cups, /dev/fd
Stephen Smalley
sds at epoch.ncsc.mil
Fri Sep 17 13:19:04 UTC 2004
On Thu, 2004-09-16 at 21:22, Tom London wrote:
> Running strict/enforcing, latest from Dan's tree.
>
> Printing (say, from openoffice) yields:
>
> Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied {
> read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t
> tclass=lnk_file
> Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied {
> read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t
> tclass=lnk_file
>
> inode 2794 is /dev/fd.
>
> Make sense to add?
> dontaudit cupsd_t device_t:lnk_file { read };
I'd allow it. /dev/fd is just a symlink to /proc/self/fd, and that
should be permitted.
--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
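
Added example, not part of the original messages or of the policy sources: a small Python parser that turns the mail-wrapped, ">"-quoted AVC denial from this thread into a candidate policy rule, de-duplicating repeated records. It can emit either the "dontaudit" form proposed in the question or the "allow" form recommended in the reply. The function names (parse_denials, render_rules, context_type) are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the denial as quoted in the thread above, including the
# "> " mail quoting, the line wrapping and the duplicate record.
SAMPLE_LOG = """\
> Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied {
> read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t
> tclass=lnk_file
> Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied {
> read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t
> tclass=lnk_file
"""

# One denial record; the tempered dot stops a record that lacks scontext=
# from borrowing the fields of the record that follows it.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}(?:(?!avc:).)*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    unquoted = re.sub(r"^>\s?", "", log_text, flags=re.M)  # drop mail quoting
    flat = " ".join(unquoted.split())                      # undo line wrapping
    rules = defaultdict(set)
    for m in AVC_RE.finditer(flat):
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def render_rules(rules, keyword="allow"):
    """Render one policy statement per key; keyword is allow or dontaudit."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        names = sorted(perms)
        text = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        out.append(f"{keyword} {src} {tgt}:{cls} {text};")
    return out

if __name__ == "__main__":
    print("\n".join(render_rules(parse_denials(SAMPLE_LOG))))
```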