[CentOS] selinux prevents lighttpd from printing

Fri Sep 22 13:00:16 UTC 2017
Daniel Walsh <dwalsh at redhat.com>

On 09/22/2017 08:24 AM, hw wrote:
> Daniel Walsh wrote:
>> On 09/22/2017 06:58 AM, hw wrote:
>>>
>>> PS: Now I found this:
>>>
>>>
>>> type=PROCTITLE msg=audit(09/22/2017 12:08:29.911:1023) : 
>>> proctitle=/usr/lib/sendmail -t -oi -oem -fwawi-genimp
>>> type=SYSCALL msg=audit(09/22/2017 12:08:29.911:1023) : arch=x86_64 
>>> syscall=setgroups success=no exit=EPERM(Operation not permitted) 
>>> a0=0x1 a1=0x7ffc1df3b0d0 a2=0x0 a3=0x7f5d77c3a300 items=0 ppid=19417 
>>> pid=19418 auid=unset uid=lighttpd gid=lighttpd euid=root suid=root 
>>> fsuid=root egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) 
>>> ses=unset comm=sendmail exe=/usr/sbin/exim 
>>> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>>> type=AVC msg=audit(09/22/2017 12:08:29.911:1023) : avc: denied  { 
>>> setgid } for  pid=19418 comm=sendmail capability=setgid 
>>> scontext=system_u:system_r:httpd_sys_script_t:s0 
>>> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
>>>
>>> type=SYSCALL msg=audit(09/15/2017 12:12:14.551:31746) : arch=x86_64 
>>> syscall=open success=yes exit=7 a0=0x7ffd1659ec70 a1=O_RDONLY a2=0x0 
>>> a3=0x9 items=0 ppid=27605 pid=27633 auid=unset uid=lighttpd 
>>> gid=lighttpd euid=lighttpd suid=lighttpd fsuid=lighttpd 
>>> egid=lighttpd sgid=lighttpd fsgid=lighttpd tty=(none) ses=unset 
>>> comm=lpr exe=/usr/bin/lpr.cups 
>>> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
>>> type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { 
>>> open } for  pid=27633 comm=lpr path=/etc/cups/lpoptions dev="sdb2" 
>>> ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 
>>> tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
>>> type=AVC msg=audit(09/15/2017 12:12:14.551:31746) : avc: denied { 
>>> read } for  pid=27633 comm=lpr name=lpoptions dev="sdb2" ino=153957 
>>> scontext=system_u:system_r:httpd_sys_script_t:s0 
>>> tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
>>>
>>>
>>> So I can see that sending email and printing were denied -- which I 
>>> already found out -- and I don't have any idea how to allow it.
>>>
>>>
>>> hw wrote:
>>>> Johnny Hughes wrote:
>>>>> On 09/20/2017 07:19 AM, hw wrote:
>>>>>> hw wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> how do I allow CGI programs to print (using 'lpr -P some-printer
>>>>>>> some-file.pdf') when
>>>>>>> lighttpd is being used for a web server?
>>>>>>>
>>>>>>> When selinux is permissive, the printer prints; when it's 
>>>>>>> enforcing, the printer does not print, and I'm getting the log 
>>>>>>> message '/bin/lpr: Permission denied'.
>>>>>>>
>>>>>>> 'getsebool -a | grep http' doesn't show any boolean I could make 
>>>>>>> out to be responsible for this.
>>>>>>>
>>>>>>> Any idea what I need to do/change to allow printing without 
>>>>>>> disabling
>>>>>>> selinux?
>>>>>>> _______________________________________________
>>>>>>> CentOS mailing list
>>>>>>> CentOS at centos.org
>>>>>>> https://lists.centos.org/mailman/listinfo/centos
>>>>>>
>>>>>> Nobody knows?
>>>>>
>>>>>
>>>>> Look in your audit logs while in permissive mode and you should 
>>>>> see the
>>>>> issue in there, the wiki has details:
>>>>>
>>>>> https://wiki.centos.org/HowTos/SELinux#head-798c98ef37cb8a00425a048152113b7a7dc14f1b 
>>>>>
>>>>
>>>> Thanks!  I'm guessing I'm supposed to use ausearch to search for 
>>>> something, and I don't know what to search for.
>>>>
>>>> So far, lighttpd can not print and can not send emails (using 
>>>> MIME::Lite) unless
>>>> selinux is permissive.  Using
>>>>
>>>> 'ausearch -c "httpd" -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR -i'
>>>>
>>>> , I only get
>>>>
>>>>
>>>> type=PROCTITLE msg=audit(09/21/2017 14:08:40.569:559) : 
>>>> proctitle=/usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
>>>> type=SYSCALL msg=audit(09/21/2017 14:08:40.569:559) : arch=x86_64 
>>>> syscall=open success=no exit=EACCES(Permission denied) 
>>>> a0=0x559fc8094740 
>>>> a1=O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_TRUNC|O_CLOEXEC a2=0644 
>>>> a3=0x7 items=0 ppid=1 pid=14081 auid=unset uid=root gid=root 
>>>> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root 
>>>> tty=(none) ses=unset comm=lighttpd exe=/usr/sbin/lighttpd 
>>>> subj=system_u:system_r:httpd_t:s0 key=(null)
>>>> type=AVC msg=audit(09/21/2017 14:08:40.569:559) : avc: denied { 
>>>> write } for  pid=14081 comm=lighttpd name=www dev="sda2" ino=64608 
>>>> scontext=system_u:system_r:httpd_t:s0 
>>>> tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
>>>>
>>>>
>>>> Any idea what I would need to search for, or how to figure out what 
>>>> I would
>>>> need to allow?
>>>
>>
>> First, to enable httpd to send mail, you can turn on the sendmail 
>> boolean.
>>
>> # setsebool -P httpd_can_sendmail 1
>
> Oh, I looked at these variables and somehow didn't see it.
>
>> For the ability to print, you would need to add custom rules.
>>
>> # grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint
>>
>> # semodule -i myprint.pp
>>
>> If you get another failure on lpr, you might have to run these 
>> commands a couple of times.
>
> Thank you very much!  Both problems are now fixed :)
>
> However:
>
> grep lpr /var/log/audit/audit.log | audit2allow -R -M myprint
> could not open interface info [/var/lib/sepolgen/interface_info]
>
>
> I don't know what's missing, so I omitted the -R option, and it worked.

That is fine.  The -R sometimes finds additional rules.
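As an added example (not from the thread or any of its participants), here is a small POSIX shell script that turns AVC records like the ones quoted above into the allow rules audit2allow would generate, so you can check exactly what a custom module grants to httpd_sys_script_t before running `semodule -i`. The audit records are constructed from the thread's own denials, and the function names are mine.

```shell
#!/bin/sh
# Constructed sample AVC records, modelled on the denials quoted in the thread
# (raw audit.log quotes comm= and path=; ausearch -i output does not; both parse).
AVC_SAMPLE='type=AVC msg=audit(09/22/2017 12:08:29.911:1023): avc:  denied  { setgid } for  pid=19418 comm="sendmail" capability=setgid scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=AVC msg=audit(09/15/2017 12:12:14.551:31746): avc:  denied  { open } for  pid=27633 comm="lpr" path="/etc/cups/lpoptions" dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(09/15/2017 12:12:14.551:31746): avc:  denied  { read } for  pid=27633 comm="lpr" name="lpoptions" dev="sdb2" ino=153957 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file'

# One line per distinct denial: comm source_type target_type class permission.
# In real use replace the printf with: grep lpr /var/log/audit/audit.log
avc_denials() {
  printf '%s\n' "$AVC_SAMPLE" | awk '
    /avc: +denied/ {
      comm = ""; s = ""; t = ""; c = ""
      # the permission set sits between braces, e.g. { open read }
      match($0, /[{][a-z_ ]+[}]/)
      n = split(substr($0, RSTART + 1, RLENGTH - 2), perms, " ")
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^comm=/)     comm = substr($i, 6)
        if ($i ~ /^scontext=/) s = substr($i, 10)
        if ($i ~ /^tcontext=/) t = substr($i, 10)
        if ($i ~ /^tclass=/)   c = substr($i, 8)
      }
      gsub(/"/, "", comm)
      # user:role:type:level -> keep the type (third field)
      split(s, sa, ":"); split(t, ta, ":")
      for (j = 1; j <= n; j++) print comm, sa[3], ta[3], c, perms[j]
    }' | sort -u
}

# Group permissions per (source, target:class) into TE-style allow rules,
# which is what audit2allow writes into myprint.te.
te_rules() {
  avc_denials | awk '
    { key = $2 " " $3 ":" $4; p[key] = p[key] " " $5 }
    END { for (k in p) print "allow " k " {" p[k] " };" }' | sort
}

# Review the draft before building a module: in the thread the sendmail
# capability denial was resolved by the httpd_can_sendmail boolean, so only the
# lpr rules belong in a custom module (hence grep lpr, not the whole log).
te_rules
```

Run it against the real log by replacing the printf with the grep from Daniel's reply; `audit2allow -M myprint` then produces the same rules in a loadable form.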