1cupsd_selinux(8) SELinux Policy cupsd cupsd_selinux(8)
2
6 cupsd_selinux - Security Enhanced Linux Policy for the cupsd processes
7
9 Security-Enhanced Linux secures the cupsd processes via flexible manda‐
10 tory access control.
11 The cupsd processes execute with the cupsd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15 For example:
17 ps -eZ | grep cupsd_t
19
23 The cupsd_t SELinux type can be entered via the cupsd_exec_t file type.
24 The default entrypoint paths for the cupsd_t domain are the following:
26 /usr/sbin/hp-[^/]+, /usr/share/hplip/.*.py, /usr/lib/cups/backend/hp.*,
28 /usr/bin/hpijs, /usr/sbin/cupsd, /usr/sbin/hpiod, /usr/sbin/cups-
29 browsed
30
32 SELinux defines process types (domains) for each process running on the
33 system
34 You can see the context of a process using the -Z option to ps
36 Policy governs the access confined processes have to files. SELinux
38 cupsd policy is very flexible allowing users to setup their cupsd pro‐
39 cesses in as secure a method as possible.
40 The following process types are defined for cupsd:
42 cupsd_config_t, cupsd_t, cupsd_lpd_t, cups_brf_t, cups_pdf_t
44 Note: semanage permissive -a cupsd_t can be used to make the process
46 type cupsd_t permissive. SELinux does not deny access to permissive
47 process types, but the AVC (SELinux denials) messages are still gener‐
48 ated.
49
52 SELinux policy is customizable based on least access required. cupsd
53 policy is extremely flexible and has several booleans that allow you to
54 manipulate the policy and run cupsd with the tightest access possible.
55 If you want to allow cups execmem/execstack, you must turn on the
59 cups_execmem boolean. Disabled by default.
60 setsebool -P cups_execmem 1
62 If you want to dontaudit all daemons scheduling requests (setsched,
66 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
67 Enabled by default.
68 setsebool -P daemons_dontaudit_scheduling 1
70 If you want to allow all domains to execute in fips_mode, you must turn
74 on the fips_mode boolean. Enabled by default.
75 setsebool -P fips_mode 1
77 If you want to allow confined applications to run with kerberos, you
81 must turn on the kerberos_enabled boolean. Enabled by default.
82 setsebool -P kerberos_enabled 1
84 If you want to allow system to run with NIS, you must turn on the
88 nis_enabled boolean. Disabled by default.
89 setsebool -P nis_enabled 1
91
95 The SELinux process type cupsd_t can manage files labeled with the fol‐
96 lowing file types. The paths listed are the default paths for these
97 file types. Note the processes UID still need to have DAC permissions.
98 cluster_conf_t
100 /etc/cluster(/.*)?
102 cluster_var_lib_t
104 /var/lib/pcsd(/.*)?
106 /var/lib/cluster(/.*)?
107 /var/lib/openais(/.*)?
108 /var/lib/pengine(/.*)?
109 /var/lib/corosync(/.*)?
110 /usr/lib/heartbeat(/.*)?
111 /var/lib/heartbeat(/.*)?
112 /var/lib/pacemaker(/.*)?
113 cluster_var_run_t
115 /var/run/crm(/.*)?
117 /var/run/cman_.*
118 /var/run/rsctmp(/.*)?
119 /var/run/aisexec.*
120 /var/run/heartbeat(/.*)?
121 /var/run/pcsd-ruby.socket
122 /var/run/corosync-qnetd(/.*)?
123 /var/run/corosync-qdevice(/.*)?
124 /var/run/corosync.pid
125 /var/run/cpglockd.pid
126 /var/run/rgmanager.pid
127 /var/run/cluster/rgmanager.sk
128 cupsd_interface_t
130 /etc/cups/interfaces(/.*)?
132 cupsd_lock_t
134 cupsd_log_t
137 /var/log/hp(/.*)?
139 /var/log/cups(/.*)?
140 /usr/Brother/fax/.*.log.*
141 /var/log/turboprint.*
142 /usr/local/Brother/fax/.*.log.*
143 cupsd_rw_etc_t
145 /etc/printcap.*
147 /etc/cups/ppd(/.*)?
148 /usr/Brother/(.*/)?inf(/.*)?
149 /usr/Printer/(.*/)?inf(/.*)?
150 /usr/lib/bjlib(/.*)?
151 /var/lib/iscan(/.*)?
152 /var/cache/cups(/.*)?
153 /etc/cups/certs/.*
154 /etc/opt/Brother/(.*/)?inf(/.*)?
155 /etc/cups/lpoptions.*
156 /var/cache/foomatic(/.*)?
157 /usr/local/Brother/(.*/)?inf(/.*)?
