Re: cups, /dev/fd

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hmm.

Then should /dev/fd (the link) be unlabeled, defaulting
to the general DAC?  Or labeled, say, self_fd_t,
with a general rule allowing accesses to it?

Could do the same for /dev/stdin, /dev/stdout, and
/dev/stderr.

tom


On Fri, 17 Sep 2004 09:19:04 -0400, Stephen Smalley <sds@xxxxxxxxxxxxxx> wrote:
> On Thu, 2004-09-16 at 21:22, Tom London wrote:
> > Running strict/enforcing, latest from Dan's tree.
> >
> > Printing (say, from openoffice) yields:
> >
> > Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc:  denied  {
> > read } for  pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794
> > scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t
> > tclass=lnk_file
> > Sep 16 18:01:39 fedora kernel: audit(1095382899.718:0): avc:  denied  {
> > read } for  pid=10941 exe=/usr/bin/perl name=fd dev=tmpfs ino=2794
> > scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:device_t
> > tclass=lnk_file
> >
> > inode 2794 is /dev/fd.
> >
> > Make sense to add?
> > dontaudit cupsd_t device_t:lnk_file { read };
> 
> I'd allow it.  /dev/fd is just a symlink to /proc/self/fd, and that
> should be permitted.
> 
> --
> Stephen Smalley <sds@xxxxxxxxxxxxxx>
> National Security Agency
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 



-- 
Tom London

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux