cups-pdf && SELinux problem running

Daniel J Walsh dwalsh at redhat.com
Wed Feb 1 17:17:01 UTC 2006


Samuel Díaz García wrote:
> Using your help, I had done this:
>
> audit2why < /var/log/audit/audit.log | audit2allow
>
> With this result:
>
> allow auditd_t var_log_t:file { append getattr };
> allow cardmgr_t apmd_t:file { getattr read };
> allow cardmgr_t apmd_t:lnk_file read;
> allow cardmgr_t crond_t:file { getattr read };
> allow cardmgr_t crond_t:lnk_file read;
> allow cardmgr_t inetd_t:file { getattr read };
> allow cardmgr_t inetd_t:lnk_file read;
> allow cardmgr_t init_t:file { getattr read };
> allow cardmgr_t init_t:lnk_file read;
> allow cardmgr_t initrc_t:file { getattr read };
> allow cardmgr_t initrc_t:lnk_file read;
> allow cardmgr_t kernel_t:file { getattr read };
> allow cardmgr_t kernel_t:lnk_file read;
> allow cardmgr_t src_t:dir search;
> allow cardmgr_t udev_t:file { getattr read };
> allow cardmgr_t udev_t:lnk_file read;
> allow cardmgr_t unconfined_t:file { getattr read };
> allow cardmgr_t unconfined_t:lnk_file read;
> allow cardmgr_t xserver_log_t:dir search;
> allow consoletype_t tmp_t:chr_file read;
> allow cupsd_config_t unconfined_t:fifo_file write;
> allow cupsd_t home_root_t:dir search;
> allow cupsd_t urandom_device_t:chr_file ioctl;
> allow cupsd_t user_home_dir_t:dir { add_name write };
> allow cupsd_t user_home_dir_t:file { create getattr setattr write };
> allow cupsd_t var_spool_t:dir { add_name remove_name write };
> allow cupsd_t var_spool_t:file { create getattr read setattr unlink write };
> allow dhcpc_t tmp_t:chr_file read;
> allow fsadm_t dosfs_t:file getattr;
> allow getty_t var_log_t:file { lock write };
> allow hald_t mnt_t:dir { getattr read };
> allow hald_t tty_device_t:chr_file ioctl;
> allow hald_t usr_t:file { execute execute_no_trans ioctl };
> allow hald_t var_lib_nfs_t:dir search;
> allow httpd_t crond_t:fifo_file read;
> allow ifconfig_t tmp_t:chr_file read;
> allow ifconfig_t unconfined_t:fifo_file { read write };
> allow updfstab_t dosfs_t:dir search;
> allow updfstab_t dosfs_t:file getattr;
Could you attach your audit.log? Looks like you might have a 
labeling problem. 
Also what version of policy are you running?
What platform?

>
> The question now is:
>
> Where do I need to put all this?
>
>
> Thanks
>
>
> Daniel J Walsh wrote:
>> Paul Howarth wrote:
>>> Samuel Díaz García wrote:
>>>> Yes, cups-pdf is a "virtual printer" that prints the output into pdf 
>>>> files. Those pdf files are saved by cups-pdf into the user's home 
>>>> directory.
>>>>
>>>> As you rightly said, I need to allow cups to write into those 
>>>> directories (including /root) or into a $HOME/cups-pdf-docs 
>>>> directory, to deny cups full control over the $HOME directory.
>>>>
>>>> If I remember well, cups is launched as the root user (a test I 
>>>> had done some days ago because it was a "cups-pdf" prerequisite - 
>>>> I don't remember now).
>>>>
>>>> How can I solve the issue with home directories?
>>>>
>>>> If anybody knows how, I would like to solve the problem in this 
>>>> form:
>>>>    1) Allowing cups to write into home directories or a specific 
>>>> subdirectory in $HOME.
>>>>    2) Enabling SELinux as restrictively as I can (it is my laptop and I 
>>>> want to learn more about SELinux and app issues).
>>>
>>> As a start you might try:
>>>
>>> # setsebool -P cupsd_disable_trans 1
>>>
>>> This would turn off SELinux protection for the cups daemon, whilst 
>>> leaving you able to have SELinux turned on for everything else.
>>>
>>> An alternative that might be worth trying would be to change the 
>>> context of any directories you want cups to be able to write to, 
>>> something like:
>>>
>>> # chcon -t print_spool_t $HOME/cups-pdf-doc
>>>
>>> Not sure if that'll work though.
>>>
>> I kind of like that solution.  See what avc messages you get and we 
>> could maybe add a boolean to allow searching of the users homedirs 
>> for this directory.
>>> Paul.
>>>
>>
>>
>>
>
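The audit2allow output quoted in this thread is a transcript of every denial, not a policy to load wholesale; what a reviewer wants to know is which of those rules would let cupsd_t modify users' home directories, the very access Paul and Dan are discussing. The script below is an added example, not code from this thread or from the SELinux tools: it parses audit2allow-style allow rules (a constructed subset of the ones quoted above, one of them wrapped across lines as mail does) and flags rules that grant write-type permissions on home directory types.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the audit2allow rules quoted in the thread.
SAMPLE_RULES = """\
allow cupsd_t home_root_t:dir search;
allow cupsd_t user_home_dir_t:dir { add_name write };
allow cupsd_t user_home_dir_t:file { create getattr setattr write };
allow cupsd_t var_spool_t:file { create getattr read setattr unlink
 write };
allow cardmgr_t unconfined_t:file { getattr read };
"""

# allow <source> <target>:<class> { perm perm } ;   or   allow ... <class> perm ;
RULE_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;")

# Permissions that let a domain change content or directory entries, not just read them.
WRITE_PERMS = {"write", "append", "create", "unlink", "add_name",
               "remove_name", "setattr", "rename"}
# Types covering users' home directories (the thread's concern is a daemon writing there).
HOME_TYPES = {"home_root_t", "user_home_dir_t", "user_home_t"}


def parse_rules(text):
    """Return (source, target, class, perms) tuples from audit2allow-style output.
    Line breaks are collapsed first so a rule wrapped by a mail client still parses."""
    joined = re.sub(r"\s*\n\s*", " ", text)
    rules = []
    for m in RULE_RE.finditer(joined):
        src, tgt, cls, multi, single = m.groups()
        perms = set(multi.split()) if multi else {single}
        rules.append((src, tgt, cls, perms))
    return rules


def review(text):
    """Group rules by source domain and flag those granting write access to home types.
    Returns (rules_by_domain, flagged) where flagged lists the offending write perms."""
    by_domain = defaultdict(list)
    flagged = []
    for src, tgt, cls, perms in parse_rules(text):
        by_domain[src].append((tgt, cls, perms))
        risky = perms & WRITE_PERMS
        if tgt in HOME_TYPES and risky:
            flagged.append((src, tgt, cls, sorted(risky)))
    return dict(by_domain), flagged


if __name__ == "__main__":
    domains, hits = review(SAMPLE_RULES)
    for src, rules in domains.items():
        print(f"{src}: {len(rules)} rule(s)")
    for src, tgt, cls, perms in hits:
        print(f"REVIEW: {src} would gain {' '.join(perms)} on {tgt}:{cls}")
```

Flagged rules are the candidates for the relabelling approach Paul suggests (a dedicated directory with its own type) rather than a blanket allow on home directory types.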