cups-pdf && SELinux problem running

Samuel Díaz García samueldg at arcoscom.com
Fri Feb 3 21:58:13 UTC 2006


Did you receive the e-mail with all the explanations and the attached .tar.gz file 
with the required log?

Thanks

Daniel J Walsh wrote:
> Samuel Díaz García wrote:
>> Using your help, I had done this:
>>
>> audit2why < /var/log/audit/audit.log | audit2allow
>>
>> With this result:
>>
>> allow auditd_t var_log_t:file { append getattr };
>> allow cardmgr_t apmd_t:file { getattr read };
>> allow cardmgr_t apmd_t:lnk_file read;
>> allow cardmgr_t crond_t:file { getattr read };
>> allow cardmgr_t crond_t:lnk_file read;
>> allow cardmgr_t inetd_t:file { getattr read };
>> allow cardmgr_t inetd_t:lnk_file read;
>> allow cardmgr_t init_t:file { getattr read };
>> allow cardmgr_t init_t:lnk_file read;
>> allow cardmgr_t initrc_t:file { getattr read };
>> allow cardmgr_t initrc_t:lnk_file read;
>> allow cardmgr_t kernel_t:file { getattr read };
>> allow cardmgr_t kernel_t:lnk_file read;
>> allow cardmgr_t src_t:dir search;
>> allow cardmgr_t udev_t:file { getattr read };
>> allow cardmgr_t udev_t:lnk_file read;
>> allow cardmgr_t unconfined_t:file { getattr read };
>> allow cardmgr_t unconfined_t:lnk_file read;
>> allow cardmgr_t xserver_log_t:dir search;
>> allow consoletype_t tmp_t:chr_file read;
>> allow cupsd_config_t unconfined_t:fifo_file write;
>> allow cupsd_t home_root_t:dir search;
>> allow cupsd_t urandom_device_t:chr_file ioctl;
>> allow cupsd_t user_home_dir_t:dir { add_name write };
>> allow cupsd_t user_home_dir_t:file { create getattr setattr write };
>> allow cupsd_t var_spool_t:dir { add_name remove_name write };
>> allow cupsd_t var_spool_t:file { create getattr read setattr unlink 
>> write };
>> allow dhcpc_t tmp_t:chr_file read;
>> allow fsadm_t dosfs_t:file getattr;
>> allow getty_t var_log_t:file { lock write };
>> allow hald_t mnt_t:dir { getattr read };
>> allow hald_t tty_device_t:chr_file ioctl;
>> allow hald_t usr_t:file { execute execute_no_trans ioctl };
>> allow hald_t var_lib_nfs_t:dir search;
>> allow httpd_t crond_t:fifo_file read;
>> allow ifconfig_t tmp_t:chr_file read;
>> allow ifconfig_t unconfined_t:fifo_file { read write };
>> allow updfstab_t dosfs_t:dir search;
>> allow updfstab_t dosfs_t:file getattr;
> Could you attach your audit.log?  Looks like you might have some 
> labeling problem. Also what version of policy are you running?
> What platform?
> 
>>
>> The question now is:
>>
>> Where do I need to put all this?
>>
>>
>> Thanks
>>
>>
>> Daniel J Walsh wrote:
>>> Paul Howarth wrote:
>>>> Samuel Díaz García wrote:
>>>>> Yes, cups-pdf is a "virtual printer" that prints the output into PDF 
>>>>> files. Those PDF files are saved by cups-pdf into the user's home 
>>>>> directory.
>>>>>
>>>>> As you rightly said, I need to allow cups to write into those 
>>>>> directories (including /root) or into a $HOME/cups-pdf-docs 
>>>>> directory, to deny cups full control over the $HOME directory.
>>>>>
>>>>> If I remember well, cups is launched as the root user (a test I 
>>>>> had done some days ago, because it was a "cups-pdf" prerequisite - 
>>>>> I don't remember now).
>>>>>
>>>>> How can I solve the issue with home directories?
>>>>>
>>>>> If anybody knows how to, I would like to solve the problem in this 
>>>>> form:
>>>>>    1) Allowing cups to write into home directories or into a specific 
>>>>> subdirectory of $HOME.
>>>>>    2) Enabling SELinux as restrictively as I can (it is my laptop and I 
>>>>> want to learn more about SELinux and application issues).
>>>>
>>>> As a start you might try:
>>>>
>>>> # setsebool -P cupsd_disable_trans 1
>>>>
>>>> This would turn off SELinux protection for the cups daemon, whilst 
>>>> leaving you able to have SELinux turned on for everything else.
>>>>
>>>> An alternative that might be worth trying would be to change the 
>>>> context of any directories you want cups to be able to write to, 
>>>> something like:
>>>>
>>>> # chcon -t print_spool_t $HOME/cups-pdf-doc
>>>>
>>>> Not sure if that'll work though.
>>>>
>>> I kind of like that solution.  See what avc messages you get and we 
>>> could maybe add a boolean to allow searching of the users homedirs 
>>> for this directory.
>>>> Paul.
>>>>
>>>
>>>
>>>
>>
> 
> 
> 

-- 
    Samuel Díaz García
     Managing Director
ArcosCom Wireless, S.L.L.

CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz

http://www.arcoscom.com

mailto:samueldg at arcoscom.com
msn: samueldg at arcoscom.com

Mobile: 651 93 72 48
Tel.:  956 70 13 15
Fax:   956 70 34 83
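
The quoted exchange asks where the audit2allow output should go, and Dan Walsh warns that the cardmgr_t rules look like a labeling problem rather than something to allow. The script below is an added example, not code from the thread or from any of the posters: it re-derives "allow src tgt:class { perms };" lines from raw AVC denials with plain awk, so the rules can be read and, more importantly, scoped to one source domain before anything is loaded. It assumes the audit.log AVC line format (`avc:  denied  { perms }`, `scontext=`, `tcontext=`, `tclass=`); the log lines in `sample_avc_log`, including pids, inodes and device names, are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): turn raw AVC denials into the
# "allow src tgt:class { perms };" lines audit2allow prints, and let the
# caller restrict them to one source domain.

# Constructed audit.log excerpt: cupsd_t denied while writing a PDF into a
# home directory (one denial repeated), plus one unrelated cardmgr_t denial.
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1138900000.101:21): avc:  denied  { search } for  pid=2345 comm="cupsd" name="home" dev=hda3 ino=2 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1138900000.102:22): avc:  denied  { write } for  pid=2345 comm="cupsd" name="samuel" dev=hda3 ino=1001 scontext=system_u:system_r:cupsd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1138900000.103:23): avc:  denied  { add_name } for  pid=2345 comm="cupsd" name="doc.pdf" dev=hda3 ino=1001 scontext=system_u:system_r:cupsd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1138900000.104:24): avc:  denied  { write } for  pid=2345 comm="cupsd" name="samuel" dev=hda3 ino=1001 scontext=system_u:system_r:cupsd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1138900000.105:25): avc:  denied  { create } for  pid=2345 comm="cupsd" name="doc.pdf" dev=hda3 ino=1002 scontext=system_u:system_r:cupsd_t tcontext=user_u:object_r:user_home_dir_t tclass=file
type=AVC msg=audit(1138900000.106:26): avc:  denied  { read } for  pid=987 comm="cardmgr" name="init" dev=hda3 ino=77 scontext=system_u:system_r:cardmgr_t tcontext=system_u:object_r:init_t tclass=file
EOF
}

# avc_to_allow [source_domain]
# Reads audit lines on stdin and prints one allow rule per
# (source type, target type, object class) with the permissions
# deduplicated and sorted, the way audit2allow prints them. An optional
# source domain (e.g. cupsd_t) drops denials from every other domain, so a
# policy module only covers the service actually being debugged.
avc_to_allow() {
    awk -v want="${1:-}" '
        # The third colon-separated field of a security context is its type.
        function ctx_type(line, label,    s, parts) {
            match(line, label "[^ ]+")
            s = substr(line, RSTART + length(label), RLENGTH - length(label))
            split(s, parts, ":")
            return parts[3]
        }
        /type=AVC/ && /avc:  denied/ {
            src = ctx_type($0, "scontext=")
            if (want != "" && src != want) next
            tgt = ctx_type($0, "tcontext=")
            match($0, /tclass=[^ ]+/)
            cls = substr($0, RSTART + 7, RLENGTH - 7)
            # Permissions are the words between the braces.
            match($0, /[{][^}]*[}]/)
            n = split(substr($0, RSTART + 1, RLENGTH - 2), perm, " ")
            for (i = 1; i <= n; i++) print src, tgt ":" cls, perm[i]
        }' |
    LC_ALL=C sort -u |
    awk '
        function emit(k, p) {
            if (index(p, " ")) print "allow " k " { " p " };"
            else print "allow " k " " p ";"
        }
        {
            key = $1 " " $2
            if (key == prev) { acc = acc " " $3; next }
            if (prev != "") emit(prev, acc)
            prev = key; acc = $3
        }
        END { if (prev != "") emit(prev, acc) }'
}

# Usage: scope the rules to cupsd_t; the cardmgr_t denial is left out.
sample_avc_log | avc_to_allow cupsd_t
```

Run as-is it prints the three cupsd_t rules that match the thread's own output (`allow cupsd_t home_root_t:dir search;` and so on); run without the domain argument it also prints the cardmgr_t rule. On a system with the policy tools, the real path from here is `audit2allow -i /var/log/audit/audit.log -M cupspdf_local` followed by `semodule -i cupspdf_local.pp`, but rules like cardmgr_t reading init_t files are the symptom Dan Walsh points at: a relabel (`restorecon -R` on the affected paths) is the fix there, not an allow rule. Likewise, an allow on user_home_dir_t gives cupsd write access to every home directory, which is why the `chcon -t print_spool_t` suggestion in the thread, confined to one output directory, is the tighter option.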

