From: guido@trentalancia.net (Guido Trentalancia) Date: Sat, 11 Feb 2017 21:00:44 +0100 Subject: [refpolicy] [PATCH 2/2] cups: read permission for cupsd_var_run_t socket files in cups_read_pid_files() In-Reply-To: <339abd26-09c2-fdea-ae9b-53e01ab5cbef@ieee.org> References: <1486657515.28070.9.camel@trentalancia.net> <1486657583.28070.10.camel@trentalancia.net> <339abd26-09c2-fdea-ae9b-53e01ab5cbef@ieee.org> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Yes, I confirm, sock_file read permissions are needed to print. On the 11th of February 2017 20:54:00 CET, Chris PeBenito wrote: >On 02/09/17 11:26, Guido Trentalancia via refpolicy wrote: >> Modify the cups_read_pid_files() interface so that it allows >> to read socket files of the cupsd_var_run_t type and not only >> standard files. >> >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/contrib/cups.if | 1 + >> 1 file changed, 1 insertion(+) >> >> diff -pru a/policy/modules/contrib/cups.if >b/policy/modules/contrib/cups.if >> --- a/policy/modules/contrib/cups.if 2017-01-24 18:56:19.569106107 >+0100 >> +++ b/policy/modules/contrib/cups.if 2017-02-09 16:46:23.649827258 >+0100 >> @@ -124,6 +124,7 @@ interface(`cups_read_pid_files',` >> >> files_search_pids($1) >> allow $1 cupsd_var_run_t:file read_file_perms; >> + allow $1 cupsd_var_run_t:sock_file read_sock_file_perms; >> ') >> >> ######################################## > >You really saw sock_file read? I don't think I've ever seen that. >Regardless, this should be a separate interface.
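Review bot: The added `allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;` line in cups_read_pid_files() grants socket-file read to every existing caller of an interface whose name and existing rule cover only pid files, so domains that only needed the pid file gain access they never requested. Move the rule into its own interface and call it only from the domains that need it for printing. The diffstat shows a single insertion, so the interface's summary comment is not updated to mention sock_file. The commit message should also quote the AVC denial that shows which source domain needs sock_file read.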