[redhat-lspp] New MLS constraint?

Matt Anderson mra at hp.com
Mon Oct 16 16:40:46 UTC 2006


With the removal of TCS's dev-allocator the solution for multi-level
printers that came out of the LSPP calls was to set a range on the
printer device, using chcon, and use SELinux to verify that the print
job was inside that range.

I've since added checking code to the server which does not allow jobs
to be enqueued into the spool or queued and printed unless an
avc_has_perm() check passes.  The current check uses SECCLASS_FILE and
checks FILE__WRITE.

The subject is something like user_u:user_r:user_lpr_t:s2:A
The object is: system_u:object_r:printer_device_t:s2-s15:c0.c1023

When I do this check, however, I get denied whenever the user's context
does not equal the lower level.  Is there a constraint that I can apply,
preferably to the object's type (printer_device_t as opposed to *_lpr_t),
that would allow the above check to succeed?

-matt
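Added illustration, not code from the message or from any SELinux project, of the MLS decision behind the check described above. It models the reference policy's file write constraint as I understand it (an assumption): the default branch demands the subject's low level equal the object's (l1 eq l2), while the object-side attribute mlsfilewriteinrange instead accepts any subject range that sits inside the object's range. The contexts are constructed in the shape of the ones quoted.

```python
"""Model of the MLS write decision behind the printer check in the post."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Level:
    """One sensitivity level: sN plus a set of category numbers."""
    sens: int
    cats: frozenset

    def dominates(self, other):
        # "dom": sensitivity >= and categories a superset
        return self.sens >= other.sens and self.cats >= other.cats

def parse_level(text):
    """'s2:c0.c1023,c5' -> Level(2, {0..1023, 5}); bare 's2' has no categories."""
    sens, _, cats = text.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        if "." in part:  # cN.cM is an inclusive category range
            lo, hi = part.split(".")
            out.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            out.add(int(part[1:]))
    return Level(int(sens[1:]), frozenset(out))

def parse_range(ctx):
    """user:role:type:low[-high] -> (low, high); single level means high == low."""
    low, _, high = ctx.split(":", 3)[3].partition("-")
    lo = parse_level(low)
    return lo, (parse_level(high) if high else lo)

def write_allowed(subj_ctx, obj_ctx, obj_in_range=False):
    """MLS part of class file / permission write (type enforcement assumed to pass).
    Default branch (assumed refpolicy wording):   l1 eq l2
    Object type carries mlsfilewriteinrange:      l1 dom l2 and h1 domby h2"""
    l1, h1 = parse_range(subj_ctx)
    l2, h2 = parse_range(obj_ctx)
    if l1 == l2:
        return True
    if obj_in_range:
        return l1.dominates(l2) and h2.dominates(h1)
    return False

# Constructed contexts in the shape of the ones in the message.
PRINTER = "system_u:object_r:printer_device_t:s2-s15:c0.c1023"
JOB_S2 = "user_u:user_r:user_lpr_t:s2"
JOB_S3 = "user_u:user_r:user_lpr_t:s3:c1"
```

With the default branch only JOB_S2 passes, which reproduces the "denied unless equal to the lower level" behaviour; with the in-range branch JOB_S3 passes as well because s3:c1 lies within s2-s15:c0.c1023.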
