cups-pdf && SELinux problem running
Samuel Díaz García
samueldg at arcoscom.com
Wed Feb 1 15:13:30 UTC 2006
Using your help, I did this:
audit2why < /var/log/audit/audit.log | audit2allow
With this result:
allow auditd_t var_log_t:file { append getattr };
allow cardmgr_t apmd_t:file { getattr read };
allow cardmgr_t apmd_t:lnk_file read;
allow cardmgr_t crond_t:file { getattr read };
allow cardmgr_t crond_t:lnk_file read;
allow cardmgr_t inetd_t:file { getattr read };
allow cardmgr_t inetd_t:lnk_file read;
allow cardmgr_t init_t:file { getattr read };
allow cardmgr_t init_t:lnk_file read;
allow cardmgr_t initrc_t:file { getattr read };
allow cardmgr_t initrc_t:lnk_file read;
allow cardmgr_t kernel_t:file { getattr read };
allow cardmgr_t kernel_t:lnk_file read;
allow cardmgr_t src_t:dir search;
allow cardmgr_t udev_t:file { getattr read };
allow cardmgr_t udev_t:lnk_file read;
allow cardmgr_t unconfined_t:file { getattr read };
allow cardmgr_t unconfined_t:lnk_file read;
allow cardmgr_t xserver_log_t:dir search;
allow consoletype_t tmp_t:chr_file read;
allow cupsd_config_t unconfined_t:fifo_file write;
allow cupsd_t home_root_t:dir search;
allow cupsd_t urandom_device_t:chr_file ioctl;
allow cupsd_t user_home_dir_t:dir { add_name write };
allow cupsd_t user_home_dir_t:file { create getattr setattr write };
allow cupsd_t var_spool_t:dir { add_name remove_name write };
allow cupsd_t var_spool_t:file { create getattr read setattr unlink write };
allow dhcpc_t tmp_t:chr_file read;
allow fsadm_t dosfs_t:file getattr;
allow getty_t var_log_t:file { lock write };
allow hald_t mnt_t:dir { getattr read };
allow hald_t tty_device_t:chr_file ioctl;
allow hald_t usr_t:file { execute execute_no_trans ioctl };
allow hald_t var_lib_nfs_t:dir search;
allow httpd_t crond_t:fifo_file read;
allow ifconfig_t tmp_t:chr_file read;
allow ifconfig_t unconfined_t:fifo_file { read write };
allow updfstab_t dosfs_t:dir search;
allow updfstab_t dosfs_t:file getattr;
The question now is:
Where do I need to put all this?
Thanks
Daniel J Walsh wrote:
> Paul Howarth wrote:
>> Samuel Díaz García wrote:
>>> Yes, cups-pdf is a "virtual printer" that prints the output into PDF
>>> files. Those PDF files are saved by cups-pdf into the user's home directory.
>>>
>>> As you rightly said, I need to allow cups to write into those directories
>>> (including /root) or into a $HOME/cups-pdf-docs directory to deny
>>> cups full control over the $HOME directory.
>>>
>>> If I remember well, cups is launched as the root user (there was a test I
>>> did some days ago because it was a "cups-pdf" prerequisite - I don't
>>> remember now).
>>>
>>> How can I solve the issue with home directories?
>>>
>>> If anybody knows how to, I would like to solve the problem in this way:
>>> 1) Allowing cups to write into home directories or a specific
>>> subdirectory in $HOME.
>>> 2) Enabling SELinux as restrictively as I can (it is my laptop and I want
>>> to learn more about SELinux and app issues).
>>
>> As a start you might try:
>>
>> # setsebool -P cupsd_disable_trans 1
>>
>> This would turn off SELinux protection for the cups daemon, whilst
>> leaving you able to have SELinux turned on for everything else.
>>
>> An alternative that might be worth trying would be to change the
>> context of any directories you want cups to be able to write to,
>> something like:
>>
>> # chcon -t print_spool_t $HOME/cups-pdf-doc
>>
>> Not sure if that'll work though.
>>
> I kind of like that solution. See what avc messages you get and we
> could maybe add a boolean to allow searching of the users homedirs for
> this directory.
>> Paul.
>>
>
>
>
--
Samuel Díaz García
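An added example, not part of the original message or of any poster's reply: the audit2allow output above mixes denials from many unrelated domains (cardmgr_t, hald_t, httpd_t, ...), so one way to handle it is to keep only the rules for the domain under investigation and put them in a small local policy module for review. The sketch assumes a system with modular policy tooling; the module name `localcupspdf` and the function names are hypothetical, and the sample input is a constructed subset of the lines quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the audit2allow lines quoted in the message.
SAMPLE = """\
allow cardmgr_t apmd_t:file { getattr read };
allow cupsd_t home_root_t:dir search;
allow cupsd_t urandom_device_t:chr_file ioctl;
allow cupsd_t user_home_dir_t:dir { add_name write };
allow cupsd_t user_home_dir_t:file { create getattr setattr write };
allow hald_t usr_t:file { execute execute_no_trans ioctl };
"""

# allow <source> <target>:<class> <perm>;   or   ... { <perm> <perm> ... };
RULE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]*)\}|(\w+))\s*;$")

def parse_rules(text):
    """Yield (source, target, class, [perms]) for each well-formed allow rule."""
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m:
            src, tgt, cls, braced, single = m.groups()
            yield src, tgt, cls, (braced.split() if braced else [single])

def build_module(text, domain, name):
    """Return .te source holding only the rules whose source type is `domain`."""
    types, classes, allows = {domain}, defaultdict(set), []
    for src, tgt, cls, perms in parse_rules(text):
        if src != domain:
            continue  # denials from other domains are reviewed separately
        types.add(tgt)
        classes[cls].update(perms)
        allows.append(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    # The require block must declare every type, class and permission used.
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + allows
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # "localcupspdf" is a hypothetical module name chosen for this example.
    print(build_module(SAMPLE, "cupsd_t", "localcupspdf"))
```

The printed text is a `.te` source file that can be read rule by rule before it is compiled with `checkmodule` and `semodule_package` and loaded with `semodule -i`. Rules on broad types such as `user_home_dir_t` grant cupsd write access to every home directory, which is the case the relabelled-subdirectory suggestion quoted above is meant to avoid.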