SELinux policy -- config tools
Russell Coker
russell at coker.com.au
Fri Mar 5 14:04:05 UTC 2004
On Fri, 5 Mar 2004 22:18, Tim Waugh <twaugh at redhat.com> wrote:
> I'm trying to fix some problems with SELinux policy and
> system-config-printer. This tool needs to modify
> /etc/cups/cupsd.conf, and several other files in /etc/cups, but it
> looks like the policy is preventing it (in enforcing mode).
What context is system-config-printer running in? This will be in the AVC
message from the unlink denial.
> The configuration tool writes a new file (cupsd.conf.new) in the same
> directory, with the content it wants (derived from cupsd.conf), and
> tries to rename(cupsd.conf.new,cupsd.conf) -- this fails.
>
> I suspect that just writing cupsd.conf directly would work, but I
> don't want to end up in a situation where a failure half-way through
> writing causes a broken configuration file in-situ.
>
> Probably writing a new file is creating the wrong security context on
> that file anyway:
>
> -rw-r----- 1 root:object_r:cupsd_etc_t root sys 21350 Mar 4 18:17 /etc/cups/cupsd.conf
> -rw------- 1 system_u:object_r:cupsd_rw_etc_t lp sys 21350 Mar 5 09:39 /etc/cups/cupsd.conf.new
>
> but I want to understand what this config tool *should* be doing, and
> how to make the policy let it do that.
Sounds like system-config-printer is running as cupsd_t; I'm not sure that's
what we want. We may have to make all CUPS config files re-writable by cupsd
to solve this.
I've just started fiddling with cups on one of my machines. I'm not sure that
I have a printer that's in working order, so I can't test that CUPS works
right now, but I can test the policy.
My current policy tree works well for system-config-printer. For me
system-config-printer runs as sysadm_t and I don't think that there is any
difference between my policy tree and Dan's latest one which could account
for such a difference.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
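Tim's tool writes cupsd.conf.new and rename()s it over cupsd.conf, and the new file comes up labelled cupsd_rw_etc_t instead of cupsd_etc_t. As an added example, not code from the thread or from system-config-printer, here is that write-then-rename pattern with the original file's mode and SELinux label copied onto the new file before the rename; the helper names are hypothetical, and whether the tool's domain is allowed to relabel and rename is still a policy question, as the thread says.

```python
# Added example (not code from the thread or from system-config-printer):
# replace a config file atomically while copying the original's mode and
# SELinux label onto the new file. Helper names are hypothetical;
# "security.selinux" is the standard Linux xattr that holds the label.
import os
import stat
import tempfile

SELINUX_XATTR = "security.selinux"


def read_label(path):
    """SELinux label of path, or None where SELinux/xattrs are unavailable."""
    try:
        return os.getxattr(path, SELINUX_XATTR)
    except (OSError, AttributeError):
        return None


def replace_config_atomically(path, new_content):
    """Write new_content beside path, then rename() it over path.
    The new file would otherwise keep the directory's default label (in the
    thread: cupsd_rw_etc_t, not cupsd_etc_t) and the umask-derived mode."""
    st = os.stat(path)
    wanted = read_label(path)
    dirname, base = os.path.split(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=base + ".", dir=dirname)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_content)
            f.flush()
            os.fsync(f.fileno())  # data on disk before the name switches
        os.chmod(tmp, stat.S_IMODE(st.st_mode))  # 0640 in the thread, not 0600
        if wanted is not None and read_label(tmp) != wanted:
            # Fail loudly rather than install a mislabelled file.
            os.setxattr(tmp, SELINUX_XATTR, wanted)
        os.rename(tmp, path)  # atomic: readers see the old or the whole new file
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    """Constructed sample: replace a cupsd.conf-like file in a scratch directory."""
    d = tempfile.mkdtemp()
    conf = os.path.join(d, "cupsd.conf")
    with open(conf, "wb") as f:
        f.write(b"LogLevel warn\n")
    os.chmod(conf, 0o640)
    replace_config_atomically(conf, b"LogLevel debug\n")
    with open(conf, "rb") as f:
        content = f.read()
    return content, stat.S_IMODE(os.stat(conf).st_mode), sorted(os.listdir(d))
```

Ownership is not copied; that needs privilege and is left to the caller, which is why the original's root:sys and the tool's lp:sys differ in Tim's listing.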