cupsd_selinux(8)             SELinux Policy cupsd             cupsd_selinux(8)


NAME

       cupsd_selinux - Security Enhanced Linux Policy for the cupsd processes


DESCRIPTION

       Security-Enhanced Linux secures the cupsd processes via flexible
       mandatory access control.

       The cupsd processes execute with the cupsd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep cupsd_t

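       As an added example (not part of this auto-generated man page), the
       following shell function turns the ps -eZ check above into an audit: it
       reads ps -eZ output and reports any CUPS daemon that is not running in
       one of the cupsd domains listed under PROCESS TYPES, which is the
       situation to alert on, since such a process gets none of the policy
       restrictions described here (for instance when /usr/sbin/cupsd has lost
       its cupsd_exec_t label and no domain transition happened). The daemon
       command names it looks for and the sample ps output are assumptions
       constructed for the example.

```shell
# Added example, not part of the sepolicy-generated man page.
# Usage on a real host:  ps -eZ | check_cupsd_domains
# Prints one line per CUPS daemon outside the cupsd domains; returns 0 if
# every such daemon is confined, 1 otherwise.
check_cupsd_domains() {
    awk '
        # ps -eZ columns: LABEL PID TTY TIME CMD. The SELinux type is the
        # third colon-separated field of LABEL (user:role:type:range).
        $1 == "LABEL" { next }                 # header line, if present
        {
            split($1, ctx, ":")
            type = ctx[3]
            cmd  = $NF
            # Command names of the daemons whose entrypoints this page lists
            # (assumed names, constructed for the example).
            if (cmd !~ /^(cupsd|cups-browsed|cups-pdf|hpiod|hp-.*)$/) next
            # Process types this page defines for cupsd.
            if (type ~ /^(cupsd_t|cupsd_config_t|cupsd_lpd_t|cups_pdf_t)$/) next
            printf "UNCONFINED %s pid=%s type=%s\n", cmd, $2, type
            bad = 1
        }
        END { if (bad) exit 1 }
    '
}

# Constructed sample in ps -eZ layout (not captured from a real host): one
# cupsd is confined, a second copy runs unconfined.
SAMPLE_PS_EZ='LABEL                                       PID TTY          TIME CMD
system_u:system_r:cupsd_t:s0-s0:c0.c1023    812 ?        00:00:01 cupsd
system_u:system_r:cupsd_t:s0-s0:c0.c1023    815 ?        00:00:00 cups-browsed
system_u:system_r:unconfined_t:s0-s0:c0.c1023 2217 ?     00:00:00 cupsd
system_u:system_r:sshd_t:s0-s0:c0.c1023     901 ?        00:00:00 sshd'

# Runs the check against the constructed sample; on a real host pipe ps -eZ
# into check_cupsd_domains instead.
demo_check_cupsd_domains() {
    printf '%s\n' "$SAMPLE_PS_EZ" | check_cupsd_domains
}
```

       On the sample the function prints
       "UNCONFINED cupsd pid=2217 type=unconfined_t" and returns 1; the sshd
       line is ignored because only CUPS daemons are of interest here.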

ENTRYPOINTS

       The cupsd_t SELinux type can be entered via the cupsd_exec_t file type.

       The default entrypoint paths for the cupsd_t domain are the following:

       /usr/sbin/hp-[^/]+, /usr/share/hplip/.*.py, /usr/lib/cups/backend/hp.*,
       /usr/bin/hpijs, /usr/sbin/cupsd, /usr/sbin/hpiod, /usr/sbin/cups-browsed


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       cupsd policy is very flexible, allowing users to set up their cupsd
       processes in as secure a method as possible.

       The following process types are defined for cupsd:

       cupsd_config_t, cupsd_t, cupsd_lpd_t, cups_pdf_t

       Note: semanage permissive -a cupsd_t can be used to make the process
       type cupsd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on least access required. cupsd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run cupsd with the tightest access possible.

       If you want to allow cups execmem/execstack, you must turn on the
       cups_execmem boolean. Disabled by default.

       setsebool -P cups_execmem 1

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using a sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the daemons_dump_core boolean. Disabled by default.

       setsebool -P daemons_dump_core 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Enabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the daemons_use_tty boolean. Disabled by default.

       setsebool -P daemons_use_tty 1

       If you want to deny any process from ptracing or debugging any other
       processes, you must turn on the deny_ptrace boolean. Enabled by
       default.

       setsebool -P deny_ptrace 1

       If you want to allow any process to mmap any file on the system with
       attribute file_type, you must turn on the domain_can_mmap_files
       boolean. Enabled by default.

       setsebool -P domain_can_mmap_files 1

       If you want to allow all domains to write to kmsg_device while the
       kernel is executed with the systemd.log_target=kmsg parameter, you must
       turn on the domain_can_write_kmsg boolean. Disabled by default.

       setsebool -P domain_can_write_kmsg 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the domain_fd_use boolean. Enabled by
       default.

       setsebool -P domain_fd_use 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Disabled by default.

       setsebool -P nscd_use_shm 1

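       As an added example (not part of this auto-generated man page), the
       following shell function audits the booleans listed above against the
       defaults this page states: it reads getsebool -a output (lines of the
       form "name --> on|off"), reports every listed boolean that has drifted
       from its default, and prints the setsebool -P command that restores
       it. The sample getsebool output is constructed for the example; the
       default values are exactly those stated above.

```shell
# Added example, not part of the sepolicy-generated man page.
# Usage on a real host:  getsebool -a | audit_cupsd_booleans
# Returns 0 when none of the listed booleans has drifted, 1 otherwise.

# Defaults as stated in the BOOLEANS section (name=default).
CUPSD_BOOLEAN_DEFAULTS="cups_execmem=off authlogin_nsswitch_use_ldap=off \
daemons_dump_core=off daemons_enable_cluster_mode=on \
daemons_use_tcp_wrapper=off daemons_use_tty=off deny_ptrace=on \
domain_can_mmap_files=on domain_can_write_kmsg=off domain_fd_use=on \
domain_kernel_load_modules=off fips_mode=on global_ssp=off \
kerberos_enabled=on nis_enabled=off nscd_use_shm=off"

audit_cupsd_booleans() {
    awk -v defaults="$CUPSD_BOOLEAN_DEFAULTS" '
        BEGIN {
            # Turn the "name=state" tokens into a lookup table.
            n = split(defaults, tok, " ")
            for (i = 1; i <= n; i++) {
                split(tok[i], kv, "=")
                def[kv[1]] = kv[2]
            }
        }
        # getsebool -a prints: <name> --> <state>. Booleans not in the table
        # (unrelated to cupsd) are ignored.
        ($1 in def) && $3 != def[$1] {
            printf "DRIFT %s current=%s default=%s (restore: setsebool -P %s %d)\n",
                   $1, $3, def[$1], $1, (def[$1] == "on")
            bad = 1
        }
        END { if (bad) exit 1 }
    '
}

# Constructed sample in getsebool -a layout (not captured from a real host):
# cups_execmem has been switched on and deny_ptrace switched off.
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
cups_execmem --> on
daemons_dump_core --> off
deny_ptrace --> off
domain_fd_use --> on
httpd_can_network_connect --> off'

# Runs the audit against the constructed sample; on a real host pipe
# getsebool -a into audit_cupsd_booleans instead.
demo_audit_cupsd_booleans() {
    printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_cupsd_booleans
}
```

       On the sample the audit reports cups_execmem (current=on, default=off)
       and deny_ptrace (current=off, default=on) and returns 1. Drift from a
       default is not wrong by itself, but a boolean that is on while
       "Disabled by default" widens what cupsd may do, so each such entry
       should be a deliberate, documented choice.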

MANAGED FILES

       The SELinux process type cupsd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t


       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/cpglockd.pid
            /var/run/corosync.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       cupsd_interface_t

            /etc/cups/interfaces(/.*)?

       cupsd_lock_t


       cupsd_log_t

            /var/log/hp(/.*)?
            /var/log/cups(/.*)?
            /usr/Brother/fax/.*.log.*
            /var/log/turboprint.*
            /usr/local/Brother/fax/.*.log.*

       cupsd_rw_etc_t

            /etc/printcap.*
            /etc/cups/ppd(/.*)?
            /usr/Brother/(.*/)?inf(/.*)?
            /usr/Printer/(.*/)?inf(/.*)?
            /usr/lib/bjlib(/.*)?
            /var/lib/iscan(/.*)?
            /var/cache/cups(/.*)?
            /etc/cups/certs/.*
            /etc/opt/Brother/(.*/)?inf(/.*)?
            /etc/cups/lpoptions.*
            /var/cache/foomatic(/.*)?
            /usr/local/Brother/(.*/)?inf(/.*)?
            /usr/local/Printer/(.*/)?inf(/.*)?
            /etc/cups/cupsd.conf.*
            /var/lib/cups/certs/.*
            /opt/gutenprint/ppds(/.*)?
            /opt/brother/Printers(.*/)?inf(/.*)?
            /etc/cups/classes.conf.*
            /etc/cups/printers.conf.*
            /etc/cups/subscriptions.*
            /etc/opt/brother/Printers/(.*/)?inf(/.*)?
            /usr/local/linuxprinter/ppd(/.*)?
            /var/cache/alchemist/printconf.*
            /etc/alchemist/namespace/printconf(/.*)?
            /etc/cups/certs
            /etc/cups/ppds.dat
            /var/lib/cups/certs
            /usr/share/foomatic/db/oldprinterids

       cupsd_tmp_t


       cupsd_var_lib_t

            /var/lib/hp(/.*)?

       cupsd_var_run_t

            /var/ccpd(/.*)?
            /var/ekpd(/.*)?
            /var/run/hp.*.pid
            /var/run/hp.*.port
            /var/run/cups(/.*)?
            /var/run/hplip(/.*)
            /var/turboprint(/.*)?

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       print_spool_t

            /var/spool/lpd(/.*)?
            /var/spool/cups(/.*)?
            /var/spool/cups-pdf(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic.*/deploy(/.*)?
            /
            /initrd

       samba_var_t

            /var/nmbd(/.*)?
            /var/lib/samba(/.*)?
            /var/cache/samba(/.*)?

       security_t

            /selinux

       usbfs_t



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux cupsd policy is very flexible, allowing users to set up their
       cupsd processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for cupsd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t cupsd_var_run_t '/srv/mycupsd_content(/.*)?'
       restorecon -R -v /srv/mycupsd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for cupsd:


       cupsd_config_exec_t

       - Set files with the cupsd_config_exec_t type, if you want to
       transition an executable to the cupsd_config_t domain.

       Paths:
            /usr/sbin/hal_lpadmin, /usr/libexec/hal_lpadmin,
            /usr/bin/cups-config-daemon, /usr/sbin/printconf-backend,
            /usr/lib/udev/udev-configure-printer,
            /usr/libexec/cups-pk-helper-mechanism


       cupsd_config_var_run_t

       - Set files with the cupsd_config_var_run_t type, if you want to store
       the cupsd config files under the /run or /var/run directory.


       cupsd_etc_t

       - Set files with the cupsd_etc_t type, if you want to store cupsd files
       in the /etc directories.

       Paths:
            /etc/hp(/.*)?, /etc/cups(/.*)?, /usr/share/cups(/.*)?


       cupsd_exec_t

       - Set files with the cupsd_exec_t type, if you want to transition an
       executable to the cupsd_t domain.

       Paths:
            /usr/sbin/hp-[^/]+, /usr/share/hplip/.*.py,
            /usr/lib/cups/backend/hp.*, /usr/bin/hpijs, /usr/sbin/cupsd,
            /usr/sbin/hpiod, /usr/sbin/cups-browsed


       cupsd_initrc_exec_t

       - Set files with the cupsd_initrc_exec_t type, if you want to
       transition an executable to the cupsd_initrc_t domain.


       cupsd_interface_t

       - Set files with the cupsd_interface_t type, if you want to treat the
       files as cupsd interface data.


       cupsd_lock_t

       - Set files with the cupsd_lock_t type, if you want to treat the files
       as cupsd lock data, stored under the /var/lock directory.


       cupsd_log_t

       - Set files with the cupsd_log_t type, if you want to treat the data as
       cupsd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/hp(/.*)?, /var/log/cups(/.*)?, /usr/Brother/fax/.*.log.*,
            /var/log/turboprint.*, /usr/local/Brother/fax/.*.log.*


       cupsd_lpd_exec_t

       - Set files with the cupsd_lpd_exec_t type, if you want to transition
       an executable to the cupsd_lpd_t domain.


       cupsd_lpd_tmp_t

       - Set files with the cupsd_lpd_tmp_t type, if you want to store cupsd
       lpd temporary files in the /tmp directories.


       cupsd_lpd_var_run_t

       - Set files with the cupsd_lpd_var_run_t type, if you want to store the
       cupsd lpd files under the /run or /var/run directory.


       cupsd_rw_etc_t

       - Set files with the cupsd_rw_etc_t type, if you want to store cupsd rw
       files in the /etc directories.

       Paths:
            /etc/printcap.*, /etc/cups/ppd(/.*)?, /usr/Brother/(.*/)?inf(/.*)?,
            /usr/Printer/(.*/)?inf(/.*)?, /usr/lib/bjlib(/.*)?,
            /var/lib/iscan(/.*)?, /var/cache/cups(/.*)?, /etc/cups/certs/.*,
            /etc/opt/Brother/(.*/)?inf(/.*)?, /etc/cups/lpoptions.*,
            /var/cache/foomatic(/.*)?, /usr/local/Brother/(.*/)?inf(/.*)?,
            /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/cupsd.conf.*,
            /var/lib/cups/certs/.*, /opt/gutenprint/ppds(/.*)?,
            /opt/brother/Printers(.*/)?inf(/.*)?, /etc/cups/classes.conf.*,
            /etc/cups/printers.conf.*, /etc/cups/subscriptions.*,
            /etc/opt/brother/Printers/(.*/)?inf(/.*)?,
            /usr/local/linuxprinter/ppd(/.*)?, /var/cache/alchemist/printconf.*,
            /etc/alchemist/namespace/printconf(/.*)?, /etc/cups/certs,
            /etc/cups/ppds.dat, /var/lib/cups/certs,
            /usr/share/foomatic/db/oldprinterids


       cupsd_tmp_t

       - Set files with the cupsd_tmp_t type, if you want to store cupsd
       temporary files in the /tmp directories.


       cupsd_unit_file_t

       - Set files with the cupsd_unit_file_t type, if you want to treat the
       files as cupsd unit content.


       cupsd_var_lib_t

       - Set files with the cupsd_var_lib_t type, if you want to store the
       cupsd files under the /var/lib directory.


       cupsd_var_run_t

       - Set files with the cupsd_var_run_t type, if you want to store the
       cupsd files under the /run or /var/run directory.

       Paths:
            /var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/run/hp.*.pid,
            /var/run/hp.*.port, /var/run/cups(/.*)?, /var/run/hplip(/.*),
            /var/turboprint(/.*)?


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

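       As an added example (not part of this auto-generated man page), the
       following shell function checks on-disk labels against the path-to-type
       mappings listed under MANAGED FILES and FILE CONTEXTS: it reads ls -Z
       output ("context path" per line) and reports every file whose type does
       not match the type this page assigns to its path, i.e. the files that
       restorecon would relabel. Only a subset of the page's mappings is
       embedded, and the sample ls -Z output is constructed for the example.
       Where several regexes match one path the check prefers the one with the
       longest literal prefix (stem), which approximates how the labeling
       database resolves overlapping entries; matchpathcon(8) gives the
       authoritative answer for a path.

```shell
# Added example, not part of the sepolicy-generated man page.
# Usage on a real host:  ls -Z /etc/cups/* /var/spool/cups | check_cupsd_labels
# Returns 0 when every recognised path carries its expected type, 1 otherwise.

# "type regex" pairs copied from this page (a subset, for brevity).
CUPSD_FILE_CONTEXTS="cupsd_exec_t /usr/sbin/cupsd \
cupsd_etc_t /etc/cups(/.*)? \
cupsd_interface_t /etc/cups/interfaces(/.*)? \
cupsd_rw_etc_t /etc/cups/ppd(/.*)? \
cupsd_rw_etc_t /etc/cups/cupsd.conf.* \
cupsd_rw_etc_t /etc/cups/printers.conf.* \
cupsd_log_t /var/log/cups(/.*)? \
cupsd_var_run_t /var/run/cups(/.*)? \
print_spool_t /var/spool/cups(/.*)?"

check_cupsd_labels() {
    awk -v specs="$CUPSD_FILE_CONTEXTS" '
        # Length of the literal prefix of a regex: the characters before the
        # first regex metacharacter (the stem).
        function stemlen(re,    i) {
            for (i = 1; i <= length(re); i++)
                if (index(".(*?^$+|[", substr(re, i, 1)) > 0) break
            return i - 1
        }
        BEGIN {
            n = split(specs, tok, " ")
            for (i = 1; i + 1 <= n; i += 2) {
                nspec++
                stype[nspec] = tok[i]
                sre[nspec]   = tok[i + 1]
            }
        }
        # ls -Z layout: <context> <path>; the type is the third field of the
        # context (user:role:type:range).
        NF >= 2 {
            split($1, ctx, ":")
            actual = ctx[3]
            path = $NF
            best = 0; bestlen = -1
            for (k = 1; k <= nspec; k++) {
                if (match(path, "^" sre[k] "$") && stemlen(sre[k]) > bestlen) {
                    best = k; bestlen = stemlen(sre[k])
                }
            }
            if (best == 0) next            # path not covered by the table
            if (actual != stype[best]) {
                printf "MISLABELED %s actual=%s expected=%s\n", path, actual, stype[best]
                bad = 1
            }
        }
        END { if (bad) exit 1 }
    '
}

# Constructed sample in ls -Z layout (not captured from a real host): two
# files carry the wrong type, one unrelated file (/etc/hosts) is ignored.
SAMPLE_LS_Z='system_u:object_r:cupsd_etc_t:s0 /etc/cups/client.conf
system_u:object_r:cupsd_rw_etc_t:s0 /etc/cups/cupsd.conf
system_u:object_r:cupsd_etc_t:s0 /etc/cups/printers.conf
system_u:object_r:var_t:s0 /var/spool/cups/tmp
system_u:object_r:cupsd_exec_t:s0 /usr/sbin/cupsd
system_u:object_r:etc_t:s0 /etc/hosts'

# Runs the check against the constructed sample; on a real host pipe ls -Z
# into check_cupsd_labels instead.
demo_check_cupsd_labels() {
    printf '%s\n' "$SAMPLE_LS_Z" | check_cupsd_labels
}
```

       On the sample, /etc/cups/printers.conf is reported because the more
       specific /etc/cups/printers.conf.* entry (cupsd_rw_etc_t) wins over
       /etc/cups(/.*)? (cupsd_etc_t), and /var/spool/cups/tmp is reported as
       var_t instead of print_spool_t; restorecon -R -v on the affected
       directories, as shown above, puts the default labels back.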

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1), sepolicy(8),
       setsebool(8), cups_pdf_selinux(8), cupsd_config_selinux(8),
       cupsd_lpd_selinux(8)



cupsd                              19-04-25                   cupsd_selinux(8)