From: russell@coker.com.au (Russell Coker)
Date: Tue, 14 Feb 2017 15:08:28 +1100
Subject: [refpolicy] [PATCH 2/2] cups: read permission for cupsd_var_run_t socket files in cups_read_pid_files()
In-Reply-To: <2374176.zg5KFxEMAR@russell.coker.com.au>
References: <1486657515.28070.9.camel@trentalancia.net> <2374176.zg5KFxEMAR@russell.coker.com.au>
Message-ID: <7343131.vSoRdTGYPz@russell.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sunday, 12 February 2017 5:59:21 PM AEDT Russell Coker via refpolicy wrote:
> On Saturday, 11 February 2017 9:00:44 PM AEDT Guido Trentalancia via
> refpolicy
> wrote:
> > Yes, I confirm, sock_file read permissions are needed to print.
>
> I've seen that too. I have something similar in the Debian policy.
>
> It's not needed to print, it's needed in some configurations which are the
> default for some situations. It should be possible to configure cups to not
> need that if you don't need lpr/lpq type functionality - but that may not
> be possible for all clients.

Does it make sense to have a cups_read_sock_files when the cups clients need
read/write access? Why not just have a single interface granting read-write?

In Debian I used the below patch to make cups_stream_connect do what is
necessary. Otherwise you will just have to add cups_read_sock_files after
every call to cups_stream_connect.

Index: refpolicy-2.20170212/policy/modules/contrib/cups.if
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/contrib/cups.if
+++ refpolicy-2.20170212/policy/modules/contrib/cups.if
@@ -69,7 +69,9 @@ interface(`cups_stream_connect',` ') files_search_pids($1) - stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t) + allow $1 cupsd_var_run_t:dir search_dir_perms; + allow $1 cupsd_var_run_t:sock_file { read write_sock_file_perms }; + allow $1 cupsd_t:unix_stream_socket connectto; ') ######################################## -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
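Review bot: the three `allow` rules that replace `stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)` hand-expand a pattern macro inside an interface, which refpolicy style avoids; the only functional change is the extra `read` on `sock_file`, so keep the pattern call and add the permission beside it, e.g. `stream_connect_pattern($1, cupsd_var_run_t, cupsd_var_run_t, cupsd_t)` followed by `allow $1 cupsd_var_run_t:sock_file read_sock_file_perms;`, which also pairs `read` with the `getattr`/`open` that the `write_sock_file_perms` set already carries instead of the bare `read` in `{ read write_sock_file_perms }`. Since `cups_stream_connect` now grants more than a stream connect, the interface's documentation block (above the hunk, not in the diff) should say that callers also get read access to the cupsd socket files, otherwise readers of the interface will not expect the wider grant.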