PS: Now I found this:

type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=sendmail exe=/usr/sbin/exim subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied { setgid } for pid=19418 comm=sendmail capability=setgid scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability

type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 syscall=open success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 a3=0x9 items=0 ppid=27605 pid=27633 auid=unset uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=lpr exe=/usr/bin/lpr.cups subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { open } for pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { read } for pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

So I can see that sending email and printing was denied -- which I already found out --- and I don't have any idea how to allow it.
hw wrote:
> Johnny Hughes wrote:
>> On 09/20/2017 07:19 AM, hw wrote:
>>> hw wrote:
>>>>
>>>> Hi,
>>>>
>>>> how do I allow CGI programs to print (using 'lpr -P some-printer some-file.pdf') when
>>>> lighttpd is being used for a web server?
>>>>
>>>> When selinux is permissive, the printer prints; when it's enforcing, the printer
>>>> does not print, and I'm getting the log message '/bin/lpr: Permission denied'.
>>>>
>>>> 'getsebool -a | grep http' doesn't show any boolean I could make out to be responsible
>>>> for this.
>>>>
>>>> Any idea what I need to do/change to allow printing without disabling selinux?
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> https://lists.centos.org/mailman/listinfo/centos
>>>
>>> Nobody knows?
>>
>> Look in your audit logs while in permissive mode and you should see the
>> issue in there, the wiki has details:
>>
>> https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b
>
> Thanks! I'm guessing I'm supposed to use ausearch to search for something, and
> I don't know what to search for.
>
> So far, lighttpd can not print and can not send emails (using MIME::Lite) unless
> selinux is permissive. Using
>
> 'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'
>
> , I only get
>
> type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
> type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x559fc8094740 a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 a3=0x7 items=0 ppid=1 pid=14081 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lighttpd exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc: denied { write } for pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> Any idea what I would need to search for, or how to figure out what I would
> need to allow?
On 09/22/2017 06:58 AM, hw wrote:
> PS: Now I found this:
>
> [...]
>
> So I can see that sending email and printing was denied -- which I already
> found out --- and I don't have any idea how to allow it.
>
> [...]

First thing to enable httpd to send mail, you can turn on the send mail boolean.

# setsebool -P httpd_can_sendmail 1

The ability to print you would need to add custom rules.

# grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint
# semodule -i myprint.pp

If you get another failure on lpr, you might have to run these commands a couple of times.
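As an added example (not code from the thread, from audit2allow, or from CentOS), the following Python shows what Daniel's 'grep lpr ... | audit2allow' step derives from the AVC records hw posted: each record's source type, target type, object class and permission, merged into the allow rules the myprint module would carry. The three records are embedded as constructed sample input, and the interface lookup that the real tool does for -R is not reproduced.

```python
import re
from collections import defaultdict
# Constructed sample input: the three AVC records hw posted, in ausearch -i form.
SAMPLE_AVC = """\
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied { setgid } for pid=19418 comm=sendmail capability=setgid scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { open } for pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { read } for pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
"""
# Fields of one AVC record: permissions, program name, source/target context, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+pid=\d+\s+comm=(?P<comm>\S+).*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """system_u:system_r:httpd_sys_script_t:s0 -> httpd_sys_script_t (the type field)."""
    return context.split(":")[2]

def parse_denials(text, comm=None):
    """Return (source_type, target_type, tclass, perm) for every denial in text.
    comm restricts the input to one program, as 'grep lpr' does in the thread, so the
    sendmail denial (handled by the boolean instead) stays out of the printing module."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm is not None and m.group("comm") != comm):
            continue
        for perm in m.group("perms").split():
            out.append((type_of(m.group("scontext")), type_of(m.group("tcontext")),
                        m.group("tclass"), perm))
    return out

def allow_rules(denials):
    """Merge denials per (source, target, class) into allow rules as audit2allow prints them."""
    merged = defaultdict(set)
    for src, tgt, cls, perm in denials:
        merged[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt   # same type on both sides is written as self
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_AVC, comm="lpr")):
        print(rule)   # allow httpd_sys_script_t cupsd_rw_etc_t:file { open read };
```

Running it without the comm filter also yields the self:capability setgid rule for the sendmail denial, which is exactly the rule the grep keeps out of the custom module because the httpd_can_sendmail boolean is the intended fix for that one.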
Daniel Walsh wrote:
> On 09/22/2017 06:58 AM, hw wrote:
>> PS: Now I found this:
>>
>> [...]
>>
>> So I can see that sending email and printing was denied -- which I already
>> found out --- and I don't have any idea how to allow it.
>>
>> [...]
>
> First thing to enable httpd to send mail, you can turn on the send mail boolean.
>
> # setsebool -P httpd_can_sendmail 1

Oh I looked at these variables and somehow didn't see it.

> The ability to print you would need to add custom rules.
>
> # grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint
>
> # semodule -i myprint.pp
>
> If you get another failure on lpr, you might have to run these commands a couple of times.

Thank you very much!
Both problems are now fixed :)

However:

grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint
could not open interface info [/var/lib/sepolgen/interface_info]

I don't know what's missing, so I omitted the -R option, and it worked.