PS: Now I found this:
type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) :
proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64
syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1
a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418
auid=unset uid=lighttpd gid=lighttpd euid=root suid=root fsuid=root
egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=sendmail
exe=/usr/sbin/exim subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied { setgid } for
pid=19418 comm=sendmail capability=setgid
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 syscall=open
success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 a3=0x9 items=0
ppid=27605 pid=27633 auid=unset uid=lighttpd gid=lighttpd euid=lighttpd
suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd
tty=(none) ses=unset comm=lpr exe=/usr/bin/lpr.cups
subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { open } for
pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" ino=153957
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { read } for
pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957
scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
So I can see that sending email and printing were denied -- which I already
found out -- and I don't have any idea how to allow it.

hw wrote:
> Johnny Hughes wrote:
>> On 09/20/2017 07:19 AM, hw wrote:
>>> hw wrote:
>>>>
>>>> Hi,
>>>>
>>>> how do I allow CGI programs to print (using
>>>> 'lpr -P some-printer some-file.pdf') when lighttpd is being used
>>>> for a web server?
>>>>
>>>> When selinux is permissive, the printer prints; when it's enforcing,
>>>> the printer does not print, and I'm getting the log message
>>>> '/bin/lpr: Permission denied'.
>>>>
>>>> 'getsebool -a | grep http' doesn't show any boolean I could make out
>>>> to be responsible for this.
>>>>
>>>> Any idea what I need to do/change to allow printing without disabling
>>>> selinux?
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> lists.centos.org/mailman/listinfo/centos
>>>
>>> Nobody knows?
>>
>>
>> Look in your audit logs while in permissive mode and you should see the
>> issue in there, the wiki has details:
>>
>> wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b
>
> Thanks! I'm guessing I'm supposed to use ausearch to search for something, and
> I don't know what to search for.
>
> So far, lighttpd can not print and can not send emails (using MIME::Lite) unless
> selinux is permissive. Using
>
> 'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'
>
> , I only get
>
>
> type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) :
> proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
> type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64
> syscall=open success=no exit=EACCES(Permission denied) a0=0x559fc8094740
> a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 a3=0x7 items=0
> ppid=1 pid=14081 auid=unset uid=root gid=root euid=root suid=root fsuid=root
> egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lighttpd
> exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc: denied { write }
> for pid=14081 comm=lighttpd name=www dev="sda2" ino=64608
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
>
> Any idea what I would need to search for, or how to figure out what I would
> need to allow?
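
Added example, not part of the original thread: a small Python parser for AVC lines in the `ausearch -i` format quoted above. It groups denials by command name and SELinux type, which makes visible that the printing and mail denials are logged under `comm=lpr` and `comm=sendmail` in the `httpd_sys_script_t` domain. The function names are hypothetical, and the sample input is the AVC records from the messages above rejoined onto single lines.

```python
import re
from collections import defaultdict

# AVC records copied from the messages above, rejoined onto single lines
# (ausearch -i output format). Used here as offline sample input.
SAMPLE = """\
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied { setgid } for pid=19418 comm=sendmail capability=setgid scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { open } for pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { read } for pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc: denied { write } for pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm", "").strip('"'),
        "source": fields["scontext"].split(":")[2],  # SELinux type of the process
        "target": fields["tcontext"].split(":")[2],  # SELinux type of the object
        "tclass": fields["tclass"],
    }

def summarize(text):
    """Group denials by (comm, source, target, class), merging permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["comm"], rec["source"], rec["target"], rec["tclass"])
            groups[key].update(rec["perms"])
    return {k: sorted(v) for k, v in groups.items()}

def candidate_rules(text):
    """Render each group as an allow-rule string for review before any policy change."""
    rules = []
    for (comm, src, tgt, cls), perms in sorted(summarize(text).items()):
        tgt = "self" if tgt == src else tgt
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};  # comm={comm}")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
```

The rule strings are a reading aid for the denials, to be reviewed one by one rather than loaded as a policy module unchanged.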