cupsd_selinux(8)              SELinux Policy cupsd             cupsd_selinux(8)

NAME
       cupsd_selinux - Security Enhanced Linux Policy for the cupsd processes

DESCRIPTION
       Security-Enhanced Linux secures the cupsd processes via flexible
       mandatory access control.

       The cupsd processes execute with the cupsd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep cupsd_t

ENTRYPOINTS
       The cupsd_t SELinux type can be entered via the cupsd_exec_t file type.

       The default entrypoint paths for the cupsd_t domain are the following:

       /usr/sbin/hp-[^/]+, /usr/share/hplip/.*.py, /usr/lib/cups/backend/hp.*,
       /usr/bin/hpijs, /usr/sbin/cupsd, /usr/sbin/hpiod, /usr/sbin/cups-browsed

PROCESS TYPES
       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       cupsd policy is very flexible, allowing users to set up their cupsd
       processes in as secure a manner as possible.

       The following process types are defined for cupsd:

       cupsd_config_t, cupsd_t, cupsd_lpd_t, cups_brf_t, cups_pdf_t

       Note: semanage permissive -a cupsd_t can be used to make the process
       type cupsd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated.

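       Added example, not part of the generated man page: a POSIX shell
       function that summarises the AVC denial records attributed to cupsd_t
       in audit-log text, marking the ones recorded with permissive=1 so they
       can be reviewed before the domain is returned to enforcing. The audit
       lines below are constructed samples; the function and variable names
       are the example's own.

```shell
#!/bin/sh
# Added example: summarise AVC denials for the cupsd_t domain from
# audit.log style input. Runs offline on the constructed sample below.

# cupsd_avc_summary reads audit records on stdin and prints, for each
# denial whose source context is cupsd_t, one line of the form
#   <mode> <permissions> <tclass> <target type>
# where <mode> is "permissive" when the record carries permissive=1
# (the domain was made permissive, so the access was allowed but still
# logged) and "enforced" otherwise. Records for other domains are skipped.
cupsd_avc_summary() {
    awk '
        /avc: +denied/ && /scontext=[^ ]*:cupsd_t:/ {
            # the requested permissions sit between the braces after "denied"
            perms = $0
            sub(/.*denied +[{] */, "", perms)
            sub(/ *[}].*/, "", perms)
            gsub(/ /, ",", perms)
            tclass = ""; ttype = ""; mode = "enforced"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^tclass=/) tclass = substr($i, 8)
                if ($i ~ /^tcontext=/) {
                    # tcontext=user:role:type:level -> take the type field
                    split(substr($i, 10), ctx, ":")
                    ttype = ctx[3]
                }
                if ($i == "permissive=1") mode = "permissive"
            }
            print mode, perms, tclass, ttype
        }'
}

# Constructed sample audit records (not from a real system): two cupsd_t
# denials logged while the domain was permissive, plus one unrelated
# domain that must be ignored. The execmem denial is the case the
# cups_execmem boolean in this man page covers.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.100:101): avc:  denied  { write } for  pid=1234 comm="cupsd" name="printers.conf" dev="dm-0" ino=5678 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.200:102): avc:  denied  { execmem } for  pid=1234 comm="cupsd" scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:system_r:cupsd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1700000000.300:103): avc:  denied  { read } for  pid=2222 comm="sshd" name="x" dev="dm-0" ino=1 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'

# Usage on a live host: grep avc /var/log/audit/audit.log | cupsd_avc_summary
```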
BOOLEANS
       SELinux policy is customizable based on least access required. cupsd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run cupsd with the tightest access possible.

       If you want to allow cups execmem/execstack, you must turn on the
       cups_execmem boolean. Disabled by default.

       setsebool -P cups_execmem 1

       If you want to dontaudit all daemons scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the kerberos_enabled boolean. Enabled by default.

       setsebool -P kerberos_enabled 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

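       Added example, not from the generated page: a POSIX shell function
       that compares getsebool -a output against the defaults documented in
       this section and reports each boolean that deviates, so a host where
       cupsd runs wider than the default policy (for example with
       cups_execmem turned on) is spotted. The getsebool text below is a
       constructed sample; the function and variable names are the example's
       own.

```shell
#!/bin/sh
# Added example: audit the booleans listed in this man page against their
# documented defaults. Input is "getsebool -a" style text ("name --> on"),
# so the function runs offline on the constructed sample below.

# name:documented-default pairs, taken from the BOOLEANS section.
CUPSD_BOOLEAN_DEFAULTS="cups_execmem:off daemons_dontaudit_scheduling:on fips_mode:on kerberos_enabled:on nis_enabled:off"

# audit_cupsd_booleans reads getsebool -a output on stdin and prints one
# line per documented boolean:
#   <name> <current> (default <default>) OK|DEVIATES|UNKNOWN
# Returns 0 when every boolean is at its documented default, 1 otherwise.
audit_cupsd_booleans() {
    input=$(cat)
    result=0
    for pair in $CUPSD_BOOLEAN_DEFAULTS; do
        name=${pair%%:*}
        default=${pair#*:}
        # getsebool prints "name --> on"; select the line for this name only
        current=$(printf '%s\n' "$input" | awk -v n="$name" '$1 == n { print $3 }')
        if [ -z "$current" ]; then
            printf '%s missing (default %s) UNKNOWN\n' "$name" "$default"
            result=1
        elif [ "$current" = "$default" ]; then
            printf '%s %s (default %s) OK\n' "$name" "$current" "$default"
        else
            printf '%s %s (default %s) DEVIATES\n' "$name" "$current" "$default"
            result=1
        fi
    done
    return $result
}

# Constructed sample resembling "getsebool -a" on a host where cups_execmem
# has been turned on (widening the policy) and the rest are at defaults.
SAMPLE_GETSEBOOL='cups_execmem --> on
daemons_dontaudit_scheduling --> on
fips_mode --> on
kerberos_enabled --> on
nis_enabled --> off
unrelated_boolean --> on'

# Usage on a live host: getsebool -a | audit_cupsd_booleans
```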
MANAGED FILES
       The SELinux process type cupsd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       cupsd_interface_t

            /etc/cups/interfaces(/.*)?

       cupsd_lock_t


       cupsd_log_t

            /var/log/hp(/.*)?
            /var/log/cups(/.*)?
            /usr/Brother/fax/.*.log.*
            /var/log/turboprint.*
            /usr/local/Brother/fax/.*.log.*

       cupsd_rw_etc_t

            /etc/printcap.*
            /etc/cups/ppd(/.*)?
            /usr/Brother/(.*/)?inf(/.*)?
            /usr/Printer/(.*/)?inf(/.*)?
            /usr/lib/bjlib(/.*)?
            /var/lib/iscan(/.*)?
            /var/cache/cups(/.*)?
            /etc/cups/certs/.*
            /etc/opt/Brother/(.*/)?inf(/.*)?
            /etc/cups/lpoptions.*
            /var/cache/foomatic(/.*)?
            /usr/local/Brother/(.*/)?inf(/.*)?
            /usr/local/Printer/(.*/)?inf(/.*)?
            /etc/cups/cupsd.conf.*
            /var/lib/cups/certs/.*
            /opt/gutenprint/ppds(/.*)?
            /opt/brother/Printers(.*/)?inf(/.*)?
            /etc/cups/classes.conf.*
            /etc/cups/printers.conf.*
            /etc/cups/subscriptions.*
            /etc/opt/brother/Printers/(.*/)?inf(/.*)?
            /usr/local/linuxprinter/ppd(/.*)?
            /var/cache/alchemist/printconf.*
            /etc/alchemist/namespace/printconf(/.*)?
            /etc/cups/certs
            /etc/cups/ppds.dat
            /var/lib/cups/certs
            /usr/share/foomatic/db/oldprinterids

       cupsd_tmp_t


       cupsd_var_lib_t

            /var/lib/hp(/.*)?

       cupsd_var_run_t

            /var/ccpd(/.*)?
            /var/ekpd(/.*)?
            /var/run/hp.*.pid
            /var/run/hp.*.port
            /var/run/cups(/.*)?
            /var/run/hplip(/.*)
            /var/turboprint(/.*)?
            /var/run/ecblp0

       faillog_t

            /var/log/btmp.*
            /var/log/faillog.*
            /var/log/tallylog.*
            /var/run/faillock(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       print_spool_t

            /var/spool/lpd(/.*)?
            /var/spool/cups(/.*)?
            /var/spool/cups-pdf(/.*)?

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       security_t

            /selinux

       snmpd_var_lib_t

            /var/agentx(/.*)?
            /var/net-snmp(/.*)
            /var/lib/snmp(/.*)?
            /var/net-snmp(/.*)?
            /var/lib/net-snmp(/.*)?
            /var/spool/snmptt(/.*)?
            /usr/share/snmp/mibs/.index

       usbfs_t


FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux cupsd policy is very flexible, allowing users to set up their
       cupsd processes in as secure a manner as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for cupsd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t cupsd_config_exec_t '/srv/cupsd/content(/.*)?'
       restorecon -R -v /srv/cupsd/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for cupsd:


       cupsd_config_exec_t

       - Set files with the cupsd_config_exec_t type, if you want to
         transition an executable to the cupsd_config_t domain.

       Paths:
            /usr/sbin/hal_lpadmin, /usr/libexec/hal_lpadmin,
            /usr/bin/cups-config-daemon, /usr/sbin/printconf-backend,
            /usr/lib/udev/udev-configure-printer,
            /usr/libexec/cups-pk-helper-mechanism


       cupsd_config_var_run_t

       - Set files with the cupsd_config_var_run_t type, if you want to store
         the cupsd config files under the /run or /var/run directory.


       cupsd_etc_t

       - Set files with the cupsd_etc_t type, if you want to store cupsd files
         in the /etc directories.

       Paths:
            /etc/hp(/.*)?, /etc/cups(/.*)?, /usr/share/cups(/.*)?


       cupsd_exec_t

       - Set files with the cupsd_exec_t type, if you want to transition an
         executable to the cupsd_t domain.

       Paths:
            /usr/sbin/hp-[^/]+, /usr/share/hplip/.*.py,
            /usr/lib/cups/backend/hp.*, /usr/bin/hpijs, /usr/sbin/cupsd,
            /usr/sbin/hpiod, /usr/sbin/cups-browsed


       cupsd_initrc_exec_t

       - Set files with the cupsd_initrc_exec_t type, if you want to
         transition an executable to the cupsd_initrc_t domain.


       cupsd_interface_t

       - Set files with the cupsd_interface_t type, if you want to treat the
         files as cupsd interface data.


       cupsd_lock_t

       - Set files with the cupsd_lock_t type, if you want to treat the files
         as cupsd lock data, stored under the /var/lock directory.


       cupsd_log_t

       - Set files with the cupsd_log_t type, if you want to treat the data as
         cupsd log data, usually stored under the /var/log directory.

       Paths:
            /var/log/hp(/.*)?, /var/log/cups(/.*)?, /usr/Brother/fax/.*.log.*,
            /var/log/turboprint.*, /usr/local/Brother/fax/.*.log.*


       cupsd_lpd_exec_t

       - Set files with the cupsd_lpd_exec_t type, if you want to transition
         an executable to the cupsd_lpd_t domain.


       cupsd_lpd_tmp_t

       - Set files with the cupsd_lpd_tmp_t type, if you want to store cupsd
         lpd temporary files in the /tmp directories.


       cupsd_lpd_var_run_t

       - Set files with the cupsd_lpd_var_run_t type, if you want to store the
         cupsd lpd files under the /run or /var/run directory.


       cupsd_rw_etc_t

       - Set files with the cupsd_rw_etc_t type, if you want to store cupsd rw
         files in the /etc directories.

       Paths:
            /etc/printcap.*, /etc/cups/ppd(/.*)?,
            /usr/Brother/(.*/)?inf(/.*)?, /usr/Printer/(.*/)?inf(/.*)?,
            /usr/lib/bjlib(/.*)?, /var/lib/iscan(/.*)?, /var/cache/cups(/.*)?,
            /etc/cups/certs/.*, /etc/opt/Brother/(.*/)?inf(/.*)?,
            /etc/cups/lpoptions.*, /var/cache/foomatic(/.*)?,
            /usr/local/Brother/(.*/)?inf(/.*)?,
            /usr/local/Printer/(.*/)?inf(/.*)?, /etc/cups/cupsd.conf.*,
            /var/lib/cups/certs/.*, /opt/gutenprint/ppds(/.*)?,
            /opt/brother/Printers(.*/)?inf(/.*)?, /etc/cups/classes.conf.*,
            /etc/cups/printers.conf.*, /etc/cups/subscriptions.*,
            /etc/opt/brother/Printers/(.*/)?inf(/.*)?,
            /usr/local/linuxprinter/ppd(/.*)?,
            /var/cache/alchemist/printconf.*,
            /etc/alchemist/namespace/printconf(/.*)?, /etc/cups/certs,
            /etc/cups/ppds.dat, /var/lib/cups/certs,
            /usr/share/foomatic/db/oldprinterids


       cupsd_tmp_t

       - Set files with the cupsd_tmp_t type, if you want to store cupsd
         temporary files in the /tmp directories.


       cupsd_unit_file_t

       - Set files with the cupsd_unit_file_t type, if you want to treat the
         files as cupsd unit content.


       cupsd_var_lib_t

       - Set files with the cupsd_var_lib_t type, if you want to store the
         cupsd files under the /var/lib directory.


       cupsd_var_run_t

       - Set files with the cupsd_var_run_t type, if you want to store the
         cupsd files under the /run or /var/run directory.

       Paths:
            /var/ccpd(/.*)?, /var/ekpd(/.*)?, /var/run/hp.*.pid,
            /var/run/hp.*.port, /var/run/cups(/.*)?, /var/run/hplip(/.*),
            /var/turboprint(/.*)?, /var/run/ecblp0


       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), cupsd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), cups_brf_selinux(8), cups_pdf_selinux(8),
       cupsd_config_selinux(8), cupsd_lpd_selinux(8)



cupsd                             23-12-15                     cupsd_selinux(8)