[patch] CUPS 1.2 SELinux policy changes...
Michael Sweet
mike at easysw.com
Sat Nov 12 14:44:08 UTC 2005
Russell Coker wrote:
> On Sunday 13 November 2005 00:18, Michael Sweet <mike at easysw.com> wrote:
>>> Please don't remove comments such as "this is not ideal, and allowing
>>> setattr access to cupsd_etc_t is wrong". That's a design flaw in cupsd,
>>> eventually we want to fix it. Removing the comment decreases the chance
>>> of such a design flaw ever being corrected.
>> Well, given that the comment does not describe the "design flaw" in
>> enough detail to be useful, and that no one has posted this "design
>> flaw" to any of the CUPS forums or the STR page on the CUPS site, it
>> seemed like I was removing a comment that was confusing and
>> uninformative.
>>
>> What is the design flaw?
>
> The fact that cups requires write access to its config directory and all
> config files.

I know some people would prefer to hand-edit all files and place printer
state data in 5 different places, however no one has proposed an
alternate location for these files that makes sense WRT the FHS.

We are absolutely committed to making CUPS easy-to-use, which means
allowing programs (in particular cupsd, which can provide finer-grained
authorization/access control to the configuration data than selinux) to
edit those files. CUPS also updates the printers.conf, classes.conf,
and subscriptions.conf files based on (persistent) state changes.

Anyways, I will update the comment to reflect this discussion.

........

On a related note, you have comments on a few other rules I'm not
clear on:

    # temporary solution, we need something better
    allow cupsd_t serial_device:chr_file rw_file_perms;

I'm guessing this refers to allowing write access to all serial ports?
Any thoughts/wishes on this end? We've looked at a variety of schemes
for identifying serial printer ports - providing separate device links
would seem to be the simplest solution - but there would need to be
some standardization (i.e. Linux distributors need to use it) for it to
be effective.

    # for /var/lib/defoma
    allow cupsd_t var_lib_t:dir search;
    r_dir_file(cupsd_t, readable_t)

This appears to provide read/search access to files in /var/lib, but
I'm confused by the "defoma" bit?

    # lots of errors generated requiring the following
    allow cupsd_t self:netlink_audit_socket {
        create_netlink_socket_perms nlmsg_relay };
    allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };

What errors are generated? What programs are involved? Why are we
allowing rather than fixing?

Thanks again for your feedback - I hope my next patch will be both
less invasive and more accurate... :)

--
______________________________________________________________________
Michael Sweet, Easy Software Products mike at easysw dot com
Internet Printing and Publishing Software http://www.easysw.com