
Re: cups, /dev/fd



On Thu, 2004-09-16 at 21:22, Tom London wrote:
> Running strict/enforcing, latest from Dan's tree.
> 
> Printing (say, from openoffice) yields:
> 
> Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc:  denied  { 
> read } for  pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794 
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t 
> tclass=lnk_file
> Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc:  denied  { 
> read } for  pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794 
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t 
> tclass=lnk_file
> 
> inode 2794 is /dev/fd.
> 
> Make sense to add?
> dontaudit cupsd_t device_t:lnk_file { read };

I'd allow it.  /dev/fd is just a symlink to /proc/self/fd, and that
should be permitted.

-- 
Stephen Smalley <sds epoch ncsc mil>
National Security Agency
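
An added example, not part of the original message or of any SELinux tool: a small Python sketch that turns the AVC denial quoted above into the rule under discussion, merging the duplicate log entry. The function names and the re-joined sample log line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted in the thread, re-joined onto one line
# and repeated twice, as it appeared in the log.
_DENIAL = (
    "Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc:  denied  "
    "{ read } for  pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794 "
    "scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t "
    "tclass=lnk_file"
)
SAMPLE_LOG = _DENIAL + "\n" + _DENIAL + "\n"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial line
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def render_rules(denials, keyword="allow"):
    """Emit one rule per key. 'allow' grants the access; 'dontaudit' keeps
    denying it and only suppresses the log message."""
    if keyword not in ("allow", "dontaudit"):
        raise ValueError("keyword must be 'allow' or 'dontaudit'")
    return [
        f"{keyword} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(denials.items())
    ]

if __name__ == "__main__":
    for rule in render_rules(collect_denials(SAMPLE_LOG)):
        print(rule)
```

The rule is keyed on types, so it applies to every symlink labelled device_t that cupsd_t reads, not only to /dev/fd.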

