cupsd_selinux(8)             SELinux Policy cupsd             cupsd_selinux(8)


NAME

       cupsd_selinux - Security Enhanced Linux Policy for the cupsd processes


DESCRIPTION

       Security-Enhanced Linux secures the cupsd processes via flexible
       mandatory access control.

       The cupsd processes execute with the cupsd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep cupsd_t


ENTRYPOINTS

       The cupsd_t SELinux type can be entered via the cupsd_exec_t file type.

       The default entrypoint paths for the cupsd_t domain are the following:

       /usr/sbin/hp-[^/]+, /usr/share/hplip/.*.py, /usr/lib/cups/backend/hp.*,
       /usr/bin/hpijs, /usr/sbin/cupsd, /usr/sbin/hpiod, /usr/sbin/cups-browsed


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       cupsd policy is very flexible, allowing users to set up their cupsd
       processes in as secure a method as possible.

       The following process types are defined for cupsd:

       cupsd_config_t, cupsd_t, cupsd_lpd_t, cups_pdf_t

       Note: semanage permissive -a cupsd_t can be used to make the process
       type cupsd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on least access required. cupsd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run cupsd with the tightest access possible.


       If you want to allow cups execmem/execstack, you must turn on the
       cups_execmem boolean. Disabled by default.

       setsebool -P cups_execmem 1


       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1


       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Disabled by default.

       setsebool -P kerberos_enabled 1


MANAGED FILES

       The SELinux process type cupsd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t


       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       cupsd_interface_t

            /etc/cups/interfaces(/.*)?

       cupsd_lock_t


       cupsd_log_t

            /var/log/hp(/.*)?
            /var/log/cups(/.*)?
            /usr/Brother/fax/.*.log.*
            /var/log/turboprint.*
            /usr/local/Brother/fax/.*.log.*

       cupsd_rw_etc_t

            /etc/printcap.*
            /etc/cups/ppd(/.*)?
            /usr/Brother/(.*/)?inf(/.*)?
            /usr/Printer/(.*/)?inf(/.*)?
            /usr/lib/bjlib(/.*)?
            /var/lib/iscan(/.*)?
            /var/cache/cups(/.*)?
            /etc/cups/certs/.*
            /etc/opt/Brother/(.*/)?inf(/.*)?
            /etc/cups/lpoptions.*
            /var/cache/foomatic(/.*)?
            /usr/local/Brother/(.*/)?inf(/.*)?
            /usr/local/Printer/(.*/)?inf(/.*)?
            /etc/cups/cupsd.conf.*
            /var/lib/cups/certs/.*
            /opt/gutenprint/ppds(/.*)?
            /opt/brother/Printers(.*/)?inf(/.*)?
            /etc/cups/classes.conf.*
            /etc/cups/printers.conf.*
            /etc/cups/subscriptions.*
            /etc/opt/brother/Printers/(.*/)?inf(/.*)?
            /usr/local/linuxprinter/ppd(/.*)?
            /var/cache/alchemist/printconf.*
            /etc/alchemist/namespace/printconf(/.*)?
            /etc/cups/certs
            /etc/cups/ppds.dat
            /var/lib/cups/certs
            /usr/share/foomatic/db/oldprinterids

       cupsd_var_lib_t

            /var/lib/hp(/.*)?

       cupsd_var_run_t

            /var/ccpd(/.*)?
            /var/ekpd(/.*)?
            /var/run/hp.*.pid
            /var/run/hp.*.port
            /var/run/cups(/.*)?
            /var/run/hplip(/.*)
            /var/turboprint(/.*)?
            /var/run/ecblp0

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       print_spool_t

            /var/spool/lpd(/.*)?
            /var/spool/cups(/.*)?
            /var/spool/cups-pdf(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       snmpd_var_lib_t

            /var/agentx(/.*)?
            /var/net-snmp(/.*)
            /var/lib/snmp(/.*)?
            /var/net-snmp(/.*)?
            /var/lib/net-snmp(/.*)?
            /var/spool/snmptt(/.*)?
            /usr/share/snmp/mibs/.index

       usbfs_t



FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux cupsd policy is very flexible, allowing users to set up their
       cupsd processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for cupsd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t cupsd_unit_file_t '/srv/mycupsd_content(/.*)?'
       restorecon -R -v /srv/mycupsd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for cupsd:


       cupsd_config_exec_t

       - Set files with the cupsd_config_exec_t type, if you want to
       transition an executable to the cupsd_config_t domain.

       Paths:
            /usr/sbin/hal_lpadmin, /usr/libexec/hal_lpadmin,
            /usr/bin/cups-config-daemon, /usr/sbin/printconf-backend,
            /usr/lib/udev/udev-configure-printer,
            /usr/libexec/cups-pk-helper-mechanism


       cupsd_config_var_run_t

       - Set files with the cupsd_config_var_run_t type, if you want to store
       the cupsd config files under the /run or /var/run directory.


       cupsd_etc_t

       - Set files with the cupsd_etc_t type, if you want to store cupsd files
       in the /etc directories.

       Paths:
            /etc/hp(/.*)?, /etc/cups(/.*)?, /usr/share/cups(/.*)?


       cupsd_exec_t

       - Set files with the cupsd_exec_t type, if you want to transition an
       executable to the cupsd_t domain.

       Paths:
            /usr/sbin/hp-[^/]+, /usr/share/hplip/.*.py,
            /usr/lib/cups/backend/hp.*, /usr/bin/hpijs, /usr/sbin/cupsd,
            /usr/sbin/hpiod, /usr/sbin/cups-browsed


       cupsd_initrc_exec_t

       - Set files with the cupsd_initrc_exec_t type, if you want to
       transition an executable to the cupsd_initrc_t domain.


       cupsd_interface_t

       - Set files with the cupsd_interface_t type, if you want to treat the
       files as cupsd interface data.


       cupsd_lock_t

       - Set files with the cupsd_lock_t type, if you want to treat the files
       as cupsd lock data, stored under the /var/lock directory.


       cupsd_log_t

       - Set files with the cupsd_log_t type, if you want to treat the data as
       cupsd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/hp(/.*)?, /var/log/cups(/.*)?, /usr/Brother/fax/.*.log.*,
            /var/log/turboprint.*, /usr/local/Brother/fax/.*.log.*


       cupsd_lpd_exec_t

       - Set files with the cupsd_lpd_exec_t type, if you want to transition
       an executable to the cupsd_lpd_t domain.


       cupsd_lpd_tmp_t

       - Set files with the cupsd_lpd_tmp_t type, if you want to store cupsd
       lpd temporary files in the /tmp directories.


       cupsd_lpd_var_run_t

       - Set files with the cupsd_lpd_var_run_t type, if you want to store the
       cupsd lpd files under the /run or /var/run directory.


       cupsd_rw_etc_t

       - Set files with the cupsd_rw_etc_t type, if you want to store cupsd
       read-write files in the /etc directories.

       Paths:
            /etc/printcap.*, /etc/cups/ppd(/.*)?, /usr/Brother/(.*/)?inf(/.*)?,
            /usr/Printer/(.*/)?inf(/.*)?, /usr/lib/bjlib(/.*)?,
            /var/lib/iscan(/.*)?, /var/cache/cups(/.*)?, /etc/cups/certs/.*,
            /etc/opt/Brother/(.*/)?inf(/.*)?, /etc/cups/lpoptions.*,
            /var/cache/foomatic(/.*)?, /usr/local/Brother/(.*/)?inf(/.*)?,
            /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/cupsd.conf.*,
            /var/lib/cups/certs/.*, /opt/gutenprint/ppds(/.*)?,
            /opt/brother/Printers(.*/)?inf(/.*)?, /etc/cups/classes.conf.*,
            /etc/cups/printers.conf.*, /etc/cups/subscriptions.*,
            /etc/opt/brother/Printers/(.*/)?inf(/.*)?,
            /usr/local/linuxprinter/ppd(/.*)?, /var/cache/alchemist/printconf.*,
            /etc/alchemist/namespace/printconf(/.*)?, /etc/cups/certs,
            /etc/cups/ppds.dat, /var/lib/cups/certs,
            /usr/share/foomatic/db/oldprinterids


       cupsd_tmp_t

       - Set files with the cupsd_tmp_t type, if you want to store cupsd
       temporary files in the /tmp directories.


       cupsd_unit_file_t

       - Set files with the cupsd_unit_file_t type, if you want to treat the
       files as cupsd unit content.


       cupsd_var_lib_t

       - Set files with the cupsd_var_lib_t type, if you want to store the
       cupsd files under the /var/lib directory.


       cupsd_var_run_t

       - Set files with the cupsd_var_run_t type, if you want to store the
       cupsd files under the /run or /var/run directory.

       Paths:
            /var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/run/hp.*.pid,
            /var/run/hp.*.port, /var/run/cups(/.*)?, /var/run/hplip(/.*),
            /var/turboprint(/.*)?, /var/run/ecblp0


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

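       The permissive note under PROCESS TYPES says AVC messages keep being
       generated; reading them is how you find out whether a denial points at
       a boolean (the cups_execmem case under BOOLEANS) or at a mislabeled
       file (the semanage fcontext / restorecon case above). The script below
       is an added example and not part of this sepolicy-generated page: it
       reads audit records for the four cupsd process types and sorts each
       denial into one of those two fixes or marks it for review. The sample
       records, PIDs, inode numbers and file names are constructed.

```shell
#!/bin/sh
# Added example, not part of the sepolicy-generated man page. Reads AVC
# records (audit.log format) and, for the four cupsd process types listed
# under PROCESS TYPES, sorts each denial into the fix this page describes:
#   boolean:cups_execmem - execmem/execstack denied to cupsd_t
#   label                - file/dir target whose type is not a cupsd file
#                          type (check with ls -Z, fix with semanage
#                          fcontext + restorecon)
#   review               - anything else
# On a live host feed it real records: ausearch -m avc -c cupsd | classify_cupsd_avc

# Constructed sample records; PIDs, inodes and names are made up.
SAMPLE_AVC='type=AVC msg=audit(1700000000.001:101): avc:  denied  { write } for  pid=1234 comm="cupsd" name="printers.conf" dev="dm-0" ino=5555 scontext=system_u:system_r:cupsd_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.002:102): avc:  denied  { execmem } for  pid=1234 comm="cupsd" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:system_r:cupsd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1700000000.003:103): avc:  denied  { name_connect } for  pid=1240 comm="cups-browsed" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.004:104): avc:  denied  { name_bind } for  pid=3333 comm="chronyd" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:ntp_port_t:s0 tclass=udp_socket permissive=0'

# File types the FILE CONTEXTS section defines for cupsd content.
CUPSD_FILE_TYPES='cupsd_etc_t cupsd_rw_etc_t cupsd_interface_t cupsd_lock_t
cupsd_log_t cupsd_tmp_t cupsd_lpd_tmp_t cupsd_var_lib_t cupsd_var_run_t
cupsd_unit_file_t cupsd_config_var_run_t cupsd_lpd_var_run_t'

# Read audit records on stdin; print "<category> <source> <perms> <class> <target>".
classify_cupsd_avc() {
    awk -v allowed="$CUPSD_FILE_TYPES" '
    BEGIN { n = split(allowed, a); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /avc:  denied/ {
        # the permission set sits between the braces, e.g. "{ write }"
        b = index($0, "{"); e = index($0, "}")
        perms = substr($0, b + 1, e - b - 1); gsub(/^ +| +$/, "", perms)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {      # type is field 3 of user:role:type:level
            if ($i ~ /^scontext=/) { split($i, x, ":"); s = x[3] }
            if ($i ~ /^tcontext=/) { split($i, x, ":"); t = x[3] }
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        if (s !~ /^(cupsd_t|cupsd_config_t|cupsd_lpd_t|cups_pdf_t)$/) next
        cat = "review"
        if (s == "cupsd_t" && perms ~ /exec(mem|stack)/) cat = "boolean:cups_execmem"
        else if ((c == "file" || c == "dir") && !(t in ok)) cat = "label"
        print cat, s, perms, c, t
    }'
}

printf '%s\n' "$SAMPLE_AVC" | classify_cupsd_avc
```

       A "label" line for a target type such as etc_t under /etc/cups means
       the default contexts listed above were not applied; a "boolean" line
       is the case setsebool -P cups_execmem 1 addresses.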

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), cups_pdf_selinux(8), cupsd_config_selinux(8),
       cupsd_lpd_selinux(8)



cupsd                              20-05-05                   cupsd_selinux(8)