From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 11 Feb 2017 21:22:35 +0100
Subject: [refpolicy] [PATCH 2/2] cups: read permission for
 cupsd_var_run_t socket files in cups_read_pid_files()
In-Reply-To: <DE9DB2A3-1630-4B66-AE0D-9EA5AB4E8FCA@trentalancia.net>
References: <1486657515.28070.9.camel@trentalancia.net>
	<1486657583.28070.10.camel@trentalancia.net>
	<339abd26-09c2-fdea-ae9b-53e01ab5cbef@ieee.org>
	<DE9DB2A3-1630-4B66-AE0D-9EA5AB4E8FCA@trentalancia.net>
Message-ID: <b6e92774-8529-e2f1-def8-a2eec213dc99@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/11/2017 09:00 PM, Guido Trentalancia via refpolicy wrote:
> Yes, I confirm, sock_file read permissions are needed to print.

Just to be clear: So it does not work if you do not allow the read?
Sounds to me like this might be a leaked file descriptor issue instead

> 
> On the 11th of February 2017 20:54:00 CET, Chris PeBenito <pebenito@ieee.org> wrote:
>> On 02/09/17 11:26, Guido Trentalancia via refpolicy wrote:
>>> Modify the cups_read_pid_files() interface so that it allows
>>> to read socket files of the cupsd_var_run_t type and not only
>>> standard files.
>>>
>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
>>> ---
>>>  policy/modules/contrib/cups.if |    1 +
>>>  1 file changed, 1 insertion(+)
>>>
>>> diff -pru a/policy/modules/contrib/cups.if
>> b/policy/modules/contrib/cups.if
>>> --- a/policy/modules/contrib/cups.if	2017-01-24 18:56:19.569106107
>> +0100
>>> +++ b/policy/modules/contrib/cups.if	2017-02-09 16:46:23.649827258
>> +0100
>>> @@ -124,6 +124,7 @@ interface(`cups_read_pid_files',`
>>>
>>>  	files_search_pids($1)
>>>  	allow $1 cupsd_var_run_t:file read_file_perms;
>>> +	allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;
>>>  ')
>>>
>>>  ########################################
>>
>> You really saw sock_file read?  I don't think I've ever seen that. 
>> Regardless, this should be a separate interface.
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170211/90a4cd9d/attachment.bin