On Saturday 12 November 2005 02:47, Michael Sweet <mike@xxxxxxxxxx> wrote: > I removed the non-CUPS rules because the mix of software makes > debugging and validating the CUPS policies that much harder, and it > makes sense to maintain the policies for separate projects > separately... Firstly, please test your patches first. There is no name_connect access in the unix_stream_socket class or a seteuid capability. Please don't remove comments such as "this is not ideal, and allowing setattr access to cupsd_etc_t is wrong". That's a design flaw in cupsd, eventually we want to fix it. Removing the comment decreases the chance of such a design flaw ever being corrected. The hplip and ptal policies are OK in the same file as cups. They are printer-specific programs. Having separate lpd and cups files is more of a problem. As we seem to be moving away from the traditional lpd we will probably change things in this regard. When there is policy involving access between initrc_t and the domains/types defined in a daemon policy file then this belongs in the policy file for the daemon. Important files such as initrc.te should not have sections for all the many daemons that need to interact with them. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
