Description of problem:
Trying to print to pdf from, say, firefox, produces the AVCs below.

Looks like cups wants

#============= cupsd_t ==============
allow cupsd_t user_home_dir_t:dir { write add_name };
allow cupsd_t user_home_dir_t:file { read write create getattr setattr };

type=AVC msg=audit(1205026368.739:33): avc: denied { write } for pid=4706 comm="gs" name="tbl" dev=dm-0 ino=131077 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1205026368.739:33): avc: denied { add_name } for pid=4706 comm="gs" name="Sustaining_a_trend_--_chicagotribune.pdf" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1205026368.739:33): avc: denied { create } for pid=4706 comm="gs" name="Sustaining_a_trend_--_chicagotribune.pdf" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1205026368.739:33): avc: denied { read write } for pid=4706 comm="gs" name="Sustaining_a_trend_--_chicagotribune.pdf" dev=dm-0 ino=131250 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1205026368.739:33): arch=40000003 syscall=5 success=yes exit=10 a0=a05f5e0 a1=242 a2=1b6 a3=240 items=0 ppid=4705 pid=4706 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="gs" exe="/usr/bin/gs" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205026369.236:34): avc: denied { getattr } for pid=4706 comm="gs" path="/home/tbl/Sustaining_a_trend_--_chicagotribune.pdf" dev=dm-0 ino=131250 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1205026369.236:34): arch=40000003 syscall=197 success=yes exit=0 a0=a a1=bff59d08 a2=ad8ff4 a3=a16a938 items=0 ppid=4705 pid=4706 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="gs" exe="/usr/bin/gs" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1205026369.433:35): avc: denied { setattr } for pid=4705 comm="cups-pdf" name="Sustaining_a_trend_--_chicagotribune.pdf" dev=dm-0 ino=131250 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1205026369.433:35): arch=40000003 syscall=15 success=yes exit=0 a0=9b98308 a1=180 a2=0 a3=9b98308 items=0 ppid=4704 pid=4705 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="cups-pdf" exe="/usr/lib/cups/backend/cups-pdf" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
cups-1.3.6-5.fc9.i386

How reproducible:
every time

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
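Added example (not part of the original report, and not audit2allow's own code): a Python script showing how the allow rules quoted in the description follow from the AVC records, by grouping denied permissions per source type, target type and class, and listing the grants that would let a domain modify user home types. The sample lines are abbreviated copies of the records above, and all function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records from the report with pid/dev/ino fields dropped.
CTX = ("scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 "
       "tcontext=system_u:object_r:user_home_dir_t:s0")
PDF = 'name="Sustaining_a_trend_--_chicagotribune.pdf"'
SAMPLE = f'''\
type=AVC msg=audit(1205026368.739:33): avc: denied {{ write }} for comm="gs" name="tbl" {CTX} tclass=dir
type=AVC msg=audit(1205026368.739:33): avc: denied {{ add_name }} for comm="gs" {PDF} {CTX} tclass=dir
type=AVC msg=audit(1205026368.739:33): avc: denied {{ create }} for comm="gs" {PDF} {CTX} tclass=file
type=AVC msg=audit(1205026368.739:33): avc: denied {{ read write }} for comm="gs" {PDF} {CTX} tclass=file
type=SYSCALL msg=audit(1205026368.739:33): arch=40000003 syscall=5 success=yes exit=10 comm="gs" exe="/usr/bin/gs"
type=AVC msg=audit(1205026369.236:34): avc: denied {{ getattr }} for comm="gs" {PDF} {CTX} tclass=file
type=AVC msg=audit(1205026369.433:35): avc: denied {{ setattr }} for comm="cups-pdf" {PDF} {CTX} tclass=file
'''

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?\sscontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")
# Permissions that change the target object (subset relevant to dir/file classes).
WRITE_PERMS = {"write", "add_name", "create", "setattr", "append",
               "unlink", "remove_name", "rename"}

def denied_access(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    access = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        perms, scon, tcon, tclass = m.groups()
        # A context is user:role:type:level; the type is the third field.
        access[(scon.split(":")[2], tcon.split(":")[2], tclass)].update(perms.split())
    return dict(access)

def allow_rules(access):
    """Render one allow rule per key, permissions sorted alphabetically."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(access.items())]

def home_write_grants(access):
    """Keys whose target is a user home type and whose permissions modify it."""
    return sorted(k for k, p in access.items()
                  if k[1].startswith("user_home") and p & WRITE_PERMS)

if __name__ == "__main__":
    acc = denied_access(SAMPLE)
    print("\n".join(allow_rules(acc)))
    print("modifies home types:", home_write_grants(acc))
```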
I'm not very happy about giving cupsd_t access to write to home directories. Couldn't cups-pdf have its own security context for that sort of thing?
@Tom London: which version of cups-pdf?
@Tim Waugh: you're right. I'm not an SELinux expert but I will look for a better solution ASAP.
Running cups-pdf-2.4.6-6.fc9.2.i386; should be rawhide.... Suppose one "approach" would be to define a directory in ~, say, ~/cups-pdf, and give that some label, say cups_pdf_t, and give cupsd_t (reasonably) general access to that type.
The default target directory is "~/Desktop" (user-friendly), but this is "localized" (~/.config/user-dirs.dirs)... So I don't find another solution than to apply a global access to the home dir. I'm still searching...
Please explain what cups-pdf is doing?
cups-pdf allows you to "print to a pdf file" as an option from the usual "print menu" from apps. I'm guessing it is really just a specialized "printer" that tells cupsd to just "route" the pdf to a file instead of a printer. How about something like giving ~/Desktop its own type, say user_desktop_t, and giving cupsd access to that? Could enable/disable with a boolean?
cups-pdf looks like it is shipping with its own policy:
/usr/share/doc/cups-pdf-2.4.6/contrib/SELinux-HOWTO/cups_pdf.te
I would prefer not to allow the access they are giving. It would be better to only allow cups_pdf access to the homedir, not all of cups.
Cups-pdf is a cups backend which converts the PostScript output to PDF using ghostscript and moves the result to the desktop folder (path detected at run-time for localized name).
@Tom London: as I said in #4, ~/Desktop is localized: for me ~/Bureau. So I cannot apply an SELinux context on all possible "desktop" names.
@dwalsh: Yes. As I said in #2 I will work on a better solution. But help on this will be welcome (I'm not a real SELinux expert).
Remi.
Created attachment 297492: Cups_pdf.fc
Created attachment 297493: Cups interface file
Created attachment 297494: Cups pdf te file
I have added a new interface to cups called cups_backend. Using this interface we can create new backends which can be confined differently. I can suck these files into the mainline policy or you can ship them with your package. They seem to work well on my machine. You will need selinux-policy-3.3.1-13.fc9 to be able to compile these.
@Daniel: Great thanks for this. I've just tried it (my rawhide was broken until today). All seems OK for users.
Yes, I think it's a good idea to have it shipped with the main policy (I don't feel capable enough to maintain it in the package). But of course I'm still OK to work on it. I give you the final decision, just tell me.
Regards
Added in selinux-policy-3.3.1-18.fc9. You should remove the policy files from your documentation.
@Daniel: Can you add (probably in policy/modules/services/cups.fc)

/var/spool/cups-pdf(/.*)? gen_context(system_u:object_r:print_spool_t,s0)

Various directories are used for output:
/var/spool/cups-pdf/SPOOL : temporary gs files
/var/spool/cups-pdf/ANONYMOUS : unknown users output (lpr, smb)
/var/spool/cups-pdf/<username> : default "not-user-friendly" cups-pdf output

I apologize, I forgot to mention it after my first tests. I've just added it to a test build from selinux-policy-3.3.1-19.fc9. All works well with it. Thanks.
Fixed in selinux-policy-3.3.21.fc9