On 10/5/2024 5:26 AM, Russell Coker wrote:
> allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
>
> From the refpolicy the above is the capabilities line for cupsd_t. Why does it have sys_admin? I don't think it has a legitimate need to do anything that
Nothing I can tell you beyond what is in the commit history. The cap has been there since it was added to refpolicy, so it probably was in the old NSA example policy. See ef5ca0fb79191e6af897c58d97977e919b34ec17 back in 2005.
> needs that access. Also sys_rawio seems dubious.
This came in from Dan in 2009, 8f3bddfbfdedf84838c0232a7f30b510ca673fa3.
> virt_rw_all_image_chr_files(cupsd_t)
>
> Also what is the above about?
This came while cups was in the contrib git submodule in 2012, ba518eba315d79afb9df2f19300dc2d18005e5f8.
If you share a printer device, libvirt relabels it to the image file type.

-- 
Chris PeBenito
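The kind of check this thread is doing by hand, as an added example that is not refpolicy code or anything posted in the thread: it parses TE `allow` rules from policy text and lists the capabilities granted to a domain that fall in a review list. The review list, the helper names and the sample policy text (the cupsd_t line from the thread plus two made-up rules) are my own constructions.

```python
import re

# Capabilities a reviewer would want a justification for (my own list,
# not something defined by refpolicy).
REVIEW_CAPS = {"sys_admin", "sys_rawio", "sys_module", "sys_ptrace",
               "dac_override", "dac_read_search"}

# Matches: allow <src> <tgt>:<class> <perm | { perm perm ... }>;
ALLOW_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\w+)\s+"
    r"(?P<perms>\{[^}]*\}|\S+?)\s*;")


def parse_allow_rules(policy_text):
    """Return (source, target, class, set-of-perms) tuples, one per allow rule.
    A 'self' target is resolved to the source type."""
    rules = []
    for m in ALLOW_RE.finditer(policy_text):
        perms = set(m.group("perms").strip("{} ").split())
        tgt = m.group("src") if m.group("tgt") == "self" else m.group("tgt")
        rules.append((m.group("src"), tgt, m.group("cls"), perms))
    return rules


def flag_capabilities(policy_text, domain, review_caps=REVIEW_CAPS):
    """Sorted list of review-list capabilities that `domain` grants itself
    in the capability or capability2 class."""
    flagged = set()
    for src, tgt, cls, perms in parse_allow_rules(policy_text):
        if src == domain and tgt == domain and cls in ("capability", "capability2"):
            flagged |= perms & review_caps
    return sorted(flagged)


# Constructed sample: the cupsd_t line quoted in the thread plus two
# unrelated rules so the parser has something to skip.
SAMPLE_POLICY = """
allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
allow cupsd_t self:process signal;
allow cupsd_t cupsd_etc_t:dir search;
"""

if __name__ == "__main__":
    for cap in flag_capabilities(SAMPLE_POLICY, "cupsd_t"):
        print(f"cupsd_t: capability {cap} needs a justification")
```

Run against a real policy.conf or a module's .te file, the same function gives a per-domain list to take back to the commit history, as was done for the three rules above.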