case some users already know they need MD5
+# Digest authentication, so we won't break their setup with every update
+# - ^\s* prevents matching comments and ignores whitespaces at the beginning
+grep '^\s*DigestOptions' %{_sysconfdir}/cups/client.conf &> /dev/null || echo 'DigestOptions DenyMD5' \
+>> %{_sysconfdir}/cups/client.conf
+
+# Because of moving logs to journal, we need to create placeholder files
+# at /var/log/cups for users, whose are going to install CUPS on new OS
+# machine with info message
+%if 0%{?rhel} > 7 || 0%{?fedora} > 27
+confignames=( "ErrorLog" "AccessLog" "PageLog" )
+lognames=( "error_log" "access_log" "page_log" )
+message="This CUPS log has been moved into journal by default unless changes have been made in /etc/cups/cups-files.conf. Log messages can be got by \"$ journalctl -u cups -e\""
+for ((i=0;i<${#confignames[@]};i++));
+do
+ found=`%{_bindir}/grep -i "${confignames[i]} syslog" /etc/cups/cups-files.conf`
+ if [ ! -z "$found" ]
+ then
+ if [ ! -f %{_localstatedir}/log/cups/${lognames[i]} ]
+ then
+ %{_bindir}/touch %{_localstatedir}/log/cups/${lognames[i]} || :
+ fi
+ perms=`%{_bindir}/ls -lah %{_localstatedir}/log/cups/${lognames[i]} | %{_bindir}/grep -v -e "\-rw-------" -e "root lp"`
+ if [ ! -z "$perms" ]
+ then
+ # we need to set correct permissions and ownership because of possible
+ # security issues
+ # we need to have it here, because previous CUPS releases had the bug.
+ # Checking permissions and ownership here fixes it.
+ %{_bindir}/chown root:lp %{_localstatedir}/log/cups/${lognames[i]} || :
+ %{_bindir}/chmod 600 %{_localstatedir}/log/cups/${lognames[i]} || :
+ fi
+ lastmessage=`%{_bindir}/tail -n 1 %{_localstatedir}/log/cups/${lognames[i]} | %{_bindir}/grep "$message"`
+ if [ -z "$lastmessage" ]
+ then
+ %{_bindir}/echo $message >> %{_localstatedir}/log/cups/${lognames[i]} || :
+ fi
+ fi
+done
+%endif
+
+exit 0
+
+%post client
+%if %{use_alternatives}
+/usr/sbin/alternatives --install %{_bindir}/lpr print %{_bindir}/lpr.cups 40 \
+ --slave %{_bindir}/lp print-lp %{_bindir}/lp.cups \
+ --slave %{_bindir}/lpq print-lpq %{_bindir}/lpq.cups \
+ --slave %{_bindir}/lprm print-lprm %{_bindir}/lprm.cups \
+ --slave %{_bindir}/lpstat print-lpstat %{_bindir}/lpstat.cups \
+ --slave %{_bindir}/cancel print-cancel %{_bindir}/cancel.cups \
+ --slave %{_sbindir}/lpc print-lpc %{_sbindir}/lpc.cups \
+ --slave %{_mandir}/man1/cancel.1.gz print-cancelman %{_mandir}/man1/cancel-cups.1.gz \
+ --slave %{_mandir}/man1/lp.1.gz print-lpman %{_mandir}/man1/lp-cups.1.gz \
+ --slave %{_mandir}/man8/lpc.8.gz print-lpcman %{_mandir}/man8/lpc-cups.8.gz \
+ --slave %{_mandir}/man1/lpq.1.gz print-lpqman %{_mandir}/man1/lpq-cups.1.gz \
+ --slave %{_mandir}/man1/lpr.1.gz print-lprman %{_mandir}/man1/lpr-cups.1.gz \
+ --slave %{_mandir}/man1/lprm.1.gz print-lprmman %{_mandir}/man1/lprm-cups.1.gz \
+ --slave %{_mandir}/man1/lpstat.1.gz print-lpstatman %{_mandir}/man1/lpstat-cups.1.gz || :
+%endif
+
+%post lpd
+%systemd_post cups-lpd.socket
+
+%ldconfig_scriptlets libs
+
+%preun
+%systemd_preun %{name}.path %{name}.socket %{name}.service
+
+%preun client
+%if %{use_alternatives}
+if [ $1 -eq 0 ] ; then
+ /usr/sbin/alternatives --remove print %{_bindir}/lpr.cups || :
+fi
+%endif
+
+%preun lpd
+%systemd_preun cups-lpd.socket
+
+%postun
+%systemd_postun_with_restart %{name}.path %{name}.socket %{name}.service
+
+%postun lpd
+%systemd_postun_with_restart cups-lpd.socket
+
+%triggerin -- samba-client
+ln -sf %{_libexecdir}/samba/cups_backend_smb %{cups_serverbin}/backend/smb || :
+
+%triggerun -- samba-client
+[ $2 = 0 ] || exit 0
+rm -f %{cups_serverbin}/backend/smb
+
+%files -f %{name}.lang
+%doc README.md CREDITS.md CHANGES.md
+%{_bindir}/cupstestppd
+%{_bindir}/ppd*
+%{_sbindir}/*
+# client subpackage
