On Thu, 2004-09-16 at 21:22, Tom London wrote:
> Running strict/enforcing, latest from Dan's tree.
>
> Printing (say, from openoffice) yields:
>
> Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied {
> read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t
> tclass=lnk_file
> Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied {
> read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794
> scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t
> tclass=lnk_file
>
> inode 2794 is /dev/fd.
>
> Make sense to add?
> dontaudit cupsd_t device_t:lnk_file { read };

I'd allow it. /dev/fd is just a symlink to /proc/self/fd, and that
should be permitted.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
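
The denial quoted above maps mechanically onto a policy rule: the type fields of scontext and tcontext, the tclass, and the permission set in braces. The following is an added example, not code from this thread or from any SELinux tool; it parses such records, merges repeated denials, and emits either the allow rule suggested in the reply or the dontaudit form from the question. The function names and the unwrapped sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the denial quoted in the message, unwrapped onto one
# line and repeated twice, as it appears in the quoted log.
_REC = ("Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc: denied "
        "{ read } for pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794 "
        "scontext=system_u:system_r:cupsd_t "
        "tcontext=system_u:object_r:device_t tclass=lnk_file")
SAMPLE_LOG = _REC + "\n" + _REC + "\n"

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_denial(line):
    """Return (source_type, target_type, tclass, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None  # not an AVC denial record
    perms = frozenset(m.group(1).split())
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        # A context is user:role:type[:level]; the type is the third field.
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        return stype, ttype, fields["tclass"], perms
    except (KeyError, IndexError):
        return None  # truncated or malformed record

def rules_from_log(text, keyword="allow"):
    """Merge denials per (source, target, class) and emit one rule each."""
    merged = defaultdict(set)
    for line in text.splitlines():
        d = parse_denial(line)
        if d:
            merged[d[:3]] |= d[3]
    return [
        f"{keyword} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]

if __name__ == "__main__":
    print("\n".join(rules_from_log(SAMPLE_LOG)))
```

A generated rule is only a candidate: whether to allow or dontaudit still depends on what the object is, which is the judgment made in the reply about /dev/fd.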