more ptal_t (strict)

Tom London selinux at
Sun May 29 18:47:58 UTC 2005

Running strict/enforcing, latest rawhide.

Previous suggested mods to cups.te for ptal-photod are insufficient.

The following appears needed to allow gimp to connect up to the scanner;

---        2005-05-28 09:56:03.000000000 -0700
+++ cups.te     2005-05-29 11:30:10.000000000 -0700
@@ -150,6 +150,11 @@
 allow ptal_t self:capability { chown sys_rawio };
 allow ptal_t self:{ unix_dgram_socket unix_stream_socket }
create_socket_perms; allow ptal_t self:unix_stream_socket { listen
accept };
+can_network_tcp(ptal_t, self)
+allow ptal_t port_t:tcp_socket name_bind;
+allow userdomain ptal_t:unix_stream_socket connectto;
+allow userdomain ptal_var_run_t:sock_file write;
+allow userdomain ptal_var_run_t:dir search;
 allow ptal_t self:fifo_file rw_file_perms;
 allow ptal_t device_t:dir read;
 allow ptal_t printer_device_t:chr_file rw_file_perms;

With these changes, gimp can acquire scanned image.  

A few comments: ptal-photod seems to only use for tcp
networking, and the allow for search on ptal_var_run_t:dir required
'enableaudit' to find.  Is there an easier/better way to express this?

Sorry for the incomplete update last time....

Tom London

More information about the fedora-selinux-list mailing list