[patch] CUPS 1.2 SELinux policy changes...

Michael Sweet mike at easysw.com
Sat Nov 12 14:44:08 UTC 2005

Russell Coker wrote:
> On Sunday 13 November 2005 00:18, Michael Sweet <mike at easysw.com> wrote:
>>> Please don't remove comments such as "this is not ideal, and allowing
>>> setattr access to cupsd_etc_t is wrong".  That's a design flaw in cupsd,
>>> eventually we want to fix it.  Removing the comment decreases the chance
>>> of such a design flaw ever being corrected.
>> Well, given that the comment does not describe the "design flaw" in
>> enough detail to be useful, and that no one has posted this "design
>> flaw" to any of the CUPS forums or the STR page on the CUPS site, it
>> seemed like I was removing a comment that was confusing and
>> uninformative.
>> What is the design flaw?
> The fact that cups requires write access to its config directory and all
> config files.

I know some people would prefer to hand-edit all files and place printer
state data in 5 different places, however no one has proposed an
alternate location for these files that makes sense WRT the FHS.

We are absolutely committed to making CUPS easy-to-use, which means
allowing programs (in particular cupsd, which can provide finer-grained
authorization/access control to the configuration data than selinux) to
edit those files.  CUPS also updates the printers.conf, classes.conf,
and subscriptions.conf files based on (persistent) state changes.

Anyways, I will update the comment to reflect this discussion.


On a related note, you have comments on a few other rules I'm not
clear on:

     # temporary solution, we need something better
     allow cupsd_t serial_device:chr_file rw_file_perms;

I'm guessing this refers to allowing write access to all serial ports?
Any thoughts/wishes on this end?  We've looked at a variety of schemes
for identifying serial printer ports - providing separate device links
would seem to be the simplest solution - but there would need to be
some standardization (i.e. Linux distributors need to use it) for it to
be effective.

     # for /var/lib/defoma
     allow cupsd_t var_lib_t:dir search;
     r_dir_file(cupsd_t, readable_t)

This appears to provide read/search access to files in /var/lib, but
I'm confused by the "defoma" bit?

     # lots of errors generated requiring the following
     allow cupsd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
     allow cupsd_t self:netlink_route_socket { r_netlink_socket_perms };

What errors are generated?  What programs are involved?  Why are we
allowing rather than fixing?

Thanks again for your feedback - I hope my next patch will be both
less invasive and more accurate... :)

Michael Sweet, Easy Software Products           mike at easysw dot com
Internet Printing and Publishing Software        http://www.easysw.com
