On 08/11/2016 10:18 AM, antoine(a)nagafix.co.uk wrote:
xpra printer forwarding works by adding a PDF or PS virtual printer via a cups backend.
This cups backend then connects to the local xpra server via a unix domain socket and the server then forwards the PDF or PS file to the xpra client for printing.

The problem is connecting to the xpra server socket, which is currently forbidden by the core policy.
Here's what we have to add to make it work at the moment with the server socket in "~/.xpra/":

    userdom_manage_user_home_content_files(cupsd_t)
    userdom_manage_user_home_content_symlinks(cupsd_t)
    userdom_manage_user_home_content_pipes(cupsd_t)
    userdom_manage_user_home_content_sockets(cupsd_t)

Alternatively, if that helps, we can also place the server socket in /run/user/$UID/xpra, but then we still get:

    type=AVC msg=audit(1470902846.451:911): avc: denied { write } for pid=9644 comm="xpra" name="desktop-100" dev="tmpfs" ino=74293 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
    type=AVC msg=audit(1470902846.451:912): avc: denied { connectto } for pid=9644 comm="xpra" path="/run/user/1000/xpra/desktop-100" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1

What is the preferred way forward to allow users to have both selinux in enforcing mode and printing to work with xpra by default?
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org

We could try to label xpra by a label to get it running in a different CUPS domain.

What is a path to xpra?

What does

    chcon -t cups_pdf_exec_t PATHTO/xpra
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.