So these are all printconf pipes.
Printconf runs in unconfined_t, and printconf-backend runs in
cupsd_config_t (not sure if they should be setup like that, I suspect
this might have been done to restrict what can acccess the cupsd
domains). It seems they need to communicate via pipes. Looking at the
current policy, rules are already in place [ for targeted ] to allow
reading unconfined pipes from cupsd_config_t, but no rules exist for
writing data back to unconfined pipes (communication in the other
direction).
Either printconf should be moved into cupsd_config_t too.... or
cupsd_config_t should be allowed to write as well as read from
unconfined pipes.
Trivial test of just 'applying' the existing config appears not to
break anything. So, this could be harmless....
That usually means we haven't found out what the problem is yet, and
it's non-fatal (which doesn't necessarily mean harmless).
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
