[patch] CUPS 1.2 SELinux policy changes...

Russell Coker russell at coker.com.au
Sat Nov 12 07:21:38 UTC 2005


On Saturday 12 November 2005 02:47, Michael Sweet <mike at easysw.com> wrote:
> I removed the non-CUPS rules because the mix of software makes
> debugging and validating the CUPS policies that much harder, and it
> makes sense to maintain the policies for separate projects
> separately...

Firstly, please test your patches first.  There is no name_connect access in 
the unix_stream_socket class or a seteuid capability.

Please don't remove comments such as "this is not ideal, and allowing setattr 
access to cupsd_etc_t is wrong".  That's a design flaw in cupsd, eventually 
we want to fix it.  Removing the comment decreases the chance of such a 
design flaw ever being corrected.

The hplip and ptal policies are OK in the same file as cups.  They are 
printer-specific programs.  Having separate lpd and cups files is more of a 
problem.  As we seem to be moving away from the traditional lpd we will 
probably change things in this regard.

When there is policy involving access between initrc_t and the domains/types 
defined in a daemon policy file then this belongs in the policy file for the 
daemon.  Important files such as initrc.te should not have sections for all 
the many daemons that need to interact with them.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
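Both mistakes Russell points out (name_connect is a tcp_socket permission, not a unix_stream_socket one, and seteuid is not a Linux capability) are the kind the policy compiler rejects, so they are caught by building the policy before posting. The script below, an added example rather than code from this thread or from the reference policy, does the same check in miniature: it parses a constructed subset of an access_vectors file and flags allow rules whose permissions the object class does not define. The ACCESS_VECTORS and PATCH_FRAGMENT texts are constructed for illustration.

```python
import re

# Constructed subset of an SELinux access_vectors file (the real one is far
# larger).  "inherits socket" pulls in the common socket permissions.
ACCESS_VECTORS = """
common socket { create read write bind connect listen accept getattr setattr }
class tcp_socket inherits socket { node_bind name_connect }
class unix_stream_socket inherits socket { connectto newconn acceptfrom }
class capability { chown dac_override setgid setuid net_bind_service sys_admin }
"""

# Constructed .te fragment containing the two mistakes named in the mail.
PATCH_FRAGMENT = """
allow cupsd_t self:unix_stream_socket { create connectto name_connect };
allow cupsd_t self:capability { setuid seteuid };
allow cupsd_t self:tcp_socket name_connect;
"""

AV_RE = re.compile(r"(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*\{([^}]*)\}")
ALLOW_RE = re.compile(r"^\s*allow\s+\S+\s+(\S+):(\w+)\s+(\{[^}]*\}|\w+)\s*;", re.M)

def parse_access_vectors(text):
    """Return {object_class: set(permissions)}, expanding 'inherits'."""
    commons, classes = {}, {}
    for kind, name, inherit, body in AV_RE.findall(text):
        perms = set(body.split())
        if kind == "common":
            commons[name] = perms
        else:
            classes[name] = perms | commons.get(inherit, set())
    return classes

def check_policy(policy_text, classes):
    """Return (class, permission) pairs from allow rules that the class lacks."""
    bad = []
    for _target, cls, perm_set in ALLOW_RE.findall(policy_text):
        known = classes.get(cls)
        if known is None:
            bad.append((cls, "*"))          # the object class itself is unknown
            continue
        for perm in perm_set.strip("{}").split():
            if perm not in known:
                bad.append((cls, perm))
    return bad

if __name__ == "__main__":
    for cls, perm in check_policy(PATCH_FRAGMENT, parse_access_vectors(ACCESS_VECTORS)):
        print(f"undefined permission {perm!r} for class {cls!r}")
```

Running it reports name_connect on unix_stream_socket and seteuid on capability, the two rules checkpolicy would refuse; the third rule, name_connect on tcp_socket, is valid and passes.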
