Using your help, I have done this:
audit2why < /var/log/audit/audit.log | audit2allow
With this result:
allow auditd_t var_log_t:file { append getattr };
allow cardmgr_t apmd_t:file { getattr read };
allow cardmgr_t apmd_t:lnk_file read;
allow cardmgr_t crond_t:file { getattr read };
allow cardmgr_t crond_t:lnk_file read;
allow cardmgr_t inetd_t:file { getattr read };
allow cardmgr_t inetd_t:lnk_file read;
allow cardmgr_t init_t:file { getattr read };
allow cardmgr_t init_t:lnk_file read;
allow cardmgr_t initrc_t:file { getattr read };
allow cardmgr_t initrc_t:lnk_file read;
allow cardmgr_t kernel_t:file { getattr read };
allow cardmgr_t kernel_t:lnk_file read;
allow cardmgr_t src_t:dir search;
allow cardmgr_t udev_t:file { getattr read };
allow cardmgr_t udev_t:lnk_file read;
allow cardmgr_t unconfined_t:file { getattr read };
allow cardmgr_t unconfined_t:lnk_file read;
allow cardmgr_t xserver_log_t:dir search;
allow consoletype_t tmp_t:chr_file read;
allow cupsd_config_t unconfined_t:fifo_file write;
allow cupsd_t home_root_t:dir search;
allow cupsd_t urandom_device_t:chr_file ioctl;
allow cupsd_t user_home_dir_t:dir { add_name write };
allow cupsd_t user_home_dir_t:file { create getattr setattr write };
allow cupsd_t var_spool_t:dir { add_name remove_name write };
allow cupsd_t var_spool_t:file { create getattr read setattr unlink write };
allow dhcpc_t tmp_t:chr_file read;
allow fsadm_t dosfs_t:file getattr;
allow getty_t var_log_t:file { lock write };
allow hald_t mnt_t:dir { getattr read };
allow hald_t tty_device_t:chr_file ioctl;
allow hald_t usr_t:file { execute execute_no_trans ioctl };
allow hald_t var_lib_nfs_t:dir search;
allow httpd_t crond_t:fifo_file read;
allow ifconfig_t tmp_t:chr_file read;
allow ifconfig_t unconfined_t:fifo_file { read write };
allow updfstab_t dosfs_t:dir search;
allow updfstab_t dosfs_t:file getattr;
The question now is:
Where do I need to put all this?
Thanks
Daniel J Walsh wrote:
Paul Howarth wrote:
Samuel Díaz García wrote:
Yes, cups-pdf is a "virtual printer" that prints the output into pdf
files. Those pdf files are saved by cups-pdf into the user's home directory.
As you rightly said, I need to allow cups to write into those directories
(including /root) or into a $HOME/cups-pdf-docs directory, to deny
cups full control over the $HOME directory.
If I remember well, cups is launched as the root user (a test I had
done some days ago, because it was a "cups-pdf" prerequisite - I don't
remember now).
How can I solve the issue with home directories?
If anybody knows how to, I would like to solve the problem in this form:
1) Allowing cups to write into home directories or a specific
subdirectory in $HOME.
2) Enabling SELinux as restrictively as I can (it is my laptop and I want
to learn more about SELinux and application issues).
As a start you might try:
# setsebool -P cupsd_disable_trans 1
This would turn off SELinux protection for the cups daemon, whilst
leaving you able to have SELinux turned on for everything else.
An alternative that might be worth trying would be to change the
context of any directories you want cups to be able to write to,
something like:
# chcon -t print_spool_t $HOME/cups-pdf-doc
Not sure if that'll work though.
I kind of like that solution. See what avc messages you get and we
could maybe add a boolean to allow searching of the users homedirs for
this directory.
Paul.
--
Samuel Díaz García
Director Gerente
ArcosCom Wireless, S.L.L.
CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz
http://www.arcoscom.com
mailto:samueldg@xxxxxxxxxxxx
msn: samueldg@xxxxxxxxxxxx
Móvil: 651 93 72 48
Tlfn.: 956 70 13 15
Fax: 956 70 34 83
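The question at the top of the message, where the audit2allow output goes, is normally answered by turning it into a local policy module; the Python below is an added example (not code from the thread or from the SELinux tools) that parses those allow lines, keeps only the rules whose source domain you actually intend to grant (cupsd_t here, dropping the unrelated auditd_t and cardmgr_t entries rather than loading them blindly) and emits a .te file with its require block. The module name cupspdf_local and the embedded subset of rules are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the allow rules audit2allow printed in the thread.
SAMPLE_RULES = """\
allow auditd_t var_log_t:file { append getattr };
allow cardmgr_t unconfined_t:file { getattr read };
allow cupsd_t home_root_t:dir search;
allow cupsd_t user_home_dir_t:dir { add_name write };
allow cupsd_t user_home_dir_t:file { create getattr setattr write };
allow cupsd_t var_spool_t:dir { add_name remove_name write };
"""

# Matches both forms:  allow SRC TGT:CLASS { p1 p2 };   and   allow SRC TGT:CLASS p1;
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;$")


def parse_rules(text):
    """Return (source, target, class, perms) for every allow line in text."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            perms = (m.group(4) or m.group(5)).split()
            rules.append((m.group(1), m.group(2), m.group(3), tuple(sorted(perms))))
    return rules


def make_te(text, module, domain):
    """Build a .te module holding only the rules whose source domain is `domain`.

    Rules audit2allow emitted for other domains are dropped, not silently
    granted; the require block is derived from the rules that are kept.
    """
    kept = [r for r in parse_rules(text) if r[0] == domain]
    types = sorted({t for src, tgt, _, _ in kept for t in (src, tgt)})
    classes = defaultdict(set)
    for _, _, cls, perms in kept:
        classes[cls].update(perms)
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {{ {' '.join(p)} }};" for s, t, c, p in kept]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(make_te(SAMPLE_RULES, "cupspdf_local", "cupsd_t"))
```

Compile and load the result with checkmodule -M -m -o cupspdf_local.mod cupspdf_local.te, semodule_package -o cupspdf_local.pp -m cupspdf_local.mod and semodule -i cupspdf_local.pp, or let audit2allow -M do the same for you; either way, review the rules touching user_home_dir_t before loading them, since those are the ones Paul's chcon suggestion tries to avoid.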