Selinux Prevents Lighttpd From Printing


Hi,

how do I allow CGI programs to print (using 'lpr -P some-printer some-file.pdf') when lighttpd is being used for a web server?

When selinux is permissive, the printer prints; when it's enforcing, the printer does not print, and I'm getting the log message '/bin/lpr: Permission denied'.

'getsebool -a | grep http' doesn't show any boolean I could make out to be responsible for this.

Any idea what I need to do/change to allow printing without disabling selinux?

7 thoughts on - Selinux Prevents Lighttpd From Printing

  • Johnny Hughes wrote:

    Thanks! I'm guessing I'm supposed to use ausearch to search for something, and I don't know what to search for.

    So far, lighttpd can not print and can not send emails (using MIME::Lite) unless selinux is permissive. Using

    'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'

    I only get

    type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
    type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x559fc8094740 a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 a3=0x7 items=0 ppid=1 pid=14081 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lighttpd exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc: denied { write } for pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

    Any idea what I would need to search for, or how to figure out what I would need to allow?

  • PS: Now I found this:

    type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
    type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 syscall=setgroups success=no exit=EPERM(Operation not permitted) a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=sendmail exe=/usr/sbin/exim subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
    type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied { setgid } for pid=19418 comm=sendmail capability=setgid scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability

    type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 syscall=open success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 a3=0x9 items=0 ppid=27605 pid=27633 auid=unset uid=lighttpd gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=lpr exe=/usr/bin/lpr.cups subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
    type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { open } for pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
    type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { read } for pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

    So I can see that sending email and printing was denied, which I already found out, and I don't have any idea how to allow it.

    hw wrote:

  • First, to enable httpd to send mail, you can turn on the sendmail boolean.

    # setsebool -P httpd_can_sendmail 1

    For the ability to print, you would need to add custom rules.

    # grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint

    # semodule -i myprint.pp

    If you get another failure on lpr, you might have to run these commands a couple of times.

  • Daniel Walsh wrote:

    Oh, I looked at these variables and somehow didn't see it.

    Thank you very much! Both problems are now fixed :)

    However:

    grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint

    could not open interface info [/var/lib/sepolgen/interface_info]

    I don't know what's missing, so I omitted the -R option, and it worked.
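To make the audit2allow step above less of a black box, here is an added example (not from the thread or from the audit2allow tool itself) that parses AVC records in the `ausearch -i` format quoted in this thread and collapses them into the plain TE allow rules audit2allow would emit without -R. It also flags write denials against read-only web content types (such as the httpd_t write to httpd_sys_content_t shown above), which are normally fixed by relabelling the directory rather than by granting the access; the sample records and the READONLY_WEB_TYPES set are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records in `ausearch -i` format, trimmed from
# the ones quoted in the thread (lighttpd dir write, sendmail setgid, lpr read).
SAMPLE_AUDIT = """\
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc: denied { write } for pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied { setgid } for pid=19418 comm=sendmail capability=setgid scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { open } for pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { read } for pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that modify a target; a denial of these against read-only web
# content types is normally fixed by relabelling, not by a new allow rule.
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "unlink", "append"}
READONLY_WEB_TYPES = {"httpd_sys_content_t"}   # assumption for this example

def type_of(ctx):
    """Return the type component (user:role:TYPE:level) of a context."""
    return ctx.split(":")[2]

def parse_avc(text):
    """Yield (perm, source_type, target_type, tclass) per denied permission."""
    for m in AVC_RE.finditer(text):
        for perm in m.group("perms").split():
            yield perm, type_of(m.group("sctx")), type_of(m.group("tctx")), m.group("tclass")

def build_rules(text):
    """Collapse denials into TE allow rules, like audit2allow's plain output."""
    groups = defaultdict(set)
    for perm, src, tgt, tclass in parse_avc(text):
        groups[(src, tgt, tclass)].add(perm)
    rules = []
    for (src, tgt, tclass), perms in sorted(groups.items()):
        target = "self" if tgt == src else tgt      # audit2allow writes self here
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {target}:{tclass} {body};")
    return rules

def relabel_candidates(text):
    """Denials better solved by relabelling the target than by an allow rule."""
    return sorted({f"{src} -> {tgt}:{tclass}" for perm, src, tgt, tclass in parse_avc(text)
                   if perm in WRITE_PERMS and tgt in READONLY_WEB_TYPES})
```

Run `build_rules(SAMPLE_AUDIT)` to see the three rules and `relabel_candidates(SAMPLE_AUDIT)` to see the one denial that should not go into a custom module.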