cups_pdf_selinux(8)         SELinux Policy cups_pdf        cups_pdf_selinux(8)

NAME

       cups_pdf_selinux - Security Enhanced Linux Policy for the cups_pdf
       processes

DESCRIPTION

       Security-Enhanced Linux secures the cups_pdf processes via flexible
       mandatory access control.

       The cups_pdf processes execute with the cups_pdf_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep cups_pdf_t

ENTRYPOINTS

       The cups_pdf_t SELinux type can be entered via the cups_pdf_exec_t file
       type.

       The default entrypoint paths for the cups_pdf_t domain are the
       following:

       /usr/lib/cups/backend/cups-pdf

PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       cups_pdf policy is very flexible, allowing users to set up their
       cups_pdf processes in as secure a manner as possible.

       The following process types are defined for cups_pdf:

       cups_pdf_t

       Note: semanage permissive -a cups_pdf_t can be used to make the process
       type cups_pdf_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

BOOLEANS

       SELinux policy is customizable based on least access required.
       cups_pdf policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run cups_pdf with the tightest
       access possible.

       If you want to allow users to resolve user passwd entries directly from
       ldap rather than using an sssd server, you must turn on the
       authlogin_nsswitch_use_ldap boolean. Disabled by default.

       setsebool -P authlogin_nsswitch_use_ldap 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       If you want to support NFS home directories, you must turn on the
       use_nfs_home_dirs boolean. Disabled by default.

       setsebool -P use_nfs_home_dirs 1
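
       An added example, not part of the original manual page: a shell
       function that compares boolean states against the defaults stated in
       this section and prints any that differ. The function and variable
       names and the sample input are constructed for illustration; the input
       is in the "name --> on|off" format printed by getsebool -a.

```shell
#!/bin/sh
# Defaults as stated in the BOOLEANS section of this page (name=state).
DOCUMENTED_DEFAULTS='authlogin_nsswitch_use_ldap=off fips_mode=on kerberos_enabled=on nis_enabled=off nscd_use_shm=on use_nfs_home_dirs=off'

# boolean_drift (hypothetical helper): read "name --> on|off" lines on stdin
# and print one line per listed boolean whose state differs from the
# documented default. Booleans not listed on this page are ignored.
boolean_drift() {
    awk -v defaults="$DOCUMENTED_DEFAULTS" '
        BEGIN {
            n = split(defaults, rows, " ")
            for (i = 1; i <= n; i++) {
                split(rows[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] {
            printf "%s documented=%s current=%s\n", $1, want[$1], $3
        }
    '
}

# Constructed sample input; two booleans deviate from the documented defaults.
SAMPLE_GETSEBOOL='authlogin_nsswitch_use_ldap --> off
fips_mode --> on
kerberos_enabled --> on
nis_enabled --> on
nscd_use_shm --> on
use_nfs_home_dirs --> on
zebra_write_config --> off'

# On an SELinux host the live state would be piped in instead:
#   getsebool -a | boolean_drift
printf '%s\n' "$SAMPLE_GETSEBOOL" | boolean_drift
```

       Each reported line is a boolean that has been changed from the default
       given above and is worth confirming as intentional.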

MANAGED FILES

       The SELinux process type cups_pdf_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       cifs_t

       cups_pdf_tmp_t

       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       nfs_t

       print_spool_t

            /var/spool/lpd(/.*)?
            /var/spool/cups(/.*)?
            /var/spool/cups-pdf(/.*)?

       user_home_t

            /home/[^/]+/.+

FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux cups_pdf policy is very flexible, allowing users to set up
       their cups_pdf processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for cups_pdf. If you want to
       store files with these types in different paths, you need to execute
       the semanage command to specify alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t cups_pdf_tmp_t '/srv/mycups_pdf_content(/.*)?'
       restorecon -R -v /srv/mycups_pdf_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for cups_pdf:

       cups_pdf_exec_t

       - Set files with the cups_pdf_exec_t type, if you want to transition an
       executable to the cups_pdf_t domain.

       cups_pdf_tmp_t

       - Set files with the cups_pdf_tmp_t type, if you want to store cups pdf
       temporary files in the /tmp directories.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR

       This manual page was auto-generated using sepolicy manpage.

SEE ALSO

       selinux(8), cups_pdf(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

cups_pdf                           19-10-08                cups_pdf_selinux(8)