From: dac.override@gmail.com (Dominick Grift) Date: Sat, 11 Feb 2017 21:22:35 +0100 Subject: [refpolicy] [PATCH 2/2] cups: read permission for cupsd_var_run_t socket files in cups_read_pid_files() In-Reply-To: References: <1486657515.28070.9.camel@trentalancia.net> <1486657583.28070.10.camel@trentalancia.net> <339abd26-09c2-fdea-ae9b-53e01ab5cbef@ieee.org> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/11/2017 09:00 PM, Guido Trentalancia via refpolicy wrote: > Yes, I confirm, sock_file read permissions are needed to print. Just to be clear: So it does not work if you do not allow the read? Sounds to me like this might be a leaked file descriptor issue instead > > On the 11th of February 2017 20:54:00 CET, Chris PeBenito wrote: >> On 02/09/17 11:26, Guido Trentalancia via refpolicy wrote: >>> Modify the cups_read_pid_files() interface so that it allows >>> to read socket files of the cupsd_var_run_t type and not only >>> standard files. >>> >>> Signed-off-by: Guido Trentalancia >>> --- >>> policy/modules/contrib/cups.if | 1 + >>> 1 file changed, 1 insertion(+) >>> >>> diff -pru a/policy/modules/contrib/cups.if >> b/policy/modules/contrib/cups.if >>> --- a/policy/modules/contrib/cups.if 2017-01-24 18:56:19.569106107 >> +0100 >>> +++ b/policy/modules/contrib/cups.if 2017-02-09 16:46:23.649827258 >> +0100 
>>> @@ -124,6 +124,7 @@ interface(`cups_read_pid_files',` >>> >>> files_search_pids($1) >>> allow $1 cupsd_var_run_t:file read_file_perms; >>> + allow $1 cupsd_var_run_t:sock_file read_sock_file_perms; >>> ') >>> >>> ######################################## >> >> You really saw sock_file read? I don't think I've ever seen that. >> Regardless, this should be a separate interface. > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170211/90a4cd9d/attachment.bin
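Review bot: the added `allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;` line in `cups_read_pid_files()` widens an interface whose name and existing rule (`allow $1 cupsd_var_run_t:file read_file_perms;`) cover only regular pid files, so every domain that already calls it would also gain read access to `cupsd_var_run_t` socket files. Put the sock_file rule in a separate interface and call it only from the domain that needs it for printing. The commit message does not quote the AVC denial that motivated the change. Including it (source domain, target class, requested permission) would let reviewers confirm that `read` on the sock_file is really required and is not a leaked file descriptor. The diffstat shows a single insertion, so the interface's description is not updated to mention socket files either; a new interface should carry its own summary.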