On 3/2/06, Ivan Gyurdiev <ivg2@xxxxxxxxxxx> wrote: > > > type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied { read > > } for pid=5773 comm=printconf-backe name=.fonts.cache-2 dev=dm-0 > > ino=555510 scontext=system_u:system_r:cupsd_config_t:s0 > > tcontext=system_u:object_r:user_home_t:s0 tclass=file > > > Does it work? This is likely harmless. > However, we should be making use of the fact that this file > (.fonts.cache-2) is now in its own directory. I specifically filed a bug > to get it moved, and now we should write policy to take advantage of > that, by: > > - prelabeling this folder with the correct type in our profile script, > or any future solution, so that the cache can be created with the > correct type by libfontconfig > > - allowing programs that need to read fonts to read that type > (moving font-related macros from the old strict policy into the new > refpol). > > It's unfortunate all those problems were solved in the old strict > policy, and now they all have to be re-solved for refpol. > > > type=AVC msg=audit(02/27/2006 08:04:15.126:101) : avc: denied { > > write } for pid=5773 comm=printconf-backe name=[21844] dev=pipefs > > ino=21844 scontext=system_u:system_r:cupsd_config_t:s0 > > tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_file > > > This isn't very helpful - what is it trying to write to - grep for 21844. > (Does lsof show that number?) > > Sorry for the lack of specifics here, but it was all I could get at the time. Didn't think about 'grep XX | lsof'. Recreating yields: type=AVC msg=audit(1141332960.725:64): avc: denied { write } for pid=8214 comm="printconf-backe" name="[48007]" dev=pipefs ino=48007 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_filetype=AVC msg=audit(1141332960.725:64): avc: denied { write } for pid=8214 comm="printconf-backe" name="[48008]" dev=pipefs ino=48008 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_filetype=AVC msg=audit(1141332960.725:64): avc: denied { write } for pid=8214 comm="printconf-backe" name="[48009]" dev=pipefs ino=48009 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=fifo_filetype=AVC msg=audit(1141332960.725:64): avc: denied { read } for pid=8214 comm="printconf-backe" name=".fonts.cache-2" dev=dm-0 ino=555510 scontext=system_u:system_r:cupsd_config_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file type=SYSCALL msg=audit(1141332960.725:64): arch=40000003 syscall=11 success=yes exit=0 a0=9029dc8 a1=9029e18 a2=9029f20 a3=9026d70 items=3 pid=8214 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="printconf-backe" exe="/usr/bin/python" type=AVC_PATH msg=audit(1141332960.725:64): path="/root/.rh-fontconfig/.fonts.cache-2" type=AVC_PATH msg=audit(1141332960.725:64): path="pipe:[48009]" type=AVC_PATH msg=audit(1141332960.725:64): path="pipe:[48008]" type=AVC_PATH msg=audit(1141332960.725:64): path="pipe:[48007]" type=CWD msg=audit(1141332960.725:64): cwd="/" type=PATH msg=audit(1141332960.725:64): item=0 name="/usr/sbin/printconf-backend" flags=101 inode=5790576 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1141332960.725:64): item=1 flags=101 inode=5786615 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 type=PATH msg=audit(1141332960.725:64): item=2 flags=101 inode=1045697 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 'lsof | grep 4800' yields: [root@localhost ~]# lsof | grep 4800 Xorg 2494 root 35u unix 0xf6e48004 48012 /tmp/.X11-unix/X0 gnome-scr 2770 tbl 14u unix 0xf0b48004 23919 socket firefox-b 2822 tbl 34u REG 253,0 2048000 6928883 /home/tbl/.mozilla/firefox/bdyi67iu.default/Cache/_CACHE_003_ printconf 8186 root 6r FIFO 0,5 48007 pipe printconf 8186 root 7w FIFO 0,5 48007 pipe printconf 8186 root 8r FIFO 0,5 48008 pipe printconf 8186 root 9w FIFO 0,5 48008 pipe printconf 8186 root 10r FIFO 0,5 48009 pipe printconf 8186 root 11w FIFO 0,5 48009 pipe [root@localhost ~]# So these are all printconf pipes. What other info can I provide? Trivial test of just 'applying' the existing config appears not to break anything. So, this could be harmless.... tom -- Tom London -- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list