Antoine Martin wrote: >>>> We could try to label xpra by a label to get it running in a different >>>> CUPS domain. >>>> > (snip) >>> >>> So maybe do something similar to cups_pdf_exec_t for xpraforwarder, >>> with the extra privileges needed for accessing the socket? >> >> Yes, I was looking for the backend. Could you try to label the backend >> by cups_pdf_exec_t to see how it works? > That didn't work, but this does: > chcon -t cups_pdf_exec_t /usr/lib/cups/backend/xpraforwarder <snip> PLEASE be aware that's not permanent. To make it go through reboots, you need to do: semanage fcontext -a -t cups_pdf_exec_t /usr/lib/cups/backend/xpraforwarder AND THEN follow that with restorecon -v /usr/lib/cups/backend/ mark -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
