[refpolicy] AVC denials from cups

All of lore.kernel.org
 help / color / mirror / Atom feed

From: joropo@pioneerwireless.net (JOhn ROss POrter)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] AVC denials from cups
Date: Wed, 27 Aug 2008 10:54:50 -0400	[thread overview]
Message-ID: <48B56ABA.8050301@pioneerwireless.net> (raw)

I don't know how to distinguish between "to get extra functionality", 
and "driver is requesting."  I submit a print job to the device which 
uses the hp:/net/Office... URI and I get AVC denial pop-ups.

My current status is that I've generated allow rules which, 
successfully, permit the printer interface to function without warnings.
I would mention that the FAQ which setroubleshoot directed be to was 
*very* helpful with respect to generating and applying the necessary 
rules.  Thanks for the assist!

I should also mention, again(?), that I run SELinux in "permissive" 
mode.  The AVC warnings are just an annoyance and to not prohibit 
further activities.

My reason for filing this bug report derived from following suggestions 
received from the #selinux channel on the freenode IRC Network.
 From my own point of view, this issue may be dropped.  The thread may 
prove helpful, however, to anyone else installing the 2.8.7 level of hplip.

Thanks for your attention,
Joropo
-------- Original Message --------

On Tue, Aug 26, 2008 at 02:10:02PM -0400, JOhn ROss POrter wrote:
> Matt Anderson wrote:
>> same device URI and PPD file?  
> different URI's
> no AVC -- socket://192.168.1.105:9100
> w/AVC -- hp:/net/OfficeJet_G85?ip=192.168.1.105 (was created  
> auto-magically by hplip install procedure. Additionally, extra  
> functionality enabled with this device [scanning and printer display  
> feedback])

Okay, it sounds like you've got a patch for the hplip policy then.  Do
you need these additional allow rules to get the extra functionality or
are they permissions the driver is requesting?  If it works, but
generates AVCs as is, you might consider using dontaudit rules.

-matt

next             reply	other threads:[~2008-08-27 14:54 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-08-27 14:54 JOhn ROss POrter [this message]
  -- strict thread matches above, loose matches on Subject: below --
2008-08-27 15:16 [refpolicy] AVC denials from cups Matt Anderson
2008-08-27 19:01 ` JOhn ROss POrter
2008-08-29 14:33   ` Christopher J. PeBenito
2008-08-25 14:21 JOhn ROss POrter
2008-08-26 12:08 ` Matt Anderson
2008-08-26 18:10   ` JOhn ROss POrter
2008-08-27 12:23     ` Matt Anderson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=48B56ABA.8050301@pioneerwireless.net \
    --to=joropo@pioneerwireless.net \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.