On Fri, 5 Mar 2004 22:18, Tim Waugh <twaugh@xxxxxxxxxx> wrote:
> I'm trying to fix some problems with SELinux policy and
> system-config-printer. This tool needs to modify
> /etc/cups/cupsd.conf, and several other files in /etc/cups, but it
> looks like the policy is preventing it (in enforcing mode).

What context is system-config-printer running in? This will be in the AVC message from the unlink denial.

> The configuration tool writes a new file (cupsd.conf.new) in the same
> directory, with the content it wants (derived from cupsd.conf), and
> tried to rename(cupsd.conf.new,cupsd.conf) -- this fails.
>
> I suspect that just writing cupsd.conf directly would work, but I
> don't want to end up in a situation where a failure half-way through
> writing causes a broken configuration file in-situ.
>
> Probably writing a new file is creating the wrong security context on
> that file anyway:
>
> -rw-r----- 1 root:object_r:cupsd_etc_t root sys 21350 Mar 4 18:17 /etc/cups/cupsd.conf
> -rw------- 1 system_u:object_r:cupsd_rw_etc_t lp sys 21350 Mar 5 09:39 /etc/cups/cupsd.conf.new
>
> but I want to understand what this config tool *should* be doing, and
> how to make the policy let it do that.

Sounds like system-config-printer is running as cupsd_t, I'm not sure that's what we want. We may have to make all CUPS config files re-writable by cupsd to solve this.

I've just started fiddling with cups on one of my machines, I'm not sure that I have a printer that's in working order so I can't test that CUPS works right now, but I can test the policy.

My current policy tree works well for system-config-printer. For me system-config-printer runs as sysadm_t and I don't think that there is any difference between my policy tree and Dan's latest one which could account for such a difference.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
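
Added example, not part of the original message and not system-config-printer's own code: one way to do the write-new-then-rename update described in the quoted text while giving the new file the original's mode, owner and SELinux context before it replaces cupsd.conf. The helper names `read_label` and `atomic_replace` are hypothetical, the sample file is constructed, and it assumes policy lets the calling domain create, relabel and rename files in the directory.

```python
import os
import stat
import tempfile

SELINUX_XATTR = "security.selinux"  # xattr in which Linux stores a file's SELinux context


def read_label(path):
    """Raw SELinux context of path, or None when unlabeled or unsupported."""
    try:
        return os.getxattr(path, SELINUX_XATTR)
    except (OSError, AttributeError):
        return None


def atomic_replace(target, data):
    """Hypothetical helper: atomically replace target, keeping mode, owner and SELinux label."""
    st = os.stat(target)
    label = read_label(target)
    directory = os.path.dirname(target) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=os.path.basename(target) + ".")
    try:
        with os.fdopen(fd, "wb") as f:
            os.fchmod(fd, stat.S_IMODE(st.st_mode))
            try:
                os.fchown(fd, st.st_uid, st.st_gid)
            except PermissionError:
                pass  # unprivileged caller: ownership stays with us
            if label is not None and read_label(tmp) != label:
                # Relabel before writing content; policy must allow relabelfrom/relabelto.
                os.setxattr(tmp, SELINUX_XATTR, label)
            f.write(data)
            f.flush()
            os.fsync(fd)
        os.rename(tmp, target)  # atomic within one filesystem
    except BaseException:
        os.unlink(tmp)  # never leave a stray temp file beside the config
        raise


if __name__ == "__main__":
    # Constructed sample file standing in for /etc/cups/cupsd.conf.
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "cupsd.conf")
        with open(conf, "wb") as f:
            f.write(b"Port 631\n")
        os.chmod(conf, 0o640)
        atomic_replace(conf, b"Port 631\nBrowsing On\n")
        print(oct(stat.S_IMODE(os.stat(conf).st_mode)), read_label(conf))
```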