+%exclude %{_sbindir}/lpc.cups
+%dir %{cups_serverbin}/daemon
+%{cups_serverbin}/daemon/cups-deviced
+%{cups_serverbin}/daemon/cups-driverd
+%{cups_serverbin}/daemon/cups-exec
+%{cups_serverbin}/backend/*
+%{cups_serverbin}/cgi-bin
+%{cups_serverbin}/filter/*
+%{cups_serverbin}/monitor
+%{cups_serverbin}/notifier
+%{_datadir}/cups/drv/sample.drv
+%{_datadir}/cups/examples
+%{_datadir}/cups/mime/mime.types
+%{_datadir}/cups/mime/mime.convs
+%{_datadir}/cups/ppdc/*.defs
+%{_datadir}/cups/ppdc/*.h
+%dir %{_datadir}/cups/templates
+%{_datadir}/cups/templates/*.tmpl
+%dir %{_datadir}/cups/templates/de
+%{_datadir}/cups/templates/de/*.tmpl
+%dir %{_datadir}/cups/templates/es
+%{_datadir}/cups/templates/es/*.tmpl
+%dir %{_datadir}/cups/templates/fr
+%{_datadir}/cups/templates/fr/*.tmpl
+%dir %{_datadir}/cups/templates/ja
+%{_datadir}/cups/templates/ja/*.tmpl
+%dir %{_datadir}/cups/templates/pt_BR
+%{_datadir}/cups/templates/pt_BR/*.tmpl
+%dir %{_datadir}/cups/templates/ru
+%{_datadir}/cups/templates/ru/*.tmpl
+%dir %{_datadir}/%{name}/usb
+%{_datadir}/%{name}/usb/org.cups.usb-quirks
+%dir %{_datadir}/%{name}/www
+%{_datadir}/%{name}/www/images
+%{_datadir}/%{name}/www/*.css
+# 1658673 - html files cannot be docs, because CUPS web ui will not have
+# introduction page on Fedora Docker image (because rpms are installed
+# without docs there because of space reasons)
+%{_datadir}/%{name}/www/index.html
+%{_datadir}/%{name}/www/help
+%{_datadir}/%{name}/www/robots.txt
+%{_datadir}/%{name}/www/de/index.html
+%{_datadir}/%{name}/www/es/index.html
+%{_datadir}/%{name}/www/ja/index.html
+%{_datadir}/%{name}/www/ru/index.html
+%{_datadir}/%{name}/www/pt_BR/index.html
+%{_datadir}/%{name}/www/apple-touch-icon.png
+%dir %{_datadir}/%{name}/www/de
+%dir %{_datadir}/%{name}/www/es
+%dir %{_datadir}/%{name}/www/ja
+%dir %{_datadir}/%{name}/www/pt_BR
+%dir %{_datadir}/%{name}/www/ru
+%{_datadir}/pixmaps/cupsprinter.png
+%dir %attr(1770,root,lp) %{_localstatedir}/spool/cups/tmp
+%dir %attr(0710,root,lp) %{_localstatedir}/spool/cups
+%dir %attr(0755,lp,sys) %{_localstatedir}/log/cups
+%{_mandir}/man[1578]/*
+# client subpackage
+%exclude %{_mandir}/man1/lp*.1.gz
+%exclude %{_mandir}/man1/cancel-cups.1.gz
+%exclude %{_mandir}/man8/lpc-cups.8.gz
+# devel subpackage
+%exclude %{_mandir}/man1/cups-config.1.gz
+# ipptool subpackage
+%exclude %{_mandir}/man1/ipptool.1.gz
+%exclude %{_mandir}/man5/ipptoolfile.5.gz
+# lpd subpackage
+%exclude %{_mandir}/man8/cups-lpd.8.gz
+# printerapp
+%exclude %{_mandir}/man1/ippeveprinter.1.gz
+%exclude %{_mandir}/man7/ippevepcl.7.gz
+%exclude %{_mandir}/man7/ippeveps.7.gz
+%dir %attr(0755,root,lp) %{_rundir}/cups
+%dir %attr(0511,lp,sys) %{_rundir}/cups/certs
+%dir %attr(0755,root,lp) %{_sysconfdir}/cups
+%attr(0640,root,lp) %{_sysconfdir}/cups/cupsd.conf.default
+%verify(not md5 size mtime) %config(noreplace) %attr(0640,root,lp) %{_sysconfdir}/cups/cupsd.conf
+%verify(not md5 size mtime) %config(noreplace) %attr(0640,root,lp) %{_sysconfdir}/cups/cups-files.conf
+%attr(0640,root,lp) %{_sysconfdir}/cups/cups-files.conf.default
+%verify(not md5 size mtime) %config(noreplace) %attr(0644,root,lp) %{_sysconfdir}/cups/client.conf
+%verify(not md5 size mtime) %config(noreplace) %attr(0600,root,lp) %{_sysconfdir}/cups/classes.conf
+%verify(not md5 size mtime) %config(noreplace) %attr(0600,root,lp) %{_sysconfdir}/cups/printers.conf
+%verify(not md5 size mtime) %config(noreplace) %attr(0644,root,lp) %{_sysconfdir}/cups/snmp.conf
+%attr(0640,root,lp) %{_sysconfdir}/cups/snmp.conf.default
+%verify(not md5 size mtime) %config(noreplace) %attr(0640,root,lp) %{_sysconfdir}/cups/subscriptions.conf
+%verify(not md5 size mtime) %config(noreplace) %attr(0644,root,lp) %{_sysconfdir}/cups/lpoptions
+%dir %attr(0755,root,lp) %{_sysconfdir}/cups/ppd
