From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 11 Feb 2017 21:00:44 +0100
Subject: [refpolicy] [PATCH 2/2] cups: read permission for
	cupsd_var_run_t socket files in cups_read_pid_files()
In-Reply-To: <339abd26-09c2-fdea-ae9b-53e01ab5cbef@ieee.org>
References: <1486657515.28070.9.camel@trentalancia.net>
	<1486657583.28070.10.camel@trentalancia.net>
	<339abd26-09c2-fdea-ae9b-53e01ab5cbef@ieee.org>
Message-ID: <DE9DB2A3-1630-4B66-AE0D-9EA5AB4E8FCA@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, I confirm, sock_file read permissions are needed to print.

On the 11th of February 2017 20:54:00 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>On 02/09/17 11:26, Guido Trentalancia via refpolicy wrote:
>> Modify the cups_read_pid_files() interface so that it allows
>> to read socket files of the cupsd_var_run_t type and not only
>> standard files.
>>
>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>> ---
>>  policy/modules/contrib/cups.if |    1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff -pru a/policy/modules/contrib/cups.if
>b/policy/modules/contrib/cups.if
>> --- a/policy/modules/contrib/cups.if	2017-01-24 18:56:19.569106107
>+0100
>> +++ b/policy/modules/contrib/cups.if	2017-02-09 16:46:23.649827258
>+0100
>> @@ -124,6 +124,7 @@ interface(`cups_read_pid_files',`
>>
>>  	files_search_pids($1)
>>  	allow $1 cupsd_var_run_t:file read_file_perms;
>> +	allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
>>  ')
>>
>>  ########################################
>
>You really saw sock_file read?  I don't think I've ever seen that. 
>Regardless, this should be a separate interface.