1

I want to setup an cups-pdf printer to print PDFs to a samba shared directory but SELinux denies cups access to the shared directory. (cups needs to write to a local FS directory which is hosted as a windows share by samba running on the same machine)

I'm using CentOS 6.

My audit log shows:

type=AVC msg=audit(1342728685.377:32002): avc: denied { getattr } for pid=236 55 comm="cups-pdf" path="/mnt/storage/samba" dev=sdb1 ino=11927553 scontext=syst em_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:samba_sha re_t:s0 tclass=dir

I can't simply relabel the directory since it won't have samba_share_t label thus denying further samba access.

Does anyone have a solution to this?

Chris
  • 111
  • 1

2 Answers2

3

cups-pdf comes with an SELinux policy which allows cups to print to user home directories. You'll find it in /usr/share/doc/cups-pdf-*/contrib/SELinux-HOWTO.

It should be only a minor modification to let it write to Samba shares:

require {
    type samba_share_t;
}

allow cupsd_t samba_share_t:dir { add_name create getattr remove_name search setattr write };
allow cupsd_t samba_share_t:file { create getattr read setattr unlink write };
Michael Hampton
  • 237,123
  • 42
  • 477
  • 940
-3

I apologize in advance, this really isn't meant sarcastically - can you just disable SELinux?

If it's not needed in your environment, you can try putting SELinux into permissive mode, in which it will still log alerts, but won't prevent access, by calling

setenforce 0

This is only temporary until a reboot though, if you'd like to make it permanent, edit the /etc/selinux/config file and set the "SELINUX=XXXXXXX" line accordingly (enforcing, permissive, disabled)

Disabled will not log violations, and will not prevent any access

Univ426
  • 2,139
  • 14
  • 26
  • While I wouldn't recommend disabling SELinux in every environment, is there a problem with this if SEL/MAC's aren't needed? – Univ426 Jul 25 '12 at 14:50