158 /usr/local/Printer/(.*/)?inf(/.*)?
159 /etc/cups/cupsd.conf.*
160 /var/lib/cups/certs/.*
161 /opt/gutenprint/ppds(/.*)?
162 /opt/brother/Printers(.*/)?inf(/.*)?
163 /etc/cups/classes.conf.*
164 /etc/cups/printers.conf.*
165 /etc/cups/subscriptions.*
166 /etc/opt/brother/Printers/(.*/)?inf(/.*)?
167 /usr/local/linuxprinter/ppd(/.*)?
168 /var/cache/alchemist/printconf.*
169 /etc/alchemist/namespace/printconf(/.*)?
170 /etc/cups/certs
171 /etc/cups/ppds.dat
172 /var/lib/cups/certs
173 /usr/share/foomatic/db/oldprinterids
174 cupsd_tmp_t
176 cupsd_var_lib_t
179 /var/lib/hp(/.*)?
181 cupsd_var_run_t
183 /var/ccpd(/.*)?
185 /var/ekpd(/.*)?
186 /var/run/hp.*.pid
187 /var/run/hp.*.port
188 /var/run/cups(/.*)?
189 /var/run/hplip(/.*)
190 /var/turboprint(/.*)?
191 /var/run/ecblp0
192 faillog_t
194 /var/log/btmp.*
196 /var/log/faillog.*
197 /var/log/tallylog.*
198 /var/run/faillock(/.*)?
199 krb5_host_rcache_t
201 /var/tmp/krb5_0.rcache2
203 /var/cache/krb5rcache(/.*)?
204 /var/tmp/nfs_0
205 /var/tmp/DNS_25
206 /var/tmp/host_0
207 /var/tmp/imap_0
208 /var/tmp/HTTP_23
209 /var/tmp/HTTP_48
210 /var/tmp/ldap_55
211 /var/tmp/ldap_487
212 /var/tmp/ldapmap1_0
213 print_spool_t
215 /var/spool/lpd(/.*)?
217 /var/spool/cups(/.*)?
218 /var/spool/cups-pdf(/.*)?
219 root_t
221 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
223 /
224 /initrd
225 security_t
227 /selinux
229 snmpd_var_lib_t
231 /var/agentx(/.*)?
233 /var/net-snmp(/.*)
234 /var/lib/snmp(/.*)?
235 /var/net-snmp(/.*)?
236 /var/lib/net-snmp(/.*)?
237 /var/spool/snmptt(/.*)?
238 /usr/share/snmp/mibs/.index
239 usbfs_t
241
245 SELinux requires files to have an extended attribute to define the file
246 type.
247 You can see the context of a file using the -Z option to ls
249 Policy governs the access confined processes have to these files.
251 SELinux cupsd policy is very flexible allowing users to setup their
252 cupsd processes in as secure a method as possible.
253 STANDARD FILE CONTEXT
255 SELinux defines the file context types for the cupsd, if you wanted to
257 store files with these types in a different paths, you need to execute
258 the semanage command to specify alternate labeling and then use re‐
259 storecon to put the labels on disk.
260 semanage fcontext -a -t cupsd_config_exec_t '/srv/cupsd/content(/.*)?'
262 restorecon -R -v /srv/mycupsd_content
263 Note: SELinux often uses regular expressions to specify labels that
265 match multiple files.
266 The following file types are defined for cupsd:
268 cupsd_config_exec_t
272 - Set files with the cupsd_config_exec_t type, if you want to transi‐
274 tion an executable to the cupsd_config_t domain.
275 Paths:
278 /usr/sbin/hal_lpadmin, /usr/libexec/hal_lpadmin, /usr/bin/cups-
279 config-daemon, /usr/sbin/printconf-backend, /usr/lib/udev/udev-
280 configure-printer, /usr/libexec/cups-pk-helper-mechanism
281 cupsd_config_var_run_t
284 - Set files with the cupsd_config_var_run_t type, if you want to store
286 the cupsd config files under the /run or /var/run directory.
287 cupsd_etc_t
291 - Set files with the cupsd_etc_t type, if you want to store cupsd files
293 in the /etc directories.
294 Paths:
297 /etc/hp(/.*)?, /etc/cups(/.*)?, /usr/share/cups(/.*)?
298 cupsd_exec_t
301 - Set files with the cupsd_exec_t type, if you want to transition an
303 executable to the cupsd_t domain.
304 Paths:
307 /usr/sbin/hp-[^/]+, /usr/share/hplip/.*.py, /usr/lib/cups/back‐
308 end/hp.*, /usr/bin/hpijs, /usr/sbin/cupsd, /usr/sbin/hpiod,
309 /usr/sbin/cups-browsed
310 cupsd_initrc_exec_t
313 - Set files with the cupsd_initrc_exec_t type, if you want to transi‐
315 tion an executable to the cupsd_initrc_t domain.
