Running strict/enforcing, latest rawhide.
Previous suggested mods to cups.te for ptal-photod are insufficient.
The following appears needed to allow gimp to connect up to the scanner;
--- cups.te.save 2005-05-28 09:56:03.000000000 -0700
+++ cups.te 2005-05-29 11:30:10.000000000 -0700
@@ -150,6 +150,11 @@
allow ptal_t self:capability { chown sys_rawio };
allow ptal_t self:{ unix_dgram_socket unix_stream_socket }
create_socket_perms; allow ptal_t self:unix_stream_socket { listen
accept };
+can_network_tcp(ptal_t, self)
+allow ptal_t port_t:tcp_socket name_bind;
+allow userdomain ptal_t:unix_stream_socket connectto;
+allow userdomain ptal_var_run_t:sock_file write;
+allow userdomain ptal_var_run_t:dir search;
allow ptal_t self:fifo_file rw_file_perms;
allow ptal_t device_t:dir read;
allow ptal_t printer_device_t:chr_file rw_file_perms;
With these changes, gimp can acquire scanned image.
A few comments: ptal-photod seems to only use 127.0.0.1 for tcp
networking, and the allow for search on ptal_var_run_t:dir required
'enableaudit' to find. Is there an easier/better way to express this?
Sorry for the incomplete update last time....
tom
--
Tom London
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
