Samuel Díaz García wrote:
Using your help, I had done this:
audit2why < /var/log/audit/audit.log | audit2allow
Whith this result:
allow auditd_t var_log_t:file { append getattr };
allow cardmgr_t apmd_t:file { getattr read };
allow cardmgr_t apmd_t:lnk_file read;
allow cardmgr_t crond_t:file { getattr read };
allow cardmgr_t crond_t:lnk_file read;
allow cardmgr_t inetd_t:file { getattr read };
allow cardmgr_t inetd_t:lnk_file read;
allow cardmgr_t init_t:file { getattr read };
allow cardmgr_t init_t:lnk_file read;
allow cardmgr_t initrc_t:file { getattr read };
allow cardmgr_t initrc_t:lnk_file read;
allow cardmgr_t kernel_t:file { getattr read };
allow cardmgr_t kernel_t:lnk_file read;
allow cardmgr_t src_t:dir search;
allow cardmgr_t udev_t:file { getattr read };
allow cardmgr_t udev_t:lnk_file read;
allow cardmgr_t unconfined_t:file { getattr read };
allow cardmgr_t unconfined_t:lnk_file read;
allow cardmgr_t xserver_log_t:dir search;
allow consoletype_t tmp_t:chr_file read;
allow cupsd_config_t unconfined_t:fifo_file write;
allow cupsd_t home_root_t:dir search;
allow cupsd_t urandom_device_t:chr_file ioctl;
allow cupsd_t user_home_dir_t:dir { add_name write };
allow cupsd_t user_home_dir_t:file { create getattr setattr write };
allow cupsd_t var_spool_t:dir { add_name remove_name write };
allow cupsd_t var_spool_t:file { create getattr read setattr unlink
write };
allow dhcpc_t tmp_t:chr_file read;
allow fsadm_t dosfs_t:file getattr;
allow getty_t var_log_t:file { lock write };
allow hald_t mnt_t:dir { getattr read };
allow hald_t tty_device_t:chr_file ioctl;
allow hald_t usr_t:file { execute execute_no_trans ioctl };
allow hald_t var_lib_nfs_t:dir search;
allow httpd_t crond_t:fifo_file read;
allow ifconfig_t tmp_t:chr_file read;
allow ifconfig_t unconfined_t:fifo_file { read write };
allow updfstab_t dosfs_t:dir search;
allow updfstab_t dosfs_t:file getattr;
Could you attach your audit.log? Looks like you might have some
labeling problem.
Also what version of policy are you running?
What platform?
The question now is:
¿Where need I put all this?
Thanks
Daniel J Walsh wrote:
Paul Howarth wrote:
Samuel Díaz García wrote:
Yes, cups-pdf is a "virtual printer" thar prints the ouput into pdf
files. That pdf files are saved by cups-pdf into user's home
directory.
As you said fine, I need to allow cups to write into that
directories (including /root) or into a $HOME/cups-pdf-docs
directory to disallow cups all control over $HOME directory.
If I remember well, cups is launched as root user (where a test I
had done some days ago because were a "cups-pdf" prerrequisite -
don't remember now).
How can I solve the issue with home directories?
If anybody knows how to, I would like to solve the problem in this
form:
1) Allowing cups writing into home directories or especific
subdirectory into $HOME.
2) Enablilng SELinux as restrictive I can (is my laptop and I
want to learn a more about SELinux and apps issues.
As a start you might try:
# setsebool -P cupsd_disable_trans 1
This would turn off SELinux protection for the cups daemon, whilst
leaving you able to have SELinux turned on for everything else.
An alternative that might be worth trying would be to change the
context of any directories you want cups to be able to write to,
something like:
# chcon -t print_spool_t $HOME/cups-pdf-doc
Not sure if that'll work though.
I kind of like that solution. See what avc messages you get and we
could maybe add a boolean to allow searching of the users homedirs
for this directory.
Paul.