From: joropo@pioneerwireless.net (JOhn ROss POrter)
Date: Wed, 27 Aug 2008 15:01:13 -0400
Subject: [refpolicy] AVC denials from cups
In-Reply-To: <20080827151643.GA30786@ldl.fc.hp.com>
References: <20080827151643.GA30786@ldl.fc.hp.com>
Message-ID: <48B5A479.7040904@pioneerwireless.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Matt Anderson wrote:
> JOhn ROss POrter wrote:
>
> You had mentioned that the hplip driver allows you to get more
> functionality than just printing. I was wondering if the AVCs were
> generated from those requests, or the printing requests, or what was
> seemingly random from the driver.
>
The AVC warnings occur only as a result of print activity. I get no such
warnings from the scanner interface.
>
> It could be interesting to see how the system behaves in enforcing mode.
> You could remove your policy additions and see if you're still able to
> print and access the scanning and printer display feedback
> functionality, then add your policy module back in, and see what works.
>
I suppose I could follow this path. However, I'm less willing to put in
the effort. I've gotten warnings in the past *only* when I print. I've
never heard from SELinux while playing with the scanner interface.
>
> I don't recall you posting the rules in your policy module here. It
> might be good to do that so that it's all archived in the same place.
>
Follows: /usr/share/selinux/locals/local.te as generated by
assist2allow(?) - unedited, not really understood.
--begin copy--
module local 1.0;

# one require block declares every type and class the allow rules below use
require {
	type system_dbusd_var_run_t;
	type hplip_t;
	type xdm_t;
	type system_dbusd_t;
	class process { execstack execmem };
	class sock_file write;
	class dbus send_msg;
	class dir search;
	class unix_stream_socket connectto;
}

#============= hplip_t ==============
# let the hplip backend reach the system D-Bus daemon over its socket
allow hplip_t system_dbusd_t:dbus send_msg;
allow hplip_t system_dbusd_t:unix_stream_socket connectto;
allow hplip_t system_dbusd_var_run_t:dir search;
allow hplip_t system_dbusd_var_run_t:sock_file write;

#============= xdm_t ==============
# the display manager asked for executable memory / stack
allow xdm_t self:process { execstack execmem };
---end copy---

> Thanks for bringing it up.
> -matt
>
Joropo
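To make the discussion above concrete, here is an added example (not part of the thread, and not audit2allow's own code) that does the same job the posted local.te came out of: it reads AVC denial lines from an audit log, collapses them into a module with a single require block and allow rules grouped by source type, and separately lists any generated rule that grants execmem or execstack, since those lift memory-protection restrictions and are the rules a reviewer would want to question before loading a module as-is. The sample audit lines are constructed to match the posted rules; the helper names (parse_avcs, render_module, risky_rules) are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not taken from the thread), shaped like the
# audit.log lines that would yield the posted local.te. The last one is a
# USER_AVC reported by dbus-daemon itself, which has a different outer layout.
SAMPLE_AVCS = """\
type=AVC msg=audit(1219866073.101:201): avc:  denied  { search } for  pid=4242 comm="hp" name="dbus" dev=tmpfs ino=9001 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1219866073.102:202): avc:  denied  { write } for  pid=4242 comm="hp" name="system_bus_socket" dev=tmpfs ino=9002 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1219866073.103:203): avc:  denied  { connectto } for  pid=4242 comm="hp" path="/var/run/dbus/system_bus_socket" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1219866073.104:204): avc:  denied  { send_msg } for  pid=4242 comm="hp" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus
type=AVC msg=audit(1219866080.500:205): avc:  denied  { execmem } for  pid=1337 comm="gdm-binary" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=process
type=AVC msg=audit(1219866080.501:206): avc:  denied  { execstack } for  pid=1337 comm="gdm-binary" scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:system_r:xdm_t:s0 tclass=process
type=USER_AVC msg=audit(1219866081.000:207): pid=1 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for msgtype=method_call scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus : exe="/bin/dbus-daemon"'
"""

# The kernel and dbus-daemon both emit the "avc: denied { perms } ... scontext= tcontext= tclass=" core.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

# Permissions that weaken memory protections; generated rules carrying them
# deserve a human look instead of automatic inclusion.
RISKY_PERMS = {("process", "execmem"), ("process", "execstack")}


def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def _permset(perms):
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(rules, name="local", version="1.0"):
    """Emit a .te with exactly one require block and allow rules grouped by source type."""
    types, classes = set(), defaultdict(set)
    for (s, t, cls), perms in rules.items():
        types.update({s, t})
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {cls} {_permset(classes[cls])};" for cls in sorted(classes)]
    out.append("}")
    for s in sorted({k[0] for k in rules}):
        out += ["", f"#============= {s} =============="]
        for (src, t, cls), perms in sorted(rules.items()):
            if src == s:
                tgt = "self" if t == s else t   # same type as subject prints as self
                out.append(f"allow {src} {tgt}:{cls} {_permset(perms)};")
    return "\n".join(out) + "\n"


def risky_rules(rules):
    """Rule keys whose permissions include execmem or execstack."""
    return sorted(k for k, perms in rules.items()
                  if any((k[2], p) in RISKY_PERMS for p in perms))


if __name__ == "__main__":
    rules = parse_avcs(SAMPLE_AVCS)
    print(render_module(rules))
    for key in risky_rules(rules):
        print("# REVIEW before loading:", key)
```

On the sample input the rendered module is the posted one with the duplicate require blocks folded into a single block, and the review list contains only the xdm_t process rule; that is the rule to check against what Matt suggested (does printing still work in enforcing mode without it?) rather than keep just because a denial was logged.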