On Sun, 26 Sep 2004 12:01, Tom London selinux@gmail.com wrote:
> Running strict/enforcing, w/USB printer.
> Reconnecting printer (after pulling the plug) yields the following:
> allow hald_t urandom_device_t:chr_file { read };

The above line should go unconditionally in hald.te not in cups.te. The reason is that hald might access urandom_device_t for many things other than printer configuration, and we don't want the other things to suddenly stop working if we remove the cups policy.
Also for neat policy I think it's best not to put {} around a single item.
I've attached a diff between the policy in my tree for hal and cups and that of the CVS. Please note that removing the dontaudit from cups.te is deliberate; there is a matching allow rule later in the same file.