Re: AVC when configuring printer.....


 



On 3/3/06, Ivan Gyurdiev <ivg2@xxxxxxxxxxx> wrote:
>
> > So these are all printconf pipes.
> Printconf runs in unconfined_t, and printconf-backend runs in
> cupsd_config_t (not sure if they should be set up like that, I suspect
> this might have been done to restrict what can access the cupsd
> domains). It seems they need to communicate via pipes. Looking at the
> current policy, rules are already in place [ for targeted ] to allow
> reading unconfined pipes from cupsd_config_t, but no rules exist for
> writing data back to unconfined pipes (communication in the other
> direction).
>
> Either printconf should be moved into cupsd_config_t too.... or
> cupsd_config_t should be allowed to write as well as read from
> unconfined pipes.
>
> > Trivial test of just 'applying' the existing config appears not to
> > break anything. So, this could be harmless....
> >
> That usually means we haven't found out what the problem is yet, and
> it's non-fatal (which doesn't necessarily mean harmless).
>
Ivan,

I agree: non-fatal is not the same as harmless.

Thanks for taking the time to analyze this.

tom
--
Tom London

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
