From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 12 Feb 2017 13:35:45 -0500
Subject: [refpolicy] [PATCH 2/2] cups: read permission for
 cupsd_var_run_t socket files in cups_read_pid_files()
In-Reply-To: <2374176.zg5KFxEMAR@russell.coker.com.au>
References: <1486657515.28070.9.camel@trentalancia.net>
	<339abd26-09c2-fdea-ae9b-53e01ab5cbef@ieee.org>
	<DE9DB2A3-1630-4B66-AE0D-9EA5AB4E8FCA@trentalancia.net>
	<2374176.zg5KFxEMAR@russell.coker.com.au>
Message-ID: <44677276-bb6e-6938-6936-5807ab4991c9@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/12/17 01:59, Russell Coker via refpolicy wrote:
> On Saturday, 11 February 2017 9:00:44 PM AEDT Guido Trentalancia via refpolicy
> wrote:
>> Yes, I confirm, sock_file read permissions are needed to print.
>
> I've seen that too.  I have something similar in the Debian policy.
>
> It's not needed to print, it's needed in some configurations which are the
> default for some situations.  It should be possible to configure cups to not
> need that if you don't need lpr/lpq type functionality - but that may not be
> possible for all clients.

It's interesting.  Years ago when I put together the socket pattern 
macros I couldn't trigger a sock_file:read, though I didn't try every 
single UNIX stream socket function.  I'll have to look at the kernel 
code again in case it warrants an update to one of the patterns.

-- 
Chris PeBenito