On Saturday 30 September 2006 13:54, Matt Anderson <[EMAIL PROTECTED]> wrote:
> I've been playing around with the printing portion of the policy a bit
> and would like to suggest some changes.  Looking at the source for
> lpd.if it seems the policy was originally written with a lpr/lpd in
> mind that is not CUPS.

Correct.  The lpr/lpd policy was written a long time before the cups policy.
My recollection is that I wrote the cups policy to support mixed-mode systems
with lpr/lpd emulation in CUPS and easy conversion between cups and lpd.

For today's use it's probably best to just dump support for lpd.  In Fedora
cups is the only supported option, for LSPP you have the same but no option
of getting lprng from extras, in Debian things are tending towards cups (and
with Debian having more support for modules we can probably switch between
cups and lpd modules).

> There are comments referencing a lightweight
> mode, and $1_lpr_t is allowed to read and write to the spool directly.
> CUPS does not do these things.  Attached is a patch I've applied to my
> systems that allows CUPS to work just fine in Targeted and MLS mode with
> 13 less allow rules.

That seems fine to me.

> Does the addition of this rule seem reasonable?
>
> allow sysadm_lpr_t print_spool_t:file read;

Yes.

> Lastly in order to determine if a user is authorized to print to a given
> printer based on a comparison of their level to that of the printer I'd
> like to propose this rule:
>
> allow $1_lpr_t printer_device_t:file write

That's fine, but it will need a clear comment to avoid the risk of having it
copied inappropriately in future.

-- 
[EMAIL PROTECTED]
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