+%dir %attr(0700,root,lp) %{_sysconfdir}/cups/ssl
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/cups.conf
+%config(noreplace) %{_sysconfdir}/pam.d/cups
+%{_tmpfilesdir}/cups.conf
+%{_tmpfilesdir}/cups-lp.conf
+%dir %{_unitdir}/%{name}.service.d
+%attr(0644, root, root)%{_unitdir}/%{name}.service.d/server.conf
+%attr(0644, root, root)%{_unitdir}/%{name}.service
+%attr(0644, root, root)%{_unitdir}/%{name}.socket
+%attr(0644, root, root)%{_unitdir}/%{name}.path
+
+%files client
+%{_bindir}/cancel*
+%{_bindir}/lp*
+%{_sbindir}/lpc.cups
+%{_mandir}/man1/cancel-cups.1.gz
+%{_mandir}/man1/lp*.1.gz
+%{_mandir}/man8/lpc-cups.8.gz
+
+%files libs
+%{license} LICENSE
+%{license} NOTICE
+%{_libdir}/libcups.so.2
+%{_libdir}/libcupsimage.so.2
+
+%files filesystem
+%dir %{cups_serverbin}
+%dir %{cups_serverbin}/backend
+%dir %{cups_serverbin}/driver
+%dir %{cups_serverbin}/filter
+%dir %{_datadir}/cups
+%dir %{_datadir}/cups/data
+%dir %{_datadir}/cups/drv
+%dir %{_datadir}/cups/mime
+%dir %{_datadir}/cups/model
+%dir %{_datadir}/cups/ppdc
+%dir %{_datadir}/ppd
+
+%files devel
+%{_bindir}/cups-config
+%{_includedir}/cups
+%{_libdir}/*.so
+%{_mandir}/man1/cups-config.1.gz
+%{_rpmconfigdir}/macros.d/macros.cups
+
+%files lpd
+%{cups_serverbin}/daemon/cups-lpd
+%{_mandir}/man8/cups-lpd.8.gz
+%attr(0644, root, root)%{_unitdir}/cups-lpd.socket
+%attr(0644, root, root)%{_unitdir}/cups-lpd@.service
+
+%files ipptool
+%{_bindir}/ippfind
+%{_bindir}/ipptool
+%dir %{_datadir}/cups/ipptool
+%{_datadir}/cups/ipptool/*
+%{_mandir}/man1/ipptool.1.gz
+%{_mandir}/man5/ipptoolfile.5.gz
+
+%files printerapp
+%{_bindir}/ippeveprinter
+%dir %{cups_serverbin}/command
+%{cups_serverbin}/command/ippevepcl
+%{cups_serverbin}/command/ippeveps
+%{_mandir}/man1/ippeveprinter.1.gz
+%{_mandir}/man7/ippevepcl.7.gz
+%{_mandir}/man7/ippeveps.7.gz
+
+%changelog
+* Thu Feb 24 2022 Richard Lescak - 1:2.3.3op2-13
+- 1964975 - added fix for uninit jump into the leaks patch
+
+* Wed Jan 12 2022 Richard Lescak - 1:2.3.3op2-12
+- 1964975 - memory leaks in http_tls_upgrade() and _cupsEncodeOption()
+
+* Mon Dec 06 2021 Zdenek Dohnal - 1:2.3.3op2-11
+- 1935051 - [FIPS] cups library can use sha-1 and uses internal MD5
+
+* Wed Dec 01 2021 Zdenek Dohnal - 1:2.3.3op2-11
+- 2018951 - RFE: Implement TimeoutStartSec configuration during build
+
+* Mon Nov 29 2021 Zdenek Dohnal - 1:2.3.3op2-11
+- 2018955 - RFE: Implement IdleExitTimeout configuration during build
+
+* Fri Nov 12 2021 Zdenek Dohnal - 1:2.3.3op2-11
+- 2019842 - Add more warning messages about drivers going deprecated
+
+* Fri Nov 12 2021 Zdenek Dohnal - 1:2.3.3op2-10
+- 2022365 - Annocheck fails due incorrect flags during compilation/linking
+
+* Wed Nov 03 2021 Zdenek Dohnal - 1:2.3.3op2-9
+- 2018948 - Unauthenticated users can't move print jobs in Web UI
+- 1999955 - Printing of banner before PCL file only prints banner
+- 2006713 - Trying to restart and hold a job doesn't work
+
+* Mon Aug 09 2021 Mohan Boddu - 1:2.3.3op2-8
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Fri May 14 2021 Zdenek Dohnal - 1:2.3.3op2-7
+- 1949067 - Print queue is paused after ipp backend ends with CUPS_BACKEND_STOP
+
+* Thu May 13 2021 Zdenek Dohnal - 1:2.3.3op2-6
+- 1960160 - PreserveJobHistory/JobFiles aren't applied after the first cupsd restart right after successful print
+
+* Mon Apr 26 2021 Zdenek Dohnal - 1:2.3.3op2-5
+- 1949053 - CUPS doesn't start if sssd starts after cupsd
+
+* Thu Apr 15 2021 Mohan Boddu - 1:2.3.3op2-4
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Mar 22 2021 Zdenek Dohnal - 1:2.3.3op2-3
+- add [Job N] in logs for better debugging
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 1:2.3.3op2-2
+- Rebuilt for updated systemd-rpm-macros
+ See https://pagure.io/fesco/issue/2583.
