On Sunday 13 November 2005 00:18, Michael Sweet <mike@xxxxxxxxxx> wrote:
> > Please don't remove comments such as "this is not ideal, and allowing
> > setattr access to cupsd_etc_t is wrong". That's a design flaw in cupsd,
> > eventually we want to fix it. Removing the comment decreases the chance
> > of such a design flaw ever being corrected.
>
> Well, given that the comment does not describe the "design flaw" in
> enough detail to be useful, and that no one has posted this "design
> flaw" to any of the CUPS forums or the STR page on the CUPS site, it
> seemed like I was removing a comment that was confusing and
> uninformative.
>
> What is the design flaw?

The fact that cups requires write access to its config directory and all config files.

> > The hplip and ptal policies are OK in the same file as cups. They are
> > printer-specific programs. Having separate lpd and cups files is more of
> > a problem. As we seem to be moving away from the traditional lpd we will
> > probably change things in this regard.
> >
> > When there is policy involving access between initrc_t and the
> > domains/types defined in a daemon policy file then this belongs in the
> > policy file for the daemon. Important files such as initrc.te should not
> > have sections for all the many daemons that need to interact with them.
>
> Fair enough. Can we at least segment the rules in each of the files
> so that it is clear which rules apply to which sub-programs?

Sure.

--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page