Re: cups-pdf && SELinux problem running

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Samuel Díaz García wrote:
Using your help, I had done this:

audit2why < /var/log/audit/audit.log | audit2allow

Whith this result:

allow auditd_t var_log_t:file { append getattr };
allow cardmgr_t apmd_t:file { getattr read };
allow cardmgr_t apmd_t:lnk_file read;
allow cardmgr_t crond_t:file { getattr read };
allow cardmgr_t crond_t:lnk_file read;
allow cardmgr_t inetd_t:file { getattr read };
allow cardmgr_t inetd_t:lnk_file read;
allow cardmgr_t init_t:file { getattr read };
allow cardmgr_t init_t:lnk_file read;
allow cardmgr_t initrc_t:file { getattr read };
allow cardmgr_t initrc_t:lnk_file read;
allow cardmgr_t kernel_t:file { getattr read };
allow cardmgr_t kernel_t:lnk_file read;
allow cardmgr_t src_t:dir search;
allow cardmgr_t udev_t:file { getattr read };
allow cardmgr_t udev_t:lnk_file read;
allow cardmgr_t unconfined_t:file { getattr read };
allow cardmgr_t unconfined_t:lnk_file read;
allow cardmgr_t xserver_log_t:dir search;
allow consoletype_t tmp_t:chr_file read;
allow cupsd_config_t unconfined_t:fifo_file write;
allow cupsd_t home_root_t:dir search;
allow cupsd_t urandom_device_t:chr_file ioctl;
allow cupsd_t user_home_dir_t:dir { add_name write };
allow cupsd_t user_home_dir_t:file { create getattr setattr write };
allow cupsd_t var_spool_t:dir { add_name remove_name write };
allow cupsd_t var_spool_t:file { create getattr read setattr unlink write };
allow dhcpc_t tmp_t:chr_file read;
allow fsadm_t dosfs_t:file getattr;
allow getty_t var_log_t:file { lock write };
allow hald_t mnt_t:dir { getattr read };
allow hald_t tty_device_t:chr_file ioctl;
allow hald_t usr_t:file { execute execute_no_trans ioctl };
allow hald_t var_lib_nfs_t:dir search;
allow httpd_t crond_t:fifo_file read;
allow ifconfig_t tmp_t:chr_file read;
allow ifconfig_t unconfined_t:fifo_file { read write };
allow updfstab_t dosfs_t:dir search;
allow updfstab_t dosfs_t:file getattr;
Could you attach your audit.log? Looks like you might have some labeling problem. Also what version of policy are you running?
What platform?


The question now is:

¿Where need I put all this?


Thanks


Daniel J Walsh wrote:
Paul Howarth wrote:
Samuel Díaz García wrote:
Yes, cups-pdf is a "virtual printer" thar prints the ouput into pdf files. That pdf files are saved by cups-pdf into user's home directory.

As you said fine, I need to allow cups to write into that directories (including /root) or into a $HOME/cups-pdf-docs directory to disallow cups all control over $HOME directory.

If I remember well, cups is launched as root user (where a test I had done some days ago because were a "cups-pdf" prerrequisite - don't remember now).

How can I solve the issue with home directories?

If anybody knows how to, I would like to solve the problem in this form: 1) Allowing cups writing into home directories or especific subdirectory into $HOME. 2) Enablilng SELinux as restrictive I can (is my laptop and I want to learn a more about SELinux and apps issues.

As a start you might try:

# setsebool -P cupsd_disable_trans 1

This would turn off SELinux protection for the cups daemon, whilst leaving you able to have SELinux turned on for everything else.

An alternative that might be worth trying would be to change the context of any directories you want cups to be able to write to, something like:

# chcon -t print_spool_t $HOME/cups-pdf-doc

Not sure if that'll work though.

I kind of like that solution. See what avc messages you get and we could maybe add a boolean to allow searching of the users homedirs for this directory.
Paul.









[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux