AVC when configuring printer.....

Ivan Gyurdiev ivg2 at cornell.edu
Fri Mar 3 10:29:10 UTC 2006


> So these are all printconf pipes.
Printconf runs in unconfined_t, and printconf-backend runs in 
cupsd_config_t (not sure if they should be set up like that, I suspect 
this might have been done to restrict what can access the cupsd 
domains). It seems they need to communicate via pipes. Looking at the 
current policy, rules are already in place [ for targeted ] to allow 
reading unconfined pipes from cupsd_config_t, but no rules exist for 
writing data back to unconfined pipes (communication in the other 
direction).

Either printconf should be moved into cupsd_config_t too.... or 
cupsd_config_t should be allowed to write as well as read from 
unconfined pipes.

> Trivial test of just 'applying' the existing config appears not to
> break anything. So, this could be harmless....
>   
That usually means we haven't found out what the problem is yet, and 
it's non-fatal (which doesn't necessarily mean harmless).
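
Added example, not part of the original message or of the Fedora policy: a small triage script that groups `fifo_file` AVC denials by source and target type, so a one-directional pipe gap like the one described above shows up as a single candidate rule to review. The log lines are constructed samples in audit.log format, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines (audit.log format); not taken from the thread.
SAMPLE_AVCS = """\
type=AVC msg=audit(1141381750.101:41): avc:  denied  { write } for  pid=2301 comm="printconf-backe" name="[5120]" dev=pipefs ino=5120 scontext=user_u:system_r:cupsd_config_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
type=AVC msg=audit(1141381750.102:42): avc:  denied  { getattr } for  pid=2301 comm="printconf-backe" name="[5120]" dev=pipefs ino=5120 scontext=user_u:system_r:cupsd_config_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
type=AVC msg=audit(1141381751.007:43): avc:  denied  { read } for  pid=2310 comm="example" name="sample.conf" dev=dm-0 ino=77 scontext=user_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def type_of(context):
    # A context is user:role:type[:level]; the type is the third field.
    return context.split(":")[2]

def denied_pipe_perms(log_text):
    """Map (source_type, target_type) -> set of denied fifo_file permissions."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("cls") == "fifo_file":  # ignore non-pipe denials
            key = (type_of(m.group("s")), type_of(m.group("t")))
            denied[key].update(m.group("perms").split())
    return dict(denied)

def candidate_rules(denied):
    """Render each group as the allow rule a policy reviewer would evaluate."""
    return [
        f"allow {src} {tgt}:fifo_file {{ {' '.join(sorted(perms))} }};"
        for (src, tgt), perms in sorted(denied.items())
    ]

if __name__ == "__main__":
    for rule in candidate_rules(denied_pipe_perms(SAMPLE_AVCS)):
        print(rule)
```

The printed rule is only a statement of what the denials would require; whether to grant it or to move the front end into the confined domain is the policy decision discussed in the message.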