[CentOS] selinux prevents lighttpd from printing

Fri Sep 22 10:30:13 UTC 2017
hw <hw at gc-24.de>

Johnny Hughes wrote:
> On 09/20/2017 07:19 AM, hw wrote:
>> hw wrote:
>>> Hi,
>>> how do I allow CGI programs to print (using 'lpr -P some-printer
>>> some-file.pdf') when
>>> lighttpd is being used for a web server?
>>> When selinux is permissive, the printer prints; when it's enforcing,
>>> the printer
>>> does not print, and I'm getting the log message '/bin/lpr: Permission
>>> denied'.
>>> 'getsebool -a | grep http' doesn't show any boolean I could make out
>>> to be responsible
>>> for this.
>>> Any idea what I need to do/change to allow printing without disabling
>>> selinux?
>> Nobody knows?
> Look in your audit logs while in permissive mode and you should see the
> issue in there, the wiki has details:
> https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b

Thanks!  I'm guessing I'm supposed to use ausearch to search for something, and
I don't know what to search for.

So far, lighttpd cannot print and cannot send emails (using MIME::Lite) unless
selinux is permissive.  Using

'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'

I only get

type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 syscall=open success=no exit=EACCES(Permission denied) a0=0x559fc8094740 a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 a3=0x7 items=0 ppid=1 pid=14081 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lighttpd exe=/usr/sbin/lighttpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc:  denied  { write } for  pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir

Any idea what I would need to search for, or how to figure out what I would
need to allow?
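
Added example, not part of the original message: a small parser that reads AVC records in the interpreted `ausearch -i` format shown above and groups the denials by source type, target type and object class, so each distinct denial (and the command that triggered it) appears once. The first sample record is the one from the message; the second is constructed for illustration, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Line 1 is the AVC record quoted in the message; line 2 is CONSTRUCTED sample data.
SAMPLE = '''\
type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc:  denied  { write } for  pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(09/21/2017 14:08:41.102:560) : avc:  denied  { add_name write } for  pid=14081 comm=lighttpd name=example.tmp scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated or malformed record
    fields['perms'] = m.group(1).split()
    return fields

def se_type(context):
    """Extract the type from a user:role:type:level security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Map (source type, target type, class) -> (sorted perms, sorted comms)."""
    groups = defaultdict(lambda: {'perms': set(), 'comms': set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (se_type(rec['scontext']), se_type(rec['tcontext']), rec['tclass'])
        groups[key]['perms'].update(rec['perms'])
        groups[key]['comms'].add(rec.get('comm', '?'))
    return {k: (sorted(v['perms']), sorted(v['comms'])) for k, v in groups.items()}

if __name__ == '__main__':
    for (src, tgt, cls), (perms, comms) in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }} comm={','.join(comms)}")
```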