+
+* Tue Feb 02 2021 Zdenek Dohnal - 1:2.3.3op2-1
+- 1923828 - cups-2.3.3op2 is available
+
+* Mon Feb 01 2021 Zdenek Dohnal - 1:2.3.3op1-4
+- fix for CVE-2020-10001
+- recommend nss-mdns for Fedora to have a working default for now
+- 1921881 - [abrt] cups: __strcmp_avx2(): help.cgi killed by SIGSEGV
+- 1909980 - cupsd crashes on parsing malformed Brother PPD
+
+* Thu Jan 28 2021 Zdenek Dohnal - 1:2.3.3op1-3
+- remove nss-mdns dependency - let the user decide whether use resolved or nss-mdns
+- remove cups dependency on cups-ipptool - actually not needed
+
+* Tue Jan 26 2021 Fedora Release Engineering - 1:2.3.3op1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Nov 30 2020 Zdenek Dohnal - 1:2.3.3op1-1
+- 2.3.3op1
+
+* Fri Nov 27 2020 Zdenek Dohnal - 1:2.3.3-20
+- make unit files writeable by root
+- remove %%post scriptlet - it is covered by drop-in now
+- remove cups-filter-debug.patch
+- backport cups-synconclose.patch from upstream
+
+* Thu Nov 26 2020 Zdenek Dohnal - 1:2.3.3-20
+- remove downstream autostart patch - use systemd drop-in
+
+* Tue Nov 24 2020 Zdenek Dohnal - 1:2.3.3-20
+- fix memory leak during device discovery
+- remove logrotate patches and support - journal is now default
+- remove eggcups patch - seems to cause no harm
+- journal is in Fedora for long time - no need to mention it is Fedora syslog
+- fix packaging of printerapp manpages
+- wheel is now in system groups by default
+- remove old scripts for older migrations
+- CREDITS is now in markdown format, so we don't need to convert
+- fix requires on nss-mdns for cups-printerapp
+- take SNMP OID from upstream
+- rename unit files and update their patches
+
+* Thu Nov 12 2020 Zdenek Dohnal - 1:2.3.3-19
+- 1897023 - Cups service restart sequence during upgrade incorrect
+
+* Tue Nov 10 2020 Zdenek Dohnal - 1:2.3.3-18
+- 1892426 - Crash:free(): invalid pointer in cups backend
+
+* Thu Nov 05 2020 Zdenek Dohnal - 1:2.3.3-17
+- make is no longer in buildroot
+
+* Mon Nov 02 2020 Zdenek Dohnal - 1:2.3.3-16
+- backport cups-ipptool-mdns-uri.patch from upstream
+- backport cups-prioritize-print-color-mode.patch from upstream
+
+* Thu Sep 03 2020 Zdenek Dohnal - 1:2.3.3-14
+- revert previous commit - resolved doesn't work with avahi due missing link
+ in NetworkManager
+
+* Mon Aug 31 2020 Zdenek Dohnal - 1:2.3.3-14
+- MDNS resolving should be done by systemd-resolved now
+
+* Mon Aug 10 2020 Zdenek Dohnal - 1:2.3.3-14
+- CUPS exception isn't in spdx database, use only ASL 2.0
+
+* Wed Aug 05 2020 Zdenek Dohnal - 1:2.3.3-13
+- own 'new' directories
+
+* Tue Aug 04 2020 Zdenek Dohnal - 1:2.3.3-12
+- typo in DESTDIR during 'make install'
+
+* Sat Aug 01 2020 Fedora Release Engineering - 1:2.3.3-11
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering - 1:2.3.3-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jul 22 2020 Zdenek Dohnal - 1:2.3.3-9
+- use %%make_build and %%make_install macros
+
+* Mon Jul 20 2020 Zdenek Dohnal - 1:2.3.3-8
+- 1848575 - [cups, cups-filters] PPD generators creates invalid cupsManualCopies entry
+
+* Fri Jul 17 2020 Zdenek Dohnal - 1:2.3.3-7
+- spec cleanup
+
+* Thu Jun 11 2020 Zdenek Dohnal - 1:2.3.3-6
+- fix patch errors in failover patch
+- cgi script creates a bad uri in web ui
+- ipptool doesn't support mdns uris
+
+* Tue Jun 02 2020 Zdenek Dohnal - 1:2.3.3-5
+- remove os ci tests, we use baseos ci
+
+* Fri May 22 2020 Zdenek Dohnal - 1:2.3.3-4
+- fix space errors in failover patch
+
+* Thu May 21 2020 Zdenek Dohnal - 1:2.3.3-3
+- use _rundir instead of hardcode /run
+
+* Wed May 20 2020 Zdenek Dohnal - 1:2.3.3-2
+- 1838455 - ipp/socket backends connect to turned off device for eternity (contimeout is not applied)
+
+* Tue May 19 2020 Zdenek Dohnal - 1:2.3.3-1
+- 2.3.3
+
+* Tue Apr 21 2020 Zdenek Dohnal - 1:2.3.1-9
+- 1826330 - CVE-2020-3898 cups: heap based buffer overflow in libcups's ppdFindOption() in ppd-mark.c
+
+* Wed Apr 08 2020 Zdenek Dohnal - 1:2.3.1-8
+- 1822154 - cups.service doesn't execute automatically on request
+
+* Mon Apr 06 2020 Zdenek Dohnal - 1:2.3.1-7
+- make avahi and nss-mdns recommended in main package - so users with older printers
+ can install cups without it
+
+* Fri Mar 20 2020 Zdenek Dohnal - 1:2.3.1-6
+- add requires on nss-mdns, because getaddrinfo needs it for resolving .local addresses
+
+* Tue Jan 28 2020 Fedora Release Engineering - 1:2.3.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jan 18 2020 Tom Stellard - 1:2.3.1-4
+- Replace hard-coded gcc and g++ with __cc and __cxx macros
+
+* Wed Jan 15 2020 Zdenek Dohnal - 1:2.3.1-3
