cupsd_selinux(8)             SELinux Policy cupsd             cupsd_selinux(8)


NAME

       cupsd_selinux - Security Enhanced Linux Policy for the cupsd processes

DESCRIPTION

       Security-Enhanced Linux secures the cupsd processes via flexible
       mandatory access control.

       The cupsd processes execute with the cupsd_t SELinux type. You can
       check whether these processes are running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep cupsd_t


ENTRYPOINTS

       The cupsd_t SELinux type can be entered via the cupsd_exec_t file type.

       The default entrypoint paths for the cupsd_t domain are the following:

       /usr/sbin/hp-[^/]+, /usr/share/hplip/.*.py, /usr/lib/cups/backend/hp.*,
       /usr/bin/hpijs, /usr/sbin/cupsd, /usr/sbin/hpiod, /usr/sbin/cups-browsed


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       cupsd policy is very flexible, allowing users to set up their cupsd
       processes as securely as possible.

       The following process types are defined for cupsd:

       cupsd_config_t, cupsd_t, cupsd_lpd_t, cups_brf_t, cups_pdf_t

       Note: semanage permissive -a cupsd_t can be used to make the process
       type cupsd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated.

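       An added example, not part of the generated man page: because a permissive cupsd_t still logs AVC denials, the audit log shows exactly what the domain was allowed to do only thanks to permissive mode, which is what breaks once it is made enforcing again. The code parses a constructed audit.log excerpt and groups the cupsd_t denials by class, target type and permission; the target types etc_t and jetdirect_port_t, the pids and the helper names are assumptions for the sample.

```python
import re

# Constructed audit.log excerpt (not real system output); pids, inodes and
# timestamps are placeholders. Lines 1-3 come from cupsd_t, line 4 from sshd_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1675440000.101:201): avc:  denied  { write } for  pid=1201 comm="cupsd" name="printers.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1675440000.102:202): avc:  denied  { write } for  pid=1201 comm="cupsd" name="printers.conf" dev="dm-0" ino=4242 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1675440000.103:203): avc:  denied  { name_connect } for  pid=1201 comm="cupsd" dest=9100 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:jetdirect_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1675440000.104:204): avc:  denied  { read } for  pid=1300 comm="sshd" name="shadow" dev="dm-0" ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1675440000.104:204): arch=c000003e syscall=257 success=no exit=-13 comm="sshd"
"""

# One AVC record: the permission set, then the source/target contexts and class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def selinux_type(context):
    """user:role:type:range -> type (the third field)."""
    return context.split(":")[2]

def summarize_denials(log_text, domain="cupsd_t"):
    """Count AVC denials whose source domain is `domain`, keyed by
    (tclass, target_type, permission); permissive=1 means access went ahead."""
    summary = {}
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if match is None or selinux_type(match.group("scontext")) != domain:
            continue  # SYSCALL records and other domains are skipped
        key_base = (match.group("tclass"), selinux_type(match.group("tcontext")))
        for perm in match.group("perms").split():
            entry = summary.setdefault(key_base + (perm,),
                                       {"count": 0, "permissive": False})
            entry["count"] += 1
            entry["permissive"] = entry["permissive"] or match.group("permissive") == "1"
    return summary

def would_be_blocked(summary):
    """Accesses that only succeeded because the domain was permissive: what stops
    working after `semanage permissive -d cupsd_t` makes it enforcing again."""
    return sorted(key for key, entry in summary.items() if entry["permissive"])

if __name__ == "__main__":
    for (tclass, ttype, perm), entry in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"cupsd_t {perm:>12} {tclass}:{ttype} x{entry['count']} "
              f"permissive={entry['permissive']}")
```

       The repeated write denial against etc_t is the usual sign of a mislabeled file, which restorecon fixes without any policy change.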

BOOLEANS

       SELinux policy is customizable based on least access required. cupsd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run cupsd with the tightest access possible.

       If you want to allow cups execmem/execstack, you must turn on the
       cups_execmem boolean. Disabled by default.

       setsebool -P cups_execmem 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1


MANAGED FILES

       The SELinux process type cupsd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       cupsd_interface_t

            /etc/cups/interfaces(/.*)?

       cupsd_lock_t

       cupsd_log_t

            /var/log/hp(/.*)?
            /var/log/cups(/.*)?
            /usr/Brother/fax/.*.log.*
            /var/log/turboprint.*
            /usr/local/Brother/fax/.*.log.*

       cupsd_rw_etc_t

            /etc/printcap.*
            /etc/cups/ppd(/.*)?
            /usr/Brother/(.*/)?inf(/.*)?
            /usr/Printer/(.*/)?inf(/.*)?
            /usr/lib/bjlib(/.*)?
            /var/lib/iscan(/.*)?
            /var/cache/cups(/.*)?
            /etc/cups/certs/.*
            /etc/opt/Brother/(.*/)?inf(/.*)?
            /etc/cups/lpoptions.*
            /var/cache/foomatic(/.*)?
            /usr/local/Brother/(.*/)?inf(/.*)?
            /usr/local/Printer/(.*/)?inf(/.*)?
            /etc/cups/cupsd.conf.*
            /var/lib/cups/certs/.*
            /opt/gutenprint/ppds(/.*)?
            /opt/brother/Printers(.*/)?inf(/.*)?
            /etc/cups/classes.conf.*
            /etc/cups/printers.conf.*
            /etc/cups/subscriptions.*
            /etc/opt/brother/Printers/(.*/)?inf(/.*)?
            /usr/local/linuxprinter/ppd(/.*)?
            /var/cache/alchemist/printconf.*
            /etc/alchemist/namespace/printconf(/.*)?
            /etc/cups/certs
            /etc/cups/ppds.dat
            /var/lib/cups/certs
            /usr/share/foomatic/db/oldprinterids

       cupsd_tmp_t

       cupsd_var_lib_t

            /var/lib/hp(/.*)?

       cupsd_var_run_t

            /var/ccpd(/.*)?
            /var/ekpd(/.*)?
            /var/run/hp.*.pid
            /var/run/hp.*.port
            /var/run/cups(/.*)?
            /var/run/hplip(/.*)
            /var/turboprint(/.*)?
            /var/run/ecblp0

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       print_spool_t

            /var/spool/lpd(/.*)?
            /var/spool/cups(/.*)?
            /var/spool/cups-pdf(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       snmpd_var_lib_t

            /var/agentx(/.*)?
            /var/net-snmp(/.*)
            /var/lib/snmp(/.*)?
            /var/net-snmp(/.*)?
            /var/lib/net-snmp(/.*)?
            /var/spool/snmptt(/.*)?
            /usr/share/snmp/mibs/.index

       usbfs_t


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux cupsd policy is very flexible, allowing users to set up their
       cupsd processes as securely as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for cupsd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t cupsd_unit_file_t '/srv/mycupsd_content(/.*)?'
       restorecon -R -v /srv/mycupsd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for cupsd:

       cupsd_config_exec_t

       - Set files with the cupsd_config_exec_t type, if you want to
       transition an executable to the cupsd_config_t domain.

       Paths:
            /usr/sbin/hal_lpadmin, /usr/libexec/hal_lpadmin,
            /usr/bin/cups-config-daemon, /usr/sbin/printconf-backend,
            /usr/lib/udev/udev-configure-printer,
            /usr/libexec/cups-pk-helper-mechanism

       cupsd_config_var_run_t

       - Set files with the cupsd_config_var_run_t type, if you want to store
       the cupsd config files under the /run or /var/run directory.

       cupsd_etc_t

       - Set files with the cupsd_etc_t type, if you want to store cupsd files
       in the /etc directories.

       Paths:
            /etc/hp(/.*)?, /etc/cups(/.*)?, /usr/share/cups(/.*)?

       cupsd_exec_t

       - Set files with the cupsd_exec_t type, if you want to transition an
       executable to the cupsd_t domain.

       Paths:
            /usr/sbin/hp-[^/]+, /usr/share/hplip/.*.py,
            /usr/lib/cups/backend/hp.*, /usr/bin/hpijs, /usr/sbin/cupsd,
            /usr/sbin/hpiod, /usr/sbin/cups-browsed

       cupsd_initrc_exec_t

       - Set files with the cupsd_initrc_exec_t type, if you want to
       transition an executable to the cupsd_initrc_t domain.

       cupsd_interface_t

       - Set files with the cupsd_interface_t type, if you want to treat the
       files as cupsd interface data.

       cupsd_lock_t

       - Set files with the cupsd_lock_t type, if you want to treat the files
       as cupsd lock data, stored under the /var/lock directory.

       cupsd_log_t

       - Set files with the cupsd_log_t type, if you want to treat the data as
       cupsd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/hp(/.*)?, /var/log/cups(/.*)?, /usr/Brother/fax/.*.log.*,
            /var/log/turboprint.*, /usr/local/Brother/fax/.*.log.*

       cupsd_lpd_exec_t

       - Set files with the cupsd_lpd_exec_t type, if you want to transition
       an executable to the cupsd_lpd_t domain.

       cupsd_lpd_tmp_t

       - Set files with the cupsd_lpd_tmp_t type, if you want to store cupsd
       lpd temporary files in the /tmp directories.

       cupsd_lpd_var_run_t

       - Set files with the cupsd_lpd_var_run_t type, if you want to store the
       cupsd lpd files under the /run or /var/run directory.

       cupsd_rw_etc_t

       - Set files with the cupsd_rw_etc_t type, if you want to store cupsd rw
       files in the /etc directories.

       Paths:
            /etc/printcap.*, /etc/cups/ppd(/.*)?, /usr/Brother/(.*/)?inf(/.*)?,
            /usr/Printer/(.*/)?inf(/.*)?, /usr/lib/bjlib(/.*)?,
            /var/lib/iscan(/.*)?, /var/cache/cups(/.*)?, /etc/cups/certs/.*,
            /etc/opt/Brother/(.*/)?inf(/.*)?, /etc/cups/lpoptions.*,
            /var/cache/foomatic(/.*)?, /usr/local/Brother/(.*/)?inf(/.*)?,
            /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/cupsd.conf.*,
            /var/lib/cups/certs/.*, /opt/gutenprint/ppds(/.*)?,
            /opt/brother/Printers(.*/)?inf(/.*)?, /etc/cups/classes.conf.*,
            /etc/cups/printers.conf.*, /etc/cups/subscriptions.*,
            /etc/opt/brother/Printers/(.*/)?inf(/.*)?,
            /usr/local/linuxprinter/ppd(/.*)?, /var/cache/alchemist/printconf.*,
            /etc/alchemist/namespace/printconf(/.*)?, /etc/cups/certs,
            /etc/cups/ppds.dat, /var/lib/cups/certs,
            /usr/share/foomatic/db/oldprinterids

       cupsd_tmp_t

       - Set files with the cupsd_tmp_t type, if you want to store cupsd
       temporary files in the /tmp directories.

       cupsd_unit_file_t

       - Set files with the cupsd_unit_file_t type, if you want to treat the
       files as cupsd unit content.

       cupsd_var_lib_t

       - Set files with the cupsd_var_lib_t type, if you want to store the
       cupsd files under the /var/lib directory.

       cupsd_var_run_t

       - Set files with the cupsd_var_run_t type, if you want to store the
       cupsd files under the /run or /var/run directory.

       Paths:
            /var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/run/hp.*.pid,
            /var/run/hp.*.port, /var/run/cups(/.*)?, /var/run/hplip(/.*),
            /var/turboprint(/.*)?, /var/run/ecblp0

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

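       An added example, not from the generated man page or from sepolicy, showing how the regular-expression specs listed above are matched against a whole path and how a file whose label has drifted from its spec can be found before running restorecon. The specs are a subset of this page's cupsd file contexts, the precedence rule (longest literal prefix wins) is a stated simplification of libselinux's ordering, and the paths and current labels are constructed.

```python
import re

# Subset of the cupsd file-context specs listed on this page, as (regex, type).
# A spec is matched against the whole path, as in file_contexts(5).
FILE_CONTEXTS = [
    ("/etc/cups(/.*)?", "cupsd_etc_t"),
    ("/etc/cups/ppd(/.*)?", "cupsd_rw_etc_t"),
    ("/etc/cups/printers.conf.*", "cupsd_rw_etc_t"),
    ("/var/run/hp.*.pid", "cupsd_var_run_t"),
    ("/var/spool/cups(/.*)?", "print_spool_t"),
    ("/usr/sbin/hp-[^/]+", "cupsd_exec_t"),
]

def literal_prefix(regex):
    """Leading characters before the first regex metacharacter (the 'stem')."""
    return re.split(r"[.*?+\[\](){}\\|^$]", regex, maxsplit=1)[0]

def match_context(path, specs=FILE_CONTEXTS):
    """Return (type, spec) for path, or None when no spec matches.
    Simplified precedence (not libselinux's exact ordering): the spec with the
    longest literal prefix wins, and later entries win ties."""
    best = None
    for index, (regex, ftype) in enumerate(specs):
        # fullmatch anchors both ends: /etc/cupsdump is not under /etc/cups(/.*)?
        if re.fullmatch(regex, path) is None:
            continue
        rank = (len(literal_prefix(regex)), index)
        if best is None or rank > best[0]:
            best = (rank, ftype, regex)
    return None if best is None else (best[1], best[2])

def find_mislabeled(observed, specs=FILE_CONTEXTS):
    """observed maps path -> current type (e.g. parsed from `ls -Z` output).
    Returns (path, current, expected) for each file restorecon would relabel;
    paths that no spec covers are left alone, as restorecon leaves them."""
    wrong = []
    for path, current in observed.items():
        expected = match_context(path, specs)
        if expected is not None and expected[0] != current:
            wrong.append((path, current, expected[0]))
    return wrong

if __name__ == "__main__":
    observed = {  # constructed sample of current labels, as `ls -Z` reports them
        "/etc/cups/ppd/office.ppd": "etc_t",  # copied in with cp, never restored
        "/etc/cups/printers.conf": "cupsd_rw_etc_t",
        "/var/spool/cups/d00001-001": "print_spool_t"}
    for path, current, expected in find_mislabeled(observed):
        print(f"{path}: {current} -> {expected}")
```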

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), cups_brf_selinux(8), cups_pdf_selinux(8),
       cupsd_config_selinux(8), cupsd_lpd_selinux(8)



cupsd                              23-02-03                   cupsd_selinux(8)