On 2007-04-20, Ben Russo <ben at muppethouse.com> wrote:
>
> I checked in /usr/share/docs/selinux-policy-2.4.6/html
> and find no references (using grub) for "cupsd_disable_trans"
> I google on "cupsd_disable_trans" and find no references either.

All the *_disable_trans booleans mean that the service will not transition
from the selinux unconfined domain to a restricted selinux domain (in
cups's case cupsd_t). So your system will not be protected from this
service if you set the *disable_trans.

>
> How do I find out what this boolean object is or does?
> Is there a description of it somewhere?
> Is it dangerous to just run the command that sealert tells me to run?

I find that the advice sealert gives is quite often bad advice. It
will fix your problem, but you should really evaluate if you're not
opening up too much by following the advice. Here sealert is suggesting
turning off selinux-protection of cups..

> avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0
> exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="__db.000"
> path="socket:[15083]" pid=5515
> scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
> sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0

This seems very strange.. All the labels above seem correct to me, but
why would cupsd need to access (/var/lib/rpm/) "__db.000" ??

-jf
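
An added example, not part of the original message: a small Python parser for the denial quoted above, which pulls out the source domain, target type, class and permissions and compares that narrow denial with the scope of a suggested boolean. The function names `parse_avc` and `review_fix` are hypothetical; the record is the one from the message with its line breaks joined, and the `*_disable_trans` check follows the description given in the reply.

```python
import re

# The denial quoted in the message above, line breaks joined.
AVC = ('avc: denied { read, write } for comm="cupsd" dev=dm-0 egid=0 euid=0 '
       'exe="/usr/sbin/cupsd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 '
       'name="__db.000" path="socket:[15083]" pid=5515 '
       'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
       'sgid=0 subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 suid=0 '
       'tclass=file tcontext=system_u:object_r:rpm_var_lib_t:s0 tty=tty1 uid=0')


def parse_avc(record):
    """Extract the fields needed to judge a denial."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}', record)
    if not m:
        raise ValueError("not an AVC denial")
    # sealert separates permissions with commas, raw audit logs with spaces.
    perms = [p for p in re.split(r'[,\s]+', m.group(1)) if p]
    fields = {k: v.strip('"')
              for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    # A context is user:role:type[:mls-range]; the type is the third field.
    return {'perms': perms,
            'comm': fields.get('comm'),
            'name': fields.get('name'),
            'source_type': fields['scontext'].split(':')[2],
            'target_type': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass']}


def review_fix(avc, suggested_boolean):
    """Set the scope of the denial beside the scope of the suggested fix."""
    # The single access that was denied, written in policy rule notation.
    denied = 'allow %s %s:%s { %s };' % (
        avc['source_type'], avc['target_type'], avc['tclass'],
        ' '.join(avc['perms']))
    # Per the reply: a *_disable_trans boolean stops the domain transition,
    # so the service is no longer confined at all.
    return {'denied_access': denied,
            'removes_confinement': suggested_boolean.endswith('_disable_trans')}


if __name__ == '__main__':
    avc = parse_avc(AVC)
    print(avc)
    print(review_fix(avc, 'cupsd_disable_trans'))
```
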