+- add buildrequires on systemd-rpm-macros
+
+* Thu Jan 02 2020 Zdenek Dohnal - 1:2.3.1-2
+- do not ship ipp backend as 755, breaks kerberized printing
+- https://github.com/apple/cups/pull/5710
+
+* Mon Dec 16 2019 Zdenek Dohnal - 1:2.3.1-1
+- 2.3.1
+
+* Fri Nov 29 2019 Zdenek Dohnal - 1:2.3.0-2
+- 1777921 - cups unit file makes systemd to complain
+
+* Mon Nov 18 2019 Zdenek Dohnal - 1:2.3.0-1
+- 2.3.0 - new printerapp subpackage
+
+* Wed Oct 16 2019 Zdenek Dohnal - 1:2.2.12-3
+- 1720688 - [abrt] cups: __strlen_avx2(): printers.cgi killed by SIGSEGV
+- 1750904 - cups is unable to add ppd with custom/Custom option
+
+* Fri Sep 13 2019 Zdenek Dohnal - 1:2.2.12-2
+- fix cupsctl usage
+
+* Mon Aug 19 2019 Zdenek Dohnal - 1:2.2.12-1
+- 2.2.12
+
+* Wed Jul 24 2019 Fedora Release Engineering - 1:2.2.11-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Fri May 31 2019 Zdenek Dohnal - 1:2.2.11-3
+- 1708988 - Samsung ML-1676P Laser printer fails to print document
+
+* Wed Apr 17 2019 Zdenek Dohnal - 1:2.2.11-2
+- 1700664 - Stop advertising the HTTP methods that are supported
+
+* Tue Mar 26 2019 Zdenek Dohnal - 1:2.2.11-1
+- 2.2.11
+
+* Fri Mar 15 2019 Zdenek Dohnal - 1:2.2.10-5
+- 1689209 - Add failover backend
+
+* Tue Feb 19 2019 Zdenek Dohnal - 1:2.2.10-4
+- automake sometimes fails to generate correct macros - so force it
+
+* Tue Feb 05 2019 Zdenek Dohnal - 1:2.2.10-3
+- 1672715 - cups fails to build if clang is installed
+
+* Thu Jan 31 2019 Fedora Release Engineering - 1:2.2.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Dec 14 2018 Zdenek Dohnal - 1:2.2.10-1
+- 2.2.10, libcupsmime, libcupsppdc and libcupscgi libraries were removed
+
+* Fri Dec 14 2018 Zdenek Dohnal - 1:2.2.8-10
+- previous commit - fix for previous releases
+
+* Thu Dec 13 2018 Zdenek Dohnal - 1:2.2.8-9
+- logs need to have correct permissions
+
+* Wed Dec 12 2018 Zdenek Dohnal - 1:2.2.8-8
+- 1658673 - Main index.html of web interface doesn't get installed when not installing documentation
+
+* Mon Dec 10 2018 Zdenek Dohnal - 1:2.2.8-7
+- 1657750 - CVE-2018-4700 cups: Predictable session cookie breaks CSRF protection [fedora-all]
+
+* Fri Nov 09 2018 Zdenek Dohnal - 1:2.2.8-6
+- 1622432 - Jobs with multiple files don't complete when backend fails
+- 1648396 - 'cupsd[998]: [CGI] Unable to execute ippfind utility: No such file or directory' in journal
+
+* Fri Sep 21 2018 Zdenek Dohnal - 1:2.2.8-5
+- fixed coverity issues
+
+* Wed Sep 19 2018 Zdenek Dohnal - 1:2.2.8-4
+- 1618018 - Make cups systemd unit files more upstream-like
+
+* Tue Jul 24 2018 Zdenek Dohnal - 1:2.2.8-3
+- correcting license
+
+* Thu Jul 12 2018 Fedora Release Engineering - 1:2.2.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jun 27 2018 Zdenek Dohnal - 1:2.2.8-1
+- 2.2.8, removing several downstream patches, adding some upstream patches
+
+* Tue Jun 12 2018 Zdenek Dohnal - 1:2.2.7-2
+- 1589593 - cupsd LogLevel ignored when logging to journald (syslog)
+- 1590123 - cups-driverd doesn't recognize static gzipped ppds
+
+* Tue Apr 03 2018 Zdenek Dohnal - 1:2.2.7-1
+- rebase to 2.2.7
+- substitute default values for invalid job attributes (upstream issues #5229 and #5186)
+
+* Thu Mar 29 2018 Pavel Zhukov - 1:2.2.6-13
+- Use dbus fix instead of general attr delete (upstream)
+
+* Wed Mar 28 2018 Pavel Zhukov - 1:2.2.6-12
+- Fix for CVE-2017-18248
+
+* Wed Feb 28 2018 Zdenek Dohnal - 1:2.2.6-11
+- remake of 1499261
+
+* Wed Feb 28 2018 Zdenek Dohnal - 1:2.2.6-10
+- mention library names explicitly to warn about soname change
+
+* Tue Feb 27 2018 Zdenek Dohnal - 1:2.2.6-9
+- 1548120 - cups: Partial injection of Fedora build flags
+
+* Mon Feb 26 2018 Zdenek Dohnal - 1:2.2.6-8
+- pkgconfig is now shipped in pkgconf-pkg-config package
+
+* Tue Feb 20 2018 Zdenek Dohnal - 1:2.2.6-7
+- 1499261 - Move log files into journal
+
+* Mon Feb 19 2018 Zdenek Dohnal - 1:2.2.6-6
+- gcc and gcc-c++ is not in buildroot by default now
+
+* Wed Feb 07 2018 Fedora Release Engineering - 1:2.2.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Feb 02 2018 Igor Gnatenko - 1:2.2.6-4
+- Switch to %%ldconfig_scriptlets
+
+* Sat Jan 20 2018 Björn Esser - 1:2.2.6-3
+- Rebuilt for switch to libxcrypt
+
+* Fri Jan 12 2018 Zdenek Dohnal - 1:2.2.6-2
+- 1437345 - Remove cups-resolv_reload.patch
+
+* Fri Nov 03 2017 Zdenek Dohnal - 1:2.2.6-1
+- rebase to 2.2.6
+
+* Tue Oct 17 2017 Zdenek Dohnal - 1:2.2.5-1
+- rebase to 2.2.5
+
+* Mon Oct 09 2017 Zdenek Dohnal - 1:2.2.4-7
+- removing ghostscript-cups dependency - cups-filters ships it
+
