diff --git a/cups-0003-systemd-secure-cups.service-unit-file.patch b/cups-0003-systemd-secure-cups.service-unit-file.patch
new file mode 100644
index 0000000..d860ef5
--- /dev/null
+++ b/cups-0003-systemd-secure-cups.service-unit-file.patch
@@ -0,0 +1,16 @@
+--- data/cups.service.in.orig 2014-01-29 13:57:17.000000000 +0100
++++ data/cups.service.in 2014-01-29 14:14:54.000000000 +0100
+@@ -1,10 +1,10 @@
+ [Unit]
+ Description=CUPS Printing Service
++After=network.target
+
+ [Service]
+ ExecStart=@sbindir@/cupsd -f
+
+ [Install]
+-Alias=cupsd.service
+-Also=cups.socket cups.path
+-WantedBy=printer.target
++WantedBy=multi-user.target
++
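Review bot: `After=network.target` on the added line only orders cupsd after the network management stack has started; it does not wait for interfaces to have addresses. Since the changelog gives network printing as the goal, a cupsd.conf with a `Listen` on a non-loopback address could presumably still race with address configuration at boot. Consider `After=network-online.target` together with `Wants=network-online.target`, or state in the patch why `network.target` is sufficient. The patch file also has no header text, so the reason it counts as "more secure" (dropping `Also=cups.socket cups.path`, so socket and path activation are no longer enabled with the service) is recorded only in cups.changes; a short description above the `---` line would keep that rationale with the patch.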
diff --git a/cups-1.5-additional_policies.patch b/cups-1.5-additional_policies.patch
index 9123c68..a9365b2 100644
--- a/cups-1.5-additional_policies.patch
+++ b/cups-1.5-additional_policies.patch
@@ -1,10 +1,9 @@
---- conf/cupsd.conf.in.orig 2010-12-09 22:24:51.000000000 +0100
-+++ conf/cupsd.conf.in 2011-10-05 13:51:39.000000000 +0200
-@@ -138,3 +138,25 @@ WebInterface @CUPS_WEBIF@
- #
- # End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $".
- #
-+
+--- conf/cupsd.conf.in.orig 2014-01-29 14:31:32.000000000 +0100
++++ conf/cupsd.conf.in 2014-01-29 15:20:30.000000000 +0100
+@@ -136,6 +136,39 @@ WebInterface @CUPS_WEBIF@
+
+
+
+# The policy below is added by SUSE during build of our cups package.
+# The policy 'allowallforanybody' is totally open and insecure and therefore
+# it can only be used within an internal network where only trused users exist
@@ -17,12 +16,27 @@
+# For documentation regarding 'Managing Operation Policies' see
+# http://www.cups.org/documentation.php/doc-1.5/policies.html
+
-+
++ # Allow anybody to access job's private values:
++ JobPrivateAccess all
++ # Make none of the job values to be private:
++ JobPrivateValues none
++ # Allow anybody to access subscription's private values:
++ SubscriptionPrivateAccess all
++ # Make none of the subscription values to be private:
++ SubscriptionPrivateValues none
++ # Allow anybody to do all IPP operations:
++ # Currently the IPP operations Validate-Job Cancel-Jobs Cancel-My-Jobs Close-Job CUPS-Get-Document
++ # must be additionally exlicitly specified because those IPP operations are not included
++ # in the "All" wildcard value - otherwise cupsd prints error messages of the form
++ # "No limit for Validate-Job defined in policy allowallforanybody and no suitable template found."
++
+ Order deny,allow
+ Allow from all
+
+
+# Explicitly set the CUPS 'default' policy to be used by default:
+DefaultPolicy default
-+# End of additions by SUSE.
+
+ #
+ # End of "$Id: cupsd.conf.in 9407 2010-12-09 21:24:51Z mike $".
+ #
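Review bot: The added `JobPrivateAccess all`, `JobPrivateValues none`, `SubscriptionPrivateAccess all` and `SubscriptionPrivateValues none` lines expose every job and subscription attribute to any client served under this policy, which is more than the changelog entry describes (it mentions only silencing the "No limit for ... defined" warnings). They appear to sit inside the 'allowallforanybody' policy, whose `<Policy>`/`<Limit>` lines are not visible on this page, and that matches the policy's stated intent. The wider exposure should still be recorded, e.g. `- cups-1.5-additional_policies.patch also sets JobPrivateAccess and SubscriptionPrivateAccess to "all" in policy allowallforanybody`. The hunk also removes the `# End of additions by SUSE.` marker with no visible replacement, so an admin reading the generated cupsd.conf can no longer see where the vendor-added block ends. The new comment contains a typo, `exlicitly` for `explicitly`.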
diff --git a/cups.changes b/cups.changes
index 92a9f7e..d129f37 100644
--- a/cups.changes
+++ b/cups.changes
@@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Wed Jan 29 14:27:52 CET 2014 - jsmeix@suse.de
+
+- cups-0003-systemd-secure-cups.service-unit-file.patch changes
+ the cups.service systemd unit file to be more secure and
+ to let the cupsd again work as it did all the time for printing
+ in a network (bnc#857372 in particular comment #61 therein).
+- cups-1.5-additional_policies.patch was updated to avoid
+ cupsd warning messages of the form "No limit for ... defined
+ in policy allowallforanybody and no suitable template found"
+ (bnc#857372 in particular comment #48 therein).
+
-------------------------------------------------------------------
Fri Jan 10 11:51:41 CET 2014 - jsmeix@suse.de
diff --git a/cups.spec b/cups.spec
index 94e6f46..f7fa0af 100644
--- a/cups.spec
+++ b/cups.spec
@@ -182,9 +182,16 @@ Patch109: str4190.patch
# Patch110 avoids any possible busy loop in cups-polld in case of unusual issues
# by sleeping interval seconds see https://bugzilla.novell.com/show_bug.cgi?id=828228
Patch110: cups-polld_avoid_busy_loop.patch
-# Patch111 fixes the systemd cups.socket file so that systemd listens only on localhost
-# (i.e. where the cupsd itself listens by default). Patch111 must be applied on top of Patch105.
+# Patch111 fixes the cups.socket systemd unit file from Patch105 to be more secure
+# so that systemd listens only on localhost (i.e. where the cupsd itself listens by default)
+# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c24
+# Patch111 must be applied on top of Patch105.
Patch111: cups-0002-systemd-listen-only-on-localhost-for-socket-activation.patch
+# Patch112 changes the cups.service systemd unit file from Patch105 to be more secure
+# and to let the cupsd again work as it did all the time for printing in a network
+# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61
+# Patch111 must be applied on top of Patch105.
+Patch112: cups-0003-systemd-secure-cups.service-unit-file.patch
# Install into this non-root directory (required when norootforbuild is used):
BuildRoot: %{_tmppath}/%{name}-%{version}-build
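Review bot: The last comment line above `Patch112:` still reads `# Patch111 must be applied on top of Patch105.`; it was copied from the Patch111 block and should be `# Patch112 must be applied on top of Patch105.`. The same copied line appears above `%patch112` in the %prep hunk that follows. As written, the spec does not record that the cups.service change depends on Patch105 having introduced the unit file, which matters when patches are reordered or dropped.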
@@ -331,9 +338,16 @@ printer drivers for CUPS.
%patch109
# Patch110 avoids any possible busy loop in cups-polld
%patch110
-# Patch111 fixes the systemd cups.socket file so that systemd listens only on localhost
-# (i.e. where the cupsd itself listens by default). Patch111 must be applied on top of Patch105.
+# Patch111 fixes the cups.socket systemd unit file from Patch105 to be more secure
+# so that systemd listens only on localhost (i.e. where the cupsd itself listens by default)
+# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c24
+# Patch111 must be applied on top of Patch105.
%patch111
+# Patch112 changes the cups.service systemd unit file from Patch105 to be more secure
+# and to let the cupsd again work as it did all the time for printing in a network
+# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61
+# Patch111 must be applied on top of Patch105.
+%patch112
%build
# Disable SILENT run of make so that make runs verbose as usual:
@@ -473,8 +487,15 @@ grep -q '^# Sample configuration ' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.con
sed -i -e 's/^# Sample configuration /# Configuration /' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf
grep -q '^# Sample configuration ' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf.default
sed -i -e 's/^# Sample configuration /# Default configuration /' $RPM_BUILD_ROOT/%{_sysconfdir}/cups/cupsd.conf.default
-
+# systemd stuff:
%if 0%{?have_systemd}
+# move the installed cups.socket and cups.path into a documentation directory
+# so that experienced admins can make their own individual systemd unit files
+# for socket activation and/or path activation as they need it for their particular cases
+# see https://bugzilla.novell.com/show_bug.cgi?id=857372#c61
+mkdir $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd
+mv $RPM_BUILD_ROOT/%{_unitdir}/cups.path $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd/cups.path
+mv $RPM_BUILD_ROOT/%{_unitdir}/cups.socket $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd/cups.socket
# install /usr/lib/tmpfiles.d/cups.conf
mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}
cat > ${RPM_BUILD_ROOT}%{_tmpfilesdir}/cups.conf </dev/null || :
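Review bot: `mkdir $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd` has no `-p`, so %install fails if `%{_defaultdocdir}/cups` was not created earlier, while the later `mkdir -p ${RPM_BUILD_ROOT}%{_tmpfilesdir}` in the same block is tolerant; `mkdir -p $RPM_BUILD_ROOT/%{_defaultdocdir}/cups/systemd` would be the consistent form. Separately, on systems upgraded from a package that shipped and enabled cups.socket and cups.path, the existing enablement symlinks for those units and for `printer.target` would presumably be left dangling, and cups.service would not be pulled in by `multi-user.target` until it is re-enabled. Whether the %post/%postun scriptlets handle that is outside this hunk and worth confirming, since a stale socket unit is exactly what this change intends to retire.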
@@ -631,9 +662,7 @@ exit 0
%{_datadir}/cups/
%exclude %{_datadir}/cups/ppdc/
%if 0%{?have_systemd}
-%{_unitdir}/cups.path
%{_unitdir}/cups.service
-%{_unitdir}/cups.socket
%{_tmpfilesdir}/cups.conf
%endif