Antoine Martin wrote:
>>> We could try to label xpra by a label to get it running
in a different
>>> CUPS domain.
>>>
(snip)
>>
>> So maybe do something similar to cups_pdf_exec_t for xpraforwarder,
>> with the extra privileges needed for accessing the socket?
>
> Yes, I was looking for the backend. Could you try to label the backend
> by cups_pdf_exec_t to see how it works?
That didn't work, but this does:
chcon -t cups_pdf_exec_t /usr/lib/cups/backend/xpraforwarder
<snip>
PLEASE be aware that's not permanent. To make it go through reboots, you
need to do:
semanage fcontext -a -t cups_pdf_exec_t /usr/lib/cups/backend/xpraforwarder
AND THEN follow that with
restorecon -v /usr/lib/cups/backend/
mark