With the removal of TCS's dev-allocator the solution for multi-level printers that came out of the LSPP calls was to set a range on the printer device, using chcon, and use SELinux to verify that the print job was inside that range.
I've since added checking code to the server which does not allow jobs to be enqueued into the spool, or queued and printed, unless an avc_has_perm() check passes. The current check uses SECCLASS_FILE and checks FILE__WRITE.

The subject is something like:

    user_u:user_r:user_lpr_t:s2:A

The object is:

    system_u:object_r:printer_device_t:s2-s15:c0.c1023

When I do this check, however, I get denied whenever the user's context does not equal the lower level. Is there a constraint that I can apply, preferably to the object's type (printer_device_t as opposed to *_lpr_t), that would allow the above check to succeed?

-matt

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp

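The denial described above is what the MLS write constraint produces when the subject's level is not identical to the object's low level. The following added example (not code from the post or from the SELinux project) models that decision in Python: it parses the contexts quoted in the message, implements level dominance (sensitivity comparison plus category subset), and evaluates the clauses of the reference-policy style file-write constraint as they are recalled here, which is an assumption about the exact policy shape: `l1 eq l2`, or the subject type carrying `mlsfilewriteinrange` with `l1 dom l2` and `l1 domby h2`, or the object type carrying `mlstrustedobject`. The category `c5` is a constructed stand-in for the post's `A`, so that it falls inside the printer's `c0.c1023` range.

```python
"""Model of the SELinux MLS write-constraint decision for a printer device.

Added example, not part of the original post.  The clause shape follows
the reference-policy style `mlsconstrain ... write` rule as recalled here
(an assumption): write passes if l1 eq l2, or if the subject type has the
mlsfilewriteinrange attribute and l1 dom l2 and l1 domby h2, or if the
object type has the mlstrustedobject attribute.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    """One MLS level: a sensitivity number plus a set of category names."""
    sensitivity: int
    categories: frozenset

    def dominates(self, other: Level) -> bool:
        """l1 dom l2: sensitivity at least as high and categories a superset."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


def parse_categories(text: str) -> frozenset:
    """Expand 'c0.c1023,c5' into a set; a 'cN.cM' token is a numeric range."""
    cats = set()
    for tok in filter(None, text.split(",")):
        m = re.fullmatch(r"c(\d+)\.c(\d+)", tok)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            cats.update(f"c{i}" for i in range(lo, hi + 1))
        else:
            cats.add(tok)
    return frozenset(cats)


def parse_level(text: str) -> Level:
    """'s2:c0.c1023' -> Level(2, {...}); 's2' -> Level(2, {})."""
    sens, _, cats = text.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity: {sens!r}")
    return Level(int(sens[1:]), parse_categories(cats))


def parse_range(text: str) -> tuple[Level, Level]:
    """'s2-s15:c0.c1023' -> (low, high); a single level is its own range."""
    low, _, high = text.partition("-")
    return parse_level(low), parse_level(high or low)


def level_range(context: str) -> tuple[Level, Level]:
    """Take the MLS field (everything after the type) of user:role:type:level."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"context lacks an MLS field: {context!r}")
    return parse_range(parts[3])


def file_write_allowed(subject_ctx: str, object_ctx: str,
                       subject_attrs: frozenset = frozenset(),
                       object_attrs: frozenset = frozenset()) -> tuple[bool, str]:
    """Evaluate the assumed MLS write clauses; returns (allowed, reason)."""
    l1, _h1 = level_range(subject_ctx)
    l2, h2 = level_range(object_ctx)
    if l1 == l2:
        return True, "l1 eq l2"
    if ("mlsfilewriteinrange" in subject_attrs
            and l1.dominates(l2) and h2.dominates(l1)):
        return True, "mlsfilewriteinrange: l1 dom l2 and l1 domby h2"
    if "mlstrustedobject" in object_attrs:
        return True, "t2 == mlstrustedobject"
    return False, "no clause satisfied (l1 != l2 and no attribute applies)"


# Constructed sample contexts based on the ones quoted in the post; 'c5'
# stands in for the post's 'A' so that it lies within c0.c1023.
PRINTER = "system_u:object_r:printer_device_t:s2-s15:c0.c1023"
LPR_LOW = "user_u:user_r:user_lpr_t:s2"
LPR_MID = "user_u:user_r:user_lpr_t:s3:c5"


def demo() -> dict[str, tuple[bool, str]]:
    """Show why the bare check fails above the low level and what lets it pass."""
    return {
        "equal to low level": file_write_allowed(LPR_LOW, PRINTER),
        "inside range, no attribute": file_write_allowed(LPR_MID, PRINTER),
        "inside range, subject in-range attr": file_write_allowed(
            LPR_MID, PRINTER, subject_attrs=frozenset({"mlsfilewriteinrange"})),
        "inside range, trusted object": file_write_allowed(
            LPR_MID, PRINTER, object_attrs=frozenset({"mlstrustedobject"})),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:38s} -> {'allowed' if ok else 'DENIED ':8s} ({why})")
```

Running the script reproduces the symptom from the post (only the `s2` subject passes the unmodified check) and shows the two attribute routes this model admits: one on the subject type and one on the object type, the latter being the kind of object-side attribute the question asks about. Whether either is appropriate for a printer device is a policy decision the model does not make; it only evaluates the clauses as assumed.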