cups... new avcs?

Russell Coker russell at coker.com.au
Mon Aug 2 08:06:57 UTC 2004


On Mon, 2 Aug 2004 07:00, Tom London <selinux at comcast.net> wrote:
> I noticed what I think are new avcs coming from starting cups:
>
> Aug  1 13:49:59 fedora kernel: audit(1091393399.153:0): avc:  denied  { write }
> for  pid=2117 exe=/usr/bin/python name=util dev=hda2 ino=4309019
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:usr_t
> tclass=dir
>
> ino#4309019 is /usr/share/printconf/util
> (not sure why cups wants to write there ....)

What is under that directory tree?

What does cups do in this situation if you put the machine in permissive mode 
and do the same print operation?

Naturally we can't give cups access to usr_t.  We could use a different label 
for the directory in question as an interim measure.  But I think that this 
is really a bug in cups.  I don't think that there's any good reason for cups 
to be writing there.  I think that systems with a /usr file system mounted 
read-only should work fine as print servers!

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
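
The triage reasoning in the reply above, as an added example that is not part of the original message: it parses the quoted denial, builds the allow rule the denial implies, and flags it when the target is a type shared by many programs. The function names and the `GENERIC_TYPES` and `MODIFYING` sets are assumptions made for this example.

```python
import re

# Constructed: the denial quoted in the message, rejoined onto one line.
SAMPLE = (
    "Aug  1 13:49:59 fedora kernel: audit(1091393399.153:0): avc:  denied  "
    "{ write } for  pid=2117 exe=/usr/bin/python name=util dev=hda2 "
    "ino=4309019 scontext=system_u:system_r:cupsd_t "
    "tcontext=system_u:object_r:usr_t tclass=dir"
)

# Assumption: types shared by many unrelated programs, chosen for this example.
GENERIC_TYPES = {"usr_t", "etc_t", "bin_t", "lib_t", "var_t"}
# Permissions that modify the target object or directory.
MODIFYING = {"write", "append", "create", "unlink", "rename", "setattr",
             "add_name", "remove_name"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")


def parse_avc(line):
    """Return the denial's fields as a dict, or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["perms"] = m.group(1).split()
    for key in ("scontext", "tcontext"):
        # A context is user:role:type, optionally followed by an MLS range.
        parts = fields.get(key, "").split(":")
        fields[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return fields


def triage(line):
    """Build the allow rule the denial implies and flag it if too broad."""
    d = parse_avc(line)
    if d is None:
        return None
    rule = "allow %s %s:%s { %s };" % (
        d["scontext_type"], d["tcontext_type"], d.get("tclass"),
        " ".join(d["perms"]))
    too_broad = (d["tcontext_type"] in GENERIC_TYPES
                 and bool(MODIFYING & set(d["perms"])))
    return {"rule": rule, "too_broad": too_broad, "inode": d.get("ino"),
            "device": d.get("dev")}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A rule flagged `too_broad` is one to resolve by relabelling the directory or fixing the program rather than by adding the rule to policy.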