+* Wed Oct 04 2017 Zdenek Dohnal - 1:2.2.4-6
+- 1498091 - Cannot browse CUPS servers in GNOME Control Panel Printers
+
+* Mon Oct 02 2017 Zdenek Dohnal - 1:2.2.4-5
+- 1484916 - Can not get destinations from CUPS server
+
+* Fri Sep 22 2017 Zdenek Dohnal - 1:2.2.4-4
+- 1494558 - CUPS may fail to start if NIS groups are used
+
+* Wed Aug 02 2017 Fedora Release Engineering - 1:2.2.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 1:2.2.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Jun 30 2017 Zdenek Dohnal - 1:2.2.4-1
+- rebase to 2.2.4
+
+* Thu Jun 29 2017 Zdenek Dohnal - 1:2.2.3-6
+- update python dependencies accordingly Fedora Guideline for Python (python-cups -> python3-cups)
+
+* Thu Apr 27 2017 Zdenek Dohnal - 1:2.2.3-5
+- copying cups-resolv_reload.patch from RHEL
+
+* Wed Apr 05 2017 Zdenek Dohnal - 1:2.2.3-4
+- fixing issue with #1437065 - makes res_init() call to local resolver and keeps error message, but no hard exit for cupsd
+
+* Tue Apr 04 2017 Zdenek Dohnal - 1:2.2.3-3
+- disable patch for #1437065 for now until issue with stat is solved
+
+* Thu Mar 30 2017 Zdenek Dohnal - 1:2.2.3-2
+- 1437065 - CUPS does not recognize changes to /etc/resolv.conf until CUPS restart
+
+* Wed Mar 29 2017 Zdenek Dohnal - 1:2.2.3-1
+- rebase to 2.2.3
+
+* Fri Feb 10 2017 Fedora Release Engineering - 1:2.2.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Jan 19 2017 Zdenek Dohnal - 1:2.2.2-1
+- rebase to 2.2.2
+
+* Wed Jan 11 2017 Zdenek Dohnal - 1:2.2.1-4
+- bug 1405669 - adding group wheel to SystemGroup
+
+* Fri Nov 11 2016 Zdenek Dohnal - 1:2.2.1-3
+- Unable to print from Windows (7) on a Cups-Server(2.2.1-1) with german umlauts in the filename (bug #1386751)
+
+* Mon Nov 07 2016 Zdenek Dohnal - 1:2.2.1-2
+- #873123 - (cups-usb-quirks) usb printer doesn't print (usblp0: USB Bidirectional printer dev)
+
+* Tue Oct 04 2016 Zdenek Dohnal - 1:2.2.1-1
+- rebase to 2.2.1
+
+* Thu Sep 22 2016 Zdenek Dohnal - 1:2.2.0-2
+- fixing looping in partial failing service (bug #1366775)
+
+* Thu Sep 15 2016 Jiri Popelka - 1:2.2.0-1
+- 2.2.0
+
+* Fri Aug 12 2016 Zdenek Dohnal - 1:2.2-0.4rc1
+- fixing release number
+
+* Tue Aug 09 2016 Zdenek Dohnal - 1:2.2-0.2rc1
+- rebase to cups-2.2rc1
+
+* Wed Aug 03 2016 Zdenek Dohnal - 1:2.2-0.2b2
+- bug 1358589 - added information about syslog means systemd journal by default
+
+* Mon Jun 27 2016 Zdenek Dohnal - 1:2.2-0.1b2
+- Rebase to 2.2b2, editing patches and spec (no need for /etc/cups/interfaces)
+
+* Mon Jun 27 2016 Zdenek Dohnal - 1:2.1.4-1
+- substitution BuildRequires: pkgconfig(libsystemd-*) for BuildRequires: pkgconfig(libsystemd)
+
+* Wed Jun 15 2016 Zdenek Dohnal - 1:2.1.4-1
+- 2.1.4, 1346668 - Change symlink for smb backend to /usr/libexec/samba/cups_backend_smb
+
+* Mon Feb 08 2016 Jiri Popelka - 1:2.1.3-1
+- 2.1.3
+
+* Wed Feb 03 2016 Fedora Release Engineering - 1:2.1.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Dec 02 2015 Jiri Popelka - 1:2.1.2-1
+- 2.1.2 - interface scripts support is back (until 2.2)
+
+* Tue Dec 01 2015 Jiri Popelka - 1:2.1.1-1
+- 2.1.1 - interface scripts no longer supported.
+
+* Mon Nov 02 2015 Jiri Popelka - 1:2.1.0-2
+- Change mode of subscriptions.conf from 644 to 640 (bug #1259770).
+
+* Tue Sep 01 2015 Jiri Popelka - 1:2.1.0-1
+- 2.1.0
+
+* Thu Aug 13 2015 Jiri Popelka - 1:2.1-0.3rc1
+- fix crash in scheduler (#1253135)
+
+* Mon Aug 10 2015 Jiri Popelka - 1:2.1-0.2rc1
+- better fix for STR#4687
+
+* Mon Aug 10 2015 Jiri Popelka - 1:2.1-0.1rc1
+- 2.1rc1
+
+* Mon Aug 10 2015 Jiri Popelka - 1:2.0.4-1
+- 2.0.4
+
+* Tue Jul 28 2015 Jiri Popelka - 1:2.0.3-5
+- BuildRequires: gnutls-devel -> pkgconfig(gnutls)
+
+* Tue Jul 07 2015 Jiri Popelka - 1:2.0.3-4
+- RPM_BUILD_ROOT -> %%{buildroot}, put braces around lspp and use_alternatives
+
+* Thu Jun 25 2015 Tim Waugh - 1:2.0.3-3
+- Fix slow resume of jobs after restart (STR #4646).
+- Fix redirection from CGI scripts (bug #1232030, STR #4538).
+
+* Wed Jun 17 2015 Fedora Release Engineering - 1:2.0.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Tue Jun 09 2015 Jiri Popelka - 1:2.0.3-1
+- 2.0.3
+
+* Sat May 02 2015 Kalev Lember - 1:2.0.2-6
+- Rebuilt for GCC 5 C++11 ABI change
+
+* Mon Mar 16 2015 Tim Waugh - 1:2.0.2-5
+- Avoid busy loop in cupsd when connection is closed after request
+ sent (bug #1179596).
+
+* Mon Feb 16 2015 Jiri Popelka - 1:2.0.2-2
+- Fixed multilib.patch to check for gnutls instead of openssl.
+
+* Tue Feb 10 2015 Jiri Popelka - 1:2.0.2-1
+- 2.0.2
+
+* Tue Jan 27 2015 Tim Waugh - 1:2.0.1-2
+- Fixed systemd notify support (bug #1184453).
