[CentOS] selinux prevents lighttpd from printing

Fri Sep 22 11:19:24 UTC 2017
Daniel Walsh <dwalsh at redhat.com>

On 09/22/2017 06:58 AM, hw wrote:
>
> PS: Now I found this:
>
>
> type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : 
> proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
> type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 
> syscall=setgroups success=no exit=EPERM(Operation not permitted) 
> a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 
> pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root 
> fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) 
> ses=unset comm=sendmail exe=/usr/sbin/exim 
> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc:  denied  { 
> setgid } for  pid=19418 comm=sendmail capability=setgid 
> scontext=system_u:system_r:httpd_sys_script_t:s0 
> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
>
> type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 
> syscall=open success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 
> a3=0x9 items=0 ppid=27605 pid=27633 auid=unset uid=lighttpd 
> gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd egid=lighttpd 
> sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset comm=lpr 
> exe=/usr/bin/lpr.cups subj=system_u:system_r:httpd_sys_script_t:s0 
> key=(null)
> type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied { 
> open } for  pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" 
> ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 
> tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
> type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc:  denied { 
> read } for  pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 
> scontext=system_u:system_r:httpd_sys_script_t:s0 
> tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
>
>
> So I can see that sending email and printing was denied -- which I already
> found out --- and I don't have any idea how to allow it.
>
>
> hw wrote:
>> Johnny Hughes wrote:
>>> On 09/20/2017 07:19 AM, hw wrote:
>>>> hw wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> how do I allow CGI programs to print (using 'lpr -P some-printer
>>>>> some-file.pdf') when lighttpd is being used for a web server?
>>>>>
>>>>> When selinux is permissive, the printer prints; when it's enforcing,
>>>>> the printer does not print, and I'm getting the log message
>>>>> '/bin/lpr: Permission denied'.
>>>>>
>>>>> 'getsebool -a | grep http' doesn't show any boolean I could make out
>>>>> to be responsible for this.
>>>>>
>>>>> Any idea what I need to do/change to allow printing without disabling
>>>>> selinux?
>>>>> _______________________________________________
>>>>> CentOS mailing list
>>>>> CentOS at centos.org
>>>>> https://lists.centos.org/mailman/listinfo/centos
>>>>
>>>> Nobody knows?
>>>
>>>
>>> Look in your audit logs while in permissive mode and you should see the
>>> issue in there, the wiki has details:
>>>
>>> https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b 
>>>
>>
>> Thanks!  I'm guessing I'm supposed to use ausearch to search for
>> something, and I don't know what to search for.
>>
>> So far, lighttpd cannot print and cannot send emails (using
>> MIME::Lite) unless selinux is permissive.  Using
>>
>> 'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'
>>
>> I only get
>>
>>
>> type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : 
>> proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
>> type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 
>> syscall=open success=no exit=EACCES(Permission denied) 
>> a0=0x559fc8094740 
>> a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 a3=0x7 
>> items=0 ppid=1 pid=14081 auid=unset uid=root gid=root euid=root 
>> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) 
>> ses=unset comm=lighttpd exe=/usr/sbin/lighttpd 
>> subj=system_u:system_r:httpd_t:s0 key=(null)
>> type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc:  denied { 
>> write } for  pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 
>> scontext=system_u:system_r:httpd_t:s0 
>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
>>
>>
>> Any idea what I would need to search for, or how to figure out what I
>> would need to allow?

First, to enable httpd to send mail, you can turn on the sendmail
boolean.

# setsebool -P httpd_can_sendmail 1

For the ability to print, you would need to add custom rules.

# grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint

# semodule -i myprint.pp

If you get another failure on lpr, you might have to run these commands
a couple of times.
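As an added example (not part of this thread or of any CentOS tool), a POSIX shell function for the review step between `grep lpr audit.log | audit2allow` and `semodule -i`: it parses raw audit.log AVC records for one command name and prints the allow rules a module would need, so they can be read before being loaded. The sample records are constructed in raw audit.log format to mirror the lpr and sendmail denials quoted above; the function name avc_rules and the SAMPLE_AVC variable are assumptions.

```shell
# Constructed sample in raw /var/log/audit/audit.log format (not a real log);
# it mirrors the lpr and sendmail denials quoted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1505477534.551:31746): avc:  denied  { open } for  pid=27633 comm="lpr" path="/etc/cups/lpoptions" dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(1505477534.551:31746): avc:  denied  { read } for  pid=27633 comm="lpr" name="lpoptions" dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(1506082109.911:1023): avc:  denied  { setgid } for  pid=19418 comm="sendmail" capability=setgid scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability'

# avc_rules COMM [FILE]: print one TE allow rule per (source type, target
# type, class) for the AVC denials whose comm matches COMM.  Reads FILE, or
# the constructed sample when FILE is omitted.  Output is sorted and deduped.
avc_rules() {
  want=$1; file=${2:-}
  if [ -n "$file" ]; then cat -- "$file"; else printf '%s\n' "$SAMPLE_AVC"; fi |
  awk -v want="$want" '
    /^type=AVC / && / denied / {
      comm = sc = tc = cls = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")     { comm = kv[2]; gsub("\"", "", comm) }
        if (kv[1] == "scontext") sc = kv[2]
        if (kv[1] == "tcontext") tc = kv[2]
        if (kv[1] == "tclass")   cls = kv[2]
      }
      if (comm != want) next
      # the denied permissions are the words between { and }
      match($0, /[{][^}]*[}]/)
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      # the type is the third field of a user:role:type:level context;
      # audit2allow writes "self" when source and target types match
      split(sc, s, ":"); split(tc, t, ":")
      tgt = (s[3] == t[3]) ? "self" : t[3]
      key = s[3] " " tgt ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!((key, p[j]) in have)) { have[key, p[j]] = 1; seen[key] = seen[key] " " p[j] }
    }
    END { for (k in seen) print "allow " k " {" seen[k] " };" }
  ' | sort
}
```

Run `avc_rules lpr /var/log/audit/audit.log` to see what the denials for lpr amount to before building the module; a rule whose target is a type outside of cups config (or a capability on self) is worth a second look rather than blindly loading.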