From: joropo@pioneerwireless.net (JOhn ROss POrter)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] AVC denials from cups
Date: Wed, 27 Aug 2008 15:01:13 -0400
Message-ID: <48B5A479.7040904@pioneerwireless.net>
In-Reply-To: <20080827151643.GA30786@ldl.fc.hp.com>



Matt Anderson wrote:
> JOhn ROss POrter wrote:
>   
>
> You had mentioned that the hplip driver allows you to get more
> functionality than just printing.  I was wondering if the AVCs were
> generated from those requests, or the printing requests, or what was
> seemingly random from the driver.
>   
The AVC warnings occur only as a result of print activity. I get no such 
warnings from the scanner interface.
>   
>
> It could be interesting to see how the system behaves in enforcing mode.
> You could remove your policy additions and see if you're still able to
> print and access the scanning and printer display feedback
> functionality, then add your policy module back in, and see what works.
>   
I suppose I could follow this path. However, I'm less willing to put in 
the effort. I've gotten warnings in the past *only* when I print. I've 
never heard from SELinux while playing with the scanner interface.
>   
>
> I don't recall you posting the rules in your policy module here.  It
> might be good to do that so that it's all archived in the same place.
>   
follows: /usr/share/selinux/locals/local.te
as generated by assist2allow(?) - unedited, not really understood.
--begin copy--

module local 1.0;

require {
type system_dbusd_var_run_t;
type hplip_t;
type xdm_t;
type system_dbusd_t;
class process { execstack execmem };
class sock_file write;
class dbus send_msg;
class dir search;
class unix_stream_socket connectto;
}
require {
type system_dbusd_var_run_t;
type hplip_t;
type xdm_t;
type system_dbusd_t;
class process { execstack execmem };
class sock_file write;
class dbus send_msg;
class dir search;
class unix_stream_socket connectto;
}
require {
type system_dbusd_var_run_t;
type hplip_t;
type xdm_t;
type system_dbusd_t;
class process { execstack execmem };
class sock_file write;
class dbus send_msg;
class dir search;
class unix_stream_socket connectto;
}

#============= hplip_t ==============
allow hplip_t system_dbusd_t:dbus send_msg;
allow hplip_t system_dbusd_t:unix_stream_socket connectto;
allow hplip_t system_dbusd_var_run_t:dir search;
allow hplip_t system_dbusd_var_run_t:sock_file write;

#============= xdm_t ==============
allow xdm_t self:process { execstack execmem };
---end copy---
>   
>
> Thanks for bringing it up.
> -matt
>
>   
Joropo
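
An added example, not part of the original message or of refpolicy: a small Python review of the module posted above that groups the allow rules by source domain, flags permissions that relax executable-memory protection, and checks that every type used is declared in a require block. The function names and the embedded copy of the rules (with a single require block) are constructed for illustration.

```python
import re

# Constructed input: the rules from the local.te quoted above, one require block.
LOCAL_TE = """\
module local 1.0;
require {
type system_dbusd_var_run_t;
type hplip_t;
type xdm_t;
type system_dbusd_t;
class process { execstack execmem };
class sock_file write;
class dbus send_msg;
class dir search;
class unix_stream_socket connectto;
}
allow hplip_t system_dbusd_t:dbus send_msg;
allow hplip_t system_dbusd_t:unix_stream_socket connectto;
allow hplip_t system_dbusd_var_run_t:dir search;
allow hplip_t system_dbusd_var_run_t:sock_file write;
allow xdm_t self:process { execstack execmem };
"""

# Permissions that relax SELinux's executable-memory protections.
MEMPROT = {"execmem", "execstack", "execheap", "execmod"}
ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+?)\s*;", re.M)
TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)

def parse_allow_rules(te_text):
    """Return (source, target, class, permissions) for every allow rule."""
    return [(s, t, c, frozenset(p.strip("{} ").split()))
            for s, t, c, p in ALLOW_RE.findall(te_text)]

def review(te_text):
    """Group rules by source domain and list what deserves a second look."""
    declared = set(TYPE_RE.findall(te_text))
    report = {"by_domain": {}, "memprot": [], "undeclared": set()}
    for src, tgt, cls, perms in parse_allow_rules(te_text):
        report["by_domain"].setdefault(src, []).append((tgt, cls, sorted(perms)))
        if perms & MEMPROT:
            report["memprot"].append((src, cls, sorted(perms & MEMPROT)))
        # "self" refers to the source type and needs no declaration of its own.
        report["undeclared"] |= {t for t in (src, tgt)
                                 if t != "self" and t not in declared}
    return report

if __name__ == "__main__":
    for key, value in review(LOCAL_TE).items():
        print(key, value)
```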
