From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 12 Feb 2017 13:35:45 -0500
Subject: [refpolicy] [PATCH 2/2] cups: read permission for cupsd_var_run_t socket files in cups_read_pid_files()
In-Reply-To: <2374176.zg5KFxEMAR@russell.coker.com.au>
References: <1486657515.28070.9.camel@trentalancia.net> <339abd26-09c2-fdea-ae9b-53e01ab5cbef@ieee.org> <2374176.zg5KFxEMAR@russell.coker.com.au>
Message-ID: <44677276-bb6e-6938-6936-5807ab4991c9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/12/17 01:59, Russell Coker via refpolicy wrote:
> On Saturday, 11 February 2017 9:00:44 PM AEDT Guido Trentalancia via refpolicy
> wrote:
>> Yes, I confirm, sock_file read permissions are needed to print.
>
> I've seen that too. I have something similar in the Debian policy.
>
> It's not needed to print, it's needed in some configurations which are the
> default for some situations. It should be possible to configure cups to not
> need that if you don't need lpr/lpq type functionality - but that may not be
> possible for all clients.

It's interesting. Years ago when I put together the socket pattern macros I couldn't trigger a sock_file:read, though I didn't try every single UNIX stream socket function. I'll have to look at the kernel code again in case it warrants an update to one of the patterns.

--
Chris PeBenito