+
+* Sat Nov 15 2014 Jiri Popelka - 1:2.0.1-1
+- 2.0.1
+
+* Fri Nov 7 2014 Tim Waugh - 1:2.0.0-12
+- Re-introduce SSLOptions configuration directive, disable SSL3 by
+ default (STR #4476).
+- Enable SSL again via GnuTLS (bug #1161235).
+
+* Thu Nov 6 2014 Tim Waugh - 1:2.0.0-11
+- Removed openssl requirements from spec file as it is no longer
+ supported upstream (see bug #1161235).
+
+* Thu Nov 6 2014 Tim Waugh - 1:2.0.0-10
+- cups-lspp.patch: use cupsdLogJob() when appropriate.
+- Fixed some warnings in cups-lspp.patch.
+- New systemd journal fields CUPS_DEST and CUPS_PRINTER, as well as
+ accurate code location fields.
+
+* Wed Oct 22 2014 Tim Waugh - 1:2.0.0-9
+- Upstream fix for cupsd crash on restart when colord not available
+- (STR #4496).
+
+* Sat Oct 18 2014 Tim Waugh - 1:2.0.0-7
+- Fix for last fix (bug #1153660, bug #1154284).
+
+* Thu Oct 16 2014 Tim Waugh - 1:2.0.0-6
+- Start cupsd systemd service after network.target (bug #1153660).
+
+* Wed Oct 15 2014 Tim Waugh - 1:2.0.0-5
+- Fix cupsGetPPD3() so it doesn't give the caller an unreadable file
+ (bug #1150917, STR #4500).
+
+* Wed Oct 15 2014 Tim Waugh - 1:2.0.0-4
+- Can no longer reproduce bug #1010580 so removing final-content-type
+ patch as it causes issues for some backends (bug #1149244).
+
+* Fri Oct 03 2014 Jiri Popelka - 1:2.0.0-3
+- comment out unnecessary PageLogFormat from cups-files.conf (#1148995)
+
+* Fri Oct 03 2014 Jiri Popelka - 1:2.0.0-2
+- s/org.cups.cupsd/cups/ cups.service
+
+* Wed Oct 01 2014 Jiri Popelka - 1:2.0.0-1
+- 2.0.0
+
+* Fri Sep 12 2014 Jiri Popelka - 1:2.0-0.1.rc1
+- 2.0rc1
+
+* Mon Sep 1 2014 Tim Waugh - 1:1.7.5-7
+- Fix icon display in web interface during server restart (STR #4475).
+
+* Mon Sep 1 2014 Tim Waugh - 1:1.7.5-6
+- More STR #4461 fixes from upstream.
+
+* Tue Aug 26 2014 Tim Waugh - 1:1.7.5-5
+- Use upstream patch for STR #4461.
+
+* Wed Aug 20 2014 Tim Waugh - 1:1.7.5-4
+- Removed old one-off trigger now it's no longer needed.
+- Run systemd postun script for path and socket unit files as well as
+ the main service unit file.
+- Upstream patch for STR #4396, pre-requisite for STR #2913 patch.
+- Upstream patch for STR #2913 to limit Get-Jobs replies to 500 jobs
+ (bug #421671).
+
+* Sat Aug 16 2014 Fedora Release Engineering - 1:1.7.5-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Mon Aug 11 2014 Tim Waugh - 1:1.7.5-2
+- Fix conf/log file reading for authenticated users (STR #4461).
+
+* Fri Aug 01 2014 Jiri Popelka - 1:1.7.5-1
+- 1.7.5
+
+* Wed Jul 23 2014 Jiri Popelka - 1:1.7.4-3
+- CVE-2014-5029, CVE-2014-5030, CVE-2014-5031 (#1122601)
+
+* Wed Jul 23 2014 Tim Waugh - 1:1.7.4-2
+- Fix CGI handling (STR #4454).
+
+* Mon Jul 14 2014 Jiri Popelka - 1:1.7.4-1
+- 1.7.4: CVE-2014-3537
+
+* Sat Jun 07 2014 Fedora Release Engineering - 1:1.7.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May 28 2014 Jiri Popelka - 1:1.7.3-1
+- 1.7.3
+- str4386.patch merged upstream in STR #4403
+
+* Fri May 9 2014 Tim Waugh - 1:1.7.2-3
+- Another attempt at avoiding race condition when sending IPP requests
+ (STR #4386, bug #1072952).
+
+* Thu Apr 17 2014 Jiri Popelka - 1:1.7.2-2
+- Make cups.service Type=notify (bug #1088918).
+
+* Mon Apr 14 2014 Jiri Popelka - 1:1.7.2-1
+- 1.7.2
+
+* Fri Apr 4 2014 Tim Waugh - 1:1.7.1-11
+- Log to the system journal by default (bug #1078781).
+
+* Thu Apr 3 2014 Tim Waugh - 1:1.7.1-10
+- libcups: avoid race condition when sending IPP requests (STR #4386,
+ bug #1072952).
+
+* Wed Apr 02 2014 Jiri Popelka - 1:1.7.1-9
+- New client subpackage containing command line client tools (bug #1002342).
+- Removed unneeded Group tags.
+- Removed 'Requires: /sbin/chkconfig'.
+- Moved 'Provides: lpd' to lpd subpackage.
+
+* Tue Mar 18 2014 Tim Waugh - 1:1.7.1-8
+- Removed patch for STR #4386 as it does not work and causes problems
+ instead (bug #1077239).
+
+* Mon Mar 10 2014 Jiri Popelka - 1:1.7.1-7
+- BuildRequires: pkgconfig(foo) instead of foo-devel
+
+* Thu Mar 6 2014 Tim Waugh - 1:1.7.1-6
+- Track local default in cupsEnumDests() (STR #4332).
+- libcups: avoid race condition when sending IPP requests (STR #4386).
