Re: Bug#254153: cupsys: SE/Linux required to give user permission to read /var/spool/cups/certs/0

Re: Bug#254153: cupsys: SE/Linux required to give user permission to read /var/spool/cups/certs/0

[Luke Kenneth Casson Leighton]

On Sat, Jul 03, 2004 at 11:09:43AM +0900, Kenshi Muto wrote:
> Hi,
> 
> Sorry for my late response,
> 
> At Sun, 13 Jun 2004 10:19:47 +0000,
> Luke Kenneth Casson Leighton wrote:
> > the permissions on SE/Linux are starting from scratch
> > "everything-is-banned".
> > 
> > therefore, a quite thorough audit is underway as applications are
> > run and users of Debian / SE/Linux find that they "can't do X".
> > 
> > in this instance, "i can't add a printer from KDE's print manager
> > because ordinary users are not given permission to do ANY kind of
> > access to /var/spool/cups."
> > 
> > therefore, please could you consider moving the /var/spool/cups/certs
> > to somewhere more appropriate where ordinary can be given read access
> > to it?
> 
> Hmm, upstream source uses '/etc/cups/certs', but previous cups
> maintainer changed this by:
>   * Moved /etc/cups/certs to /var/spool/cups/certs.  Closes: #144887.
> 
> I don't know what's best location for this cert file, but how about
> '/var/lib/cups/certs'?
 
 given that cups writes to the certs file every 5 mins, as #144887
 says, it's inappropriate for it to be in /etc.

 /var/spool/cups is not accessible except by sysadmin.

 /var/lib/cups can be created and made user-read-accessible so
 that /var/lib/cups/certs can be accessed.

 yep, i reckon that's a more appropriate location.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Bug#254153 acknowledged by developer (Bug#254153: fixed in cupsys 1.1.20final+rc1-1)

[Luke Kenneth Casson Leighton]

thank you!

On Tue, Jul 13, 2004 at 06:18:10AM -0700, Debian Bug Tracking System wrote:

> Source: cupsys
> Source-Version: 1.1.20final+rc1-1
> 
> We believe that the bug you reported is fixed in the latest version of
> cupsys, which is due to be installed in the Debian FTP archive:
> 
> cupsys-bsd_1.1.20final+rc1-1_i386.deb
>   to pool/main/c/cupsys/cupsys-bsd_1.1.20final+rc1-1_i386.deb
> cupsys-client_1.1.20final+rc1-1_i386.deb
>   to pool/main/c/cupsys/cupsys-client_1.1.20final+rc1-1_i386.deb
> cupsys_1.1.20final+rc1-1.diff.gz
>   to pool/main/c/cupsys/cupsys_1.1.20final+rc1-1.diff.gz
> cupsys_1.1.20final+rc1-1.dsc
>   to pool/main/c/cupsys/cupsys_1.1.20final+rc1-1.dsc
> cupsys_1.1.20final+rc1-1_i386.deb
>   to pool/main/c/cupsys/cupsys_1.1.20final+rc1-1_i386.deb
> cupsys_1.1.20final+rc1.orig.tar.gz
>   to pool/main/c/cupsys/cupsys_1.1.20final+rc1.orig.tar.gz
> libcupsimage2-dev_1.1.20final+rc1-1_i386.deb
>   to pool/main/c/cupsys/libcupsimage2-dev_1.1.20final+rc1-1_i386.deb
> libcupsimage2_1.1.20final+rc1-1_i386.deb
>   to pool/main/c/cupsys/libcupsimage2_1.1.20final+rc1-1_i386.deb
> libcupsys2-dev_1.1.20final+rc1-1_i386.deb
>   to pool/main/c/cupsys/libcupsys2-dev_1.1.20final+rc1-1_i386.deb
> libcupsys2-gnutls10_1.1.20final+rc1-1_i386.deb
>   to pool/main/c/cupsys/libcupsys2-gnutls10_1.1.20final+rc1-1_i386.deb

> Closes: 250883 254153
> Changes: 
>  cupsys (1.1.20final+rc1-1) unstable; urgency=low
>  .
>    * Apply a patch for fixing typo in DE templates. (Closes: Bug#250883)
>    * New upstream source, 2004-07-03 CVS.
>    * Add netbase dependency for cupsys-bsd.
>    * Move certs files to /var/lib/cups/certs. (Closes: Bug#254153)

                            ^^^^^^^^^^^^^^^^^^
	modification will be required to debian selinux package to take
	into account new directory, which will require user-read permission
	to access files in that directory (Certifications for printer
	access).

	l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.