From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 12 Feb 2017 13:35:12 -0500 Subject: [refpolicy] [PATCH 2/2 v2] cups/lpd: read permission for cupsd_var_run_t socket files In-Reply-To: <1486844020.9069.1.camel@trentalancia.net> References: <1486657515.28070.9.camel@trentalancia.net> <1486657583.28070.10.camel@trentalancia.net> <339abd26-09c2-fdea-ae9b-53e01ab5cbef@ieee.org> <1486844020.9069.1.camel@trentalancia.net> Message-ID: <3e688c0f-a02c-b9fb-fd40-e70b533e9ef4@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/11/17 15:13, Guido Trentalancia via refpolicy wrote: > Introduce a new interface in the cups module to read cups socket > files and call such interface from the lpd module. > > Thanks to Christpher PeBenito for revising this patch. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/cups.if | 19 +++++++++++++++++++ > policy/modules/contrib/lpd.te | 1 + > 2 files changed, 20 insertions(+) > > diff -pru a/policy/modules/contrib/cups.if b/policy/modules/contrib/cups.if > --- a/policy/modules/contrib/cups.if 2017-01-24 18:56:19.569106107 +0100 > +++ b/policy/modules/contrib/cups.if 2017-02-11 21:04:00.346144792 +0100 > @@ -128,6 +128,25 @@ interface(`cups_read_pid_files',` > > ######################################## > ## > +## Read cups socket files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cups_read_sock_files',` > + gen_require(` > + type cupsd_var_run_t; > + ') > + > + files_search_pids($1) > + allow $1 cupsd_var_run_t:sock_file read_sock_file_perms; > +') > + > +######################################## > +## > ## Execute cups_config in the > ## cups config domain. > ## > diff -pru a/policy/modules/contrib/lpd.te b/policy/modules/contrib/lpd.te > --- a/policy/modules/contrib/lpd.te 2016-12-22 23:12:59.385081782 +0100 > +++ b/policy/modules/contrib/lpd.te 2017-02-11 21:04:28.457255575 +0100 
> @@ -295,6 +295,7 @@ optional_policy(` > cups_read_config(lpr_t) > cups_stream_connect(lpr_t) > cups_read_pid_files(lpr_t) > + cups_read_sock_files(lpr_t) > ') > > optional_policy(` Merged. -- Chris PeBenito
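Review bot: in the cups.if hunk, the allow rule in cups_read_sock_files grants read_sock_file_perms on cupsd_var_run_t:sock_file, but neither the interface summary ("Read cups socket files.") nor the commit message says which access by the caller requires it. Since the rule is scoped with files_search_pids($1) and sits right after cups_read_pid_files, the summary could state that these are the cups socket files under the pid directory, and the commit message could quote the denial that motivated the grant so the permission set can be checked against it.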
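Review bot: in the lpd.te hunk, the added cups_read_sock_files(lpr_t) call follows cups_stream_connect(lpr_t) and cups_read_pid_files(lpr_t) with nothing to explain why lpr_t needs read on the socket file in addition to those two. A one-line comment above the call, or the observed denial in the commit message, would let a later audit decide whether the grant is still needed.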