cups-pdf && SELinux problem running
Samuel Díaz García
samueldg at arcoscom.com
Fri Feb 3 21:58:13 UTC 2006
Did you receive the e-mail with all the explanations and the attached .tar.gz file
with the required log?
Thanks
Daniel J Walsh wrote:
> Samuel Díaz García wrote:
>> Using your help, I have done this:
>>
>> audit2why < /var/log/audit/audit.log | audit2allow
>>
>> With this result:
>>
>> allow auditd_t var_log_t:file { append getattr };
>> allow cardmgr_t apmd_t:file { getattr read };
>> allow cardmgr_t apmd_t:lnk_file read;
>> allow cardmgr_t crond_t:file { getattr read };
>> allow cardmgr_t crond_t:lnk_file read;
>> allow cardmgr_t inetd_t:file { getattr read };
>> allow cardmgr_t inetd_t:lnk_file read;
>> allow cardmgr_t init_t:file { getattr read };
>> allow cardmgr_t init_t:lnk_file read;
>> allow cardmgr_t initrc_t:file { getattr read };
>> allow cardmgr_t initrc_t:lnk_file read;
>> allow cardmgr_t kernel_t:file { getattr read };
>> allow cardmgr_t kernel_t:lnk_file read;
>> allow cardmgr_t src_t:dir search;
>> allow cardmgr_t udev_t:file { getattr read };
>> allow cardmgr_t udev_t:lnk_file read;
>> allow cardmgr_t unconfined_t:file { getattr read };
>> allow cardmgr_t unconfined_t:lnk_file read;
>> allow cardmgr_t xserver_log_t:dir search;
>> allow consoletype_t tmp_t:chr_file read;
>> allow cupsd_config_t unconfined_t:fifo_file write;
>> allow cupsd_t home_root_t:dir search;
>> allow cupsd_t urandom_device_t:chr_file ioctl;
>> allow cupsd_t user_home_dir_t:dir { add_name write };
>> allow cupsd_t user_home_dir_t:file { create getattr setattr write };
>> allow cupsd_t var_spool_t:dir { add_name remove_name write };
>> allow cupsd_t var_spool_t:file { create getattr read setattr unlink
>> write };
>> allow dhcpc_t tmp_t:chr_file read;
>> allow fsadm_t dosfs_t:file getattr;
>> allow getty_t var_log_t:file { lock write };
>> allow hald_t mnt_t:dir { getattr read };
>> allow hald_t tty_device_t:chr_file ioctl;
>> allow hald_t usr_t:file { execute execute_no_trans ioctl };
>> allow hald_t var_lib_nfs_t:dir search;
>> allow httpd_t crond_t:fifo_file read;
>> allow ifconfig_t tmp_t:chr_file read;
>> allow ifconfig_t unconfined_t:fifo_file { read write };
>> allow updfstab_t dosfs_t:dir search;
>> allow updfstab_t dosfs_t:file getattr;
> Could you attach your audit.log? Looks like you might have some
> labeling problem. Also what version of policy are you running?
> What platform?
>
>>
>> The question now is:
>>
>> Where do I need to put all this?
>>
>>
>> Thanks
>>
>>
>> Daniel J Walsh wrote:
>>> Paul Howarth wrote:
>>>> Samuel Díaz García wrote:
>>>>> Yes, cups-pdf is a "virtual printer" that prints the output into PDF
>>>>> files. Those PDF files are saved by cups-pdf into the user's home
>>>>> directory.
>>>>>
>>>>> As you rightly said, I need to allow cups to write into those
>>>>> directories (including /root) or into a $HOME/cups-pdf-docs
>>>>> directory, to deny cups full control over the $HOME directory.
>>>>>
>>>>> If I remember well, cups is launched as the root user (a test I
>>>>> had done some days ago because it was a "cups-pdf" prerequisite -
>>>>> I don't remember now).
>>>>>
>>>>> How can I solve the issue with home directories?
>>>>>
>>>>> If anybody knows how to, I would like to solve the problem in this
>>>>> form:
>>>>> 1) Allowing cups to write into home directories or into a specific
>>>>> subdirectory of $HOME.
>>>>> 2) Enabling SELinux as restrictively as I can (it is my laptop and I
>>>>> want to learn more about SELinux and application issues).
>>>>
>>>> As a start you might try:
>>>>
>>>> # setsebool -P cupsd_disable_trans 1
>>>>
>>>> This would turn off SELinux protection for the cups daemon, whilst
>>>> leaving you able to have SELinux turned on for everything else.
>>>>
>>>> An alternative that might be worth trying would be to change the
>>>> context of any directories you want cups to be able to write to,
>>>> something like:
>>>>
>>>> # chcon -t print_spool_t $HOME/cups-pdf-doc
>>>>
>>>> Not sure if that'll work though.
>>>>
>>> I kind of like that solution. See what avc messages you get and we
>>> could maybe add a boolean to allow searching of the users homedirs
>>> for this directory.
>>>> Paul.
>>>>
>>>
>>>
>>>
>>
>
>
>
--
Samuel Díaz García
Director Gerente
ArcosCom Wireless, S.L.L.
CIF: B11828068
c/ Romero Gago, 19
Arcos de la Frontera
11630 - Cadiz
http://www.arcoscom.com
mailto:samueldg at arcoscom.com
msn: samueldg at arcoscom.com
Móvil: 651 93 72 48
Tlfn.: 956 70 13 15
Fax: 956 70 34 83
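As an added example (not code from the thread or from the SELinux tools): a small Python script that parses AVC records in the audit.log format of this era, counts denials per source domain, and merges only one domain's denials into audit2allow-style rules. Piping the whole audit.log through audit2allow mixes cups-pdf's home-directory denials with unrelated cardmgr_t, hald_t and similar denials (the labeling problem Dan points at); filtering on cupsd_t first keeps the review small. The sample records are constructed.

```python
"""Triage SELinux AVC denials per source domain before generating policy."""
import re
from collections import defaultdict

# Constructed sample records in the 2006-era audit.log format (not real log data).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1138992000.101:11): avc:  denied  { search } for  pid=2231 comm="cups-pdf" name="home" dev=hda2 ino=12 scontext=root:system_r:cupsd_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1138992000.102:12): avc:  denied  { write add_name } for  pid=2231 comm="cups-pdf" name="samuel" dev=hda2 ino=99 scontext=root:system_r:cupsd_t tcontext=user_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1138992000.103:13): avc:  denied  { create } for  pid=2231 comm="cups-pdf" name="job.pdf" scontext=root:system_r:cupsd_t tcontext=root:object_r:user_home_dir_t tclass=file
type=AVC msg=audit(1138992000.104:14): avc:  denied  { getattr read } for  pid=1540 comm="cardmgr" name="init" scontext=root:system_r:cardmgr_t tcontext=system_u:object_r:init_t tclass=file
type=SYSCALL msg=audit(1138992000.104:14): arch=40000003 syscall=5 success=no exit=-13
"""

# Only the fields needed to build an allow rule: permissions, contexts, class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        stype = m.group('scon').split(':')[2]   # user:role:type[:level]
        ttype = m.group('tcon').split(':')[2]
        yield stype, ttype, m.group('tclass'), set(m.group('perms').split())


def denials_by_domain(text):
    """Count denials per source domain; many unrelated domains hint at mislabeling."""
    counts = defaultdict(int)
    for stype, _, _, _ in parse_avc(text):
        counts[stype] += 1
    return dict(counts)


def allow_rules_for(text, domain):
    """Merge one domain's denials into audit2allow-style rule lines for review."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        if stype == domain:
            merged[(ttype, tclass)] |= perms
    rules = []
    for (ttype, tclass), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        body = f'{{ {p} }}' if len(perms) > 1 else p
        rules.append(f'allow {domain} {ttype}:{tclass} {body};')
    return rules
```

Feed only the reviewed lines to audit2allow -M to build a module; each remaining rule should be checked against the file's label with ls -Z before it is allowed.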