316 cupsd_interface_t
320 - Set files with the cupsd_interface_t type, if you want to treat the
322 files as cupsd interface data.
323 cupsd_lock_t
327 - Set files with the cupsd_lock_t type, if you want to treat the files
329 as cupsd lock data, stored under the /var/lock directory
330 cupsd_log_t
334 - Set files with the cupsd_log_t type, if you want to treat the data as
336 cupsd log data, usually stored under the /var/log directory.
337 Paths:
340 /var/log/hp(/.*)?, /var/log/cups(/.*)?, /usr/Brother/fax/.*.log.*,
341 /var/log/turboprint.*, /usr/local/Brother/fax/.*.log.*
342 cupsd_lpd_exec_t
345 - Set files with the cupsd_lpd_exec_t type, if you want to transition
347 an executable to the cupsd_lpd_t domain.
348 cupsd_lpd_tmp_t
352 - Set files with the cupsd_lpd_tmp_t type, if you want to store cupsd
354 lpd temporary files in the /tmp directories.
355 cupsd_lpd_var_run_t
359 - Set files with the cupsd_lpd_var_run_t type, if you want to store the
361 cupsd lpd files under the /run or /var/run directory.
362 cupsd_rw_etc_t
366 - Set files with the cupsd_rw_etc_t type, if you want to store cupsd rw
368 files in the /etc directories.
369 Paths:
372 /etc/printcap.*, /etc/cups/ppd(/.*)?,
373 /usr/Brother/(.*/)?inf(/.*)?, /usr/Printer/(.*/)?inf(/.*)?,
374 /usr/lib/bjlib(/.*)?, /var/lib/iscan(/.*)?, /var/cache/cups(/.*)?,
375 /etc/cups/certs/.*, /etc/opt/Brother/(.*/)?inf(/.*)?,
376 /etc/cups/lpoptions.*, /var/cache/foomatic(/.*)?, /usr/lo‐
377 cal/Brother/(.*/)?inf(/.*)?, /usr/local/Printer/(.*/)?inf(/.*)?,
378 /etc/cups/cupsd.conf.*, /var/lib/cups/certs/.*, /opt/guten‐
379 print/ppds(/.*)?, /opt/brother/Printers(.*/)?inf(/.*)?,
380 /etc/cups/classes.conf.*, /etc/cups/printers.conf.*,
381 /etc/cups/subscriptions.*, /etc/opt/brother/Print‐
382 ers/(.*/)?inf(/.*)?, /usr/local/linuxprinter/ppd(/.*)?,
383 /var/cache/alchemist/printconf.*, /etc/alchemist/namespace/print‐
384 conf(/.*)?, /etc/cups/certs, /etc/cups/ppds.dat,
385 /var/lib/cups/certs, /usr/share/foomatic/db/oldprinterids
386 cupsd_tmp_t
389 - Set files with the cupsd_tmp_t type, if you want to store cupsd tem‐
391 porary files in the /tmp directories.
392 cupsd_unit_file_t
396 - Set files with the cupsd_unit_file_t type, if you want to treat the
398 files as cupsd unit content.
399 cupsd_var_lib_t
403 - Set files with the cupsd_var_lib_t type, if you want to store the
405 cupsd files under the /var/lib directory.
406 cupsd_var_run_t
410 - Set files with the cupsd_var_run_t type, if you want to store the
412 cupsd files under the /run or /var/run directory.
413 Paths:
416 /var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/run/hp.*.pid,
417 /var/run/hp.*.port, /var/run/cups(/.*)?, /var/run/hplip(/.*),
418 /var/turboprint(/.*)?, /var/run/ecblp0
419 Note: File context can be temporarily modified with the chcon command.
422 If you want to permanently change the file context you need to use the
423 semanage fcontext command. This will modify the SELinux labeling data‐
424 base. You will need to use restorecon to apply the labels.
425
428 semanage fcontext can also be used to manipulate default file context
429 mappings.
430 semanage permissive can also be used to manipulate whether or not a
432 process type is permissive.
433 semanage module can also be used to enable/disable/install/remove pol‐
435 icy modules.
436 semanage boolean can also be used to manipulate the booleans
438 system-config-selinux is a GUI tool available to customize SELinux pol‐
441 icy settings.
442
445 This manual page was auto-generated using sepolicy manpage .
446
449 selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1), sepol‐
450 icy(8), setsebool(8), cups_brf_selinux(8), cups_pdf_selinux(8),
451 cupsd_config_selinux(8), cupsd_lpd_selinux(8)
452cupsd 23-10-20 cupsd_selinux(8)