[patch] CUPS 1.2 SELinux policy changes...
Russell Coker
russell at coker.com.au
Sat Nov 12 13:46:12 UTC 2005
On Sunday 13 November 2005 00:18, Michael Sweet <mike at easysw.com> wrote:
> > Please don't remove comments such as "this is not ideal, and allowing
> > setattr access to cupsd_etc_t is wrong". That's a design flaw in cupsd,
> > eventually we want to fix it. Removing the comment decreases the chance
> > of such a design flaw ever being corrected.
>
> Well, given that the comment does not describe the "design flaw" in
> enough detail to be useful, and that no one has posted this "design
> flaw" to any of the CUPS forums or the STR page on the CUPS site, it
> seemed like I was removing a comment that was confusing and
> uninformative.
>
> What is the design flaw?
The fact that cups requires write access to its config directory and all
config files.
> > The hplip and ptal policies are OK in the same file as cups. They are
> > printer-specific programs. Having separate lpd and cups files is more of
> > a problem. As we seem to be moving away from the traditional lpd we will
> > probably change things in this regard.
> >
> > When there is policy involving access between initrc_t and the
> > domains/types defined in a daemon policy file then this belongs in the
> > policy file for the daemon. Important files such as initrc.te should not
> > have sections for all the many daemons that need to interact with them.
>
> Fair enough. Can we at least segment the rules in each of the files
> so that it is clear which rules apply to which sub-programs?
Sure.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
More information about the fedora-selinux-list mailing list