Re: Learning SELINUX management, help?




On 2007-04-20, Ben Russo <ben@xxxxxxxxxxxxxxx> wrote:
>
> I checked in /usr/share/docs/selinux-policy-2.4.6/html
> and find no references (using grub) for "cupsd_disable_trans"
> I google on "cupsd_disable_trans" and find no references either.

All the *_disable_trans booleans mean that the service will
not transition from the selinux unconfined domain to a restricted
selinux domain (in cups's case cupsd_t). So your system will not
be protected from this service if you set the *disable_trans.

>
> How do I find out what this boolean object is or does?
> Is there a description of it somewhere?
> Is it dangerous to just run the command that sealert tells me to run?

I find that the advice sealert gives is quite often bad advice.
They will fix your problem, but you should really evaluate if you're
not opening up too much by following the advice. Here sealert is
suggesting turning off selinux-protection of cups.. 


> avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0
> exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000"
> path="socket:[15083]" pid=5515 
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0

This seems very strange.. All the labels above seem correct to me, but why
would cupsd need to access (/var/lib/rpm/) "__db.000" ?? 



   -jf

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
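
An added example, not part of the original message or of any SELinux tool: a small Python parser that splits the denial quoted above into the fields worth checking before acting on a sealert suggestion (which domain was denied which permissions on which label). The function names are hypothetical and the record is the one from the thread, joined onto one line.

```python
import re
import shlex

# The denial quoted in the message above, joined onto one line.
AVC = ('avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0 '
       'exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000" '
       'path="socket:[15083]" pid=5515 '
       'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
       'sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file '
       'tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0')

def parse_avc(record):
    """Split an AVC denial into its permission list and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', record)
    if not m:
        raise ValueError("not an AVC denial")
    # sealert prints "read, write"; raw audit.log prints "read write".
    perms = [p for p in re.split(r'[,\s]+', m.group(1)) if p]
    # shlex strips the double quotes around values such as comm="cupsd".
    fields = dict(tok.split('=', 1) for tok in shlex.split(m.group(2)) if '=' in tok)
    return perms, fields

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def summarize(record):
    """Reduce a denial to who was denied what, on which object label."""
    perms, f = parse_avc(record)
    return {
        'process': f.get('exe') or f.get('comm'),
        'source_domain': selinux_type(f['scontext']),
        'target_type': selinux_type(f['tcontext']),
        'class': f['tclass'],
        'perms': perms,
        'object': f.get('name'),
    }

if __name__ == '__main__':
    s = summarize(AVC)
    print("{process} running as {source_domain} was denied {perms} on "
          "{class} '{object}' labelled {target_type}".format(**s))
```
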