+- Prevent feedback loop when fetching error_log over HTTP (STR #4366).
+
+* Wed Mar 5 2014 Tim Waugh - 1:1.7.1-5
+- Fix for cupsEnumDest() 'removed' callbacks (bug #1054312, STR #4380).
+
+* Mon Feb 17 2014 Tim Waugh - 1:1.7.1-4
+- Document 'journal' logging target.
+
+* Tue Feb 11 2014 Tim Waugh - 1:1.7.1-3
+- Prevent dnssd backend exiting too early (bug #1026940, STR #4365).
+
+* Mon Feb 03 2014 Jiri Popelka - 1:1.7.1-2
+- move macros.cups from /etc/rpm/ to /usr/lib/rpm/macros.d
+
+* Wed Jan 08 2014 Jiri Popelka - 1:1.7.1-1
+- 1.7.1
+
+* Wed Jan 8 2014 Tim Waugh - 1:1.7.0-11
+- Apply upstream patch to improve cupsUser() (STR #4327).
+
+* Tue Jan 7 2014 Tim Waugh - 1:1.7.0-10
+- Removed cups-dbus-utf8.patch as no longer needed (see STR #4314).
+- Return jobs in rank order when handling IPP-Get-Jobs (STR #4326).
+
+* Thu Jan 2 2014 Tim Waugh - 1:1.7.0-9
+- dbus notifier: call _exit when handling SIGTERM (STR #4314).
+- Use '-f' when using rm in %%setup section.
+- Fixed avahi-no-threaded patch so it removes a call to
+ avahi_threaded_poll_stop() (bug #1044602).
+
+* Fri Dec 13 2013 Tim Waugh - 1:1.7.0-8
+- Use string literal for format string in sd_journal_print call.
+
+* Thu Nov 28 2013 Tim Waugh - 1:1.7.0-7
+- Prevent USB timeouts causing incorrect print output (bug #1026914).
+
+* Thu Nov 14 2013 Tim Waugh - 1:1.7.0-6
+- Avoid stale lockfile in dbus notifier (bug #1026949).
+
+* Thu Nov 7 2013 Tim Waugh - 1:1.7.0-5
+- Use upstream patch for stringpool corruption issue (bug #974048).
+
+* Mon Nov 4 2013 Tim Waugh - 1:1.7.0-4
+- Adjusted commented out default for SyncOnClose in cups-files.conf.
+
+* Thu Oct 31 2013 Tim Waugh - 1:1.7.0-3
+- Set the default for SyncOnClose to Yes.
+
+* Mon Oct 28 2013 Tim Waugh - 1:1.7.0-2
+- Use upstream patch to fix job history.
+
+* Thu Oct 24 2013 Tim Waugh - 1:1.7.0-1
+- 1.7.0.
+
+* Thu Oct 24 2013 Tim Waugh
+- Fix job history logging.
+
+* Mon Oct 21 2013 Tim Waugh - 1:1.7-0.27.rc1
+- Allow "journal" log type for log output to system journal.
+
+* Fri Sep 27 2013 Tim Waugh - 1:1.7-0.26.rc1
+- Reverted upstream change to FINAL_CONTENT_TYPE in order to fix
+ printing to remote CUPS servers (bug #1010580).
+
+* Wed Aug 21 2013 Jaromír Končický
+- Add SyncOnClose option (bug #984883).
+
+* Fri Aug 16 2013 Tim Waugh - 1:1.7-0.25.rc1
+- Increase web interface get-devices timeout to 10s (bug #996664).
+
+* Thu Aug 15 2013 Tim Waugh - 1:1.7-0.24.rc1
+- Build with full read-only relocations (bug #996740).
+
+* Tue Aug 6 2013 Tim Waugh - 1:1.7-0.23.rc1
+- Fixes for jobs with multiple files and multiple formats.
+
+* Sat Aug 03 2013 Fedora Release Engineering - 1:1.7-0.22.rc1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed Jul 24 2013 Tim Waugh - 1:1.7-0.21.rc1
+- Fixed cups-config, broken by last change (bug #987660).
+
+* Mon Jul 22 2013 Tim Waugh - 1:1.7-0.20.rc1
+- Removed stale comment in spec file.
+- Link against OpenSSL instead of GnuTLS.
+
+* Mon Jul 22 2013 Tim Waugh - 1:1.7-0.19.rc1
+- Fixed avahi-no-threaded patch (was missing part of cupsd.h). Thanks
+ to Joseph Wang for spotting it.
+
+* Thu Jul 18 2013 Tim Waugh - 1:1.7-0.18.rc1
+- Fixed downoad URL to point to the actual source, not a download
+ page.
+
+* Fri Jul 12 2013 Jiri Popelka - 1:1.7-0.17.rc1
+- 1.7rc1
+
+* Thu Jul 11 2013 Tim Waugh 1:1.7-0.16.b1
+- Avoid sign-extending CRCs for gz decompression (bug #983486).
+
+* Wed Jul 10 2013 Tim Waugh 1:1.7-0.15.b1
+- Fixed download URL.
+
+* Wed Jul 10 2013 Jiri Popelka - 1:1.7-0.14.b1
+- Remove pstops cost factor tweak from conf/mime.convs.in
+
+* Mon Jul 1 2013 Tim Waugh 1:1.7-0.13.b1
+- Don't use D-Bus from two threads (bug #979748).
+
+* Fri Jun 28 2013 Tim Waugh 1:1.7-0.12.b1
+- Fix for DNSSD name resolution.
+
+* Wed Jun 26 2013 Tim Waugh 1:1.7-0.11.b1
+- Default to IPP/1.1 for now (bug #977813).
+
+* Tue Jun 25 2013 Tim Waugh 1:1.7-0.10.b1
+- Added libusb quirk for Canon PIXMA MP540 (bug #967873).
+
+* Mon Jun 24 2013 Tim Waugh