1cupsd_selinux(8)             SELinux Policy cupsd             cupsd_selinux(8)
2
3
4

NAME

6       cupsd_selinux - Security Enhanced Linux Policy for the cupsd processes
7

DESCRIPTION

9       Security-Enhanced Linux secures the cupsd processes via flexible manda‐
10       tory access control.
11
12       The cupsd processes execute with the  cupsd_t  SELinux  type.  You  can
13       check  if  you have these processes running by executing the ps command
14       with the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep cupsd_t
19
20
21

ENTRYPOINTS

23       The cupsd_t SELinux type can be entered via the cupsd_exec_t file type.
24
25       The default entrypoint paths for the cupsd_t domain are the following:
26
27       /usr/sbin/hp-[^/]+, /usr/share/hplip/.*.py, /usr/lib/cups/backend/hp.*,
28       /usr/bin/hpijs,   /usr/sbin/cupsd,   /usr/sbin/hpiod,   /usr/sbin/cups-
29       browsed
30

PROCESS TYPES

32       SELinux defines process types (domains) for each process running on the
33       system
34
35       You can see the context of a process using the -Z option to ps
36
37       Policy  governs  the  access confined processes have to files.  SELinux
38       cupsd policy is very flexible allowing users to setup their cupsd  pro‐
39       cesses in as secure a method as possible.
40
41       The following process types are defined for cupsd:
42
43       cupsd_config_t, cupsd_t, cupsd_lpd_t, cups_brf_t, cups_pdf_t
44
45       Note:  semanage  permissive  -a cupsd_t can be used to make the process
46       type cupsd_t permissive. SELinux does not  deny  access  to  permissive
47       process  types, but the AVC (SELinux denials) messages are still gener‐
48       ated.
49
50

BOOLEANS

52       SELinux policy is customizable based on least access  required.   cupsd
53       policy is extremely flexible and has several booleans that allow you to
54       manipulate the policy and run cupsd with the tightest access possible.
55
56
57
58       If you want to allow cups  execmem/execstack,  you  must  turn  on  the
59       cups_execmem boolean. Disabled by default.
60
61       setsebool -P cups_execmem 1
62
63
64
65       If  you  want  to  dontaudit all daemons scheduling requests (setsched,
66       sys_nice), you must turn on the  daemons_dontaudit_scheduling  boolean.
67       Enabled by default.
68
69       setsebool -P daemons_dontaudit_scheduling 1
70
71
72
73       If you want to allow all domains to execute in fips_mode, you must turn
74       on the fips_mode boolean. Enabled by default.
75
76       setsebool -P fips_mode 1
77
78
79
80       If you want to allow confined applications to run  with  kerberos,  you
81       must turn on the kerberos_enabled boolean. Enabled by default.
82
83       setsebool -P kerberos_enabled 1
84
85
86
87       If  you  want  to  allow  system  to run with NIS, you must turn on the
88       nis_enabled boolean. Disabled by default.
89
90       setsebool -P nis_enabled 1
91
92
93

MANAGED FILES

95       The SELinux process type cupsd_t can manage files labeled with the fol‐
96       lowing  file  types.   The paths listed are the default paths for these
97       file types.  Note the processes UID still need to have DAC permissions.
98
99       cluster_conf_t
100
101            /etc/cluster(/.*)?
102
103       cluster_var_lib_t
104
105            /var/lib/pcsd(/.*)?
106            /var/lib/cluster(/.*)?
107            /var/lib/openais(/.*)?
108            /var/lib/pengine(/.*)?
109            /var/lib/corosync(/.*)?
110            /usr/lib/heartbeat(/.*)?
111            /var/lib/heartbeat(/.*)?
112            /var/lib/pacemaker(/.*)?
113
114       cluster_var_run_t
115
116            /var/run/crm(/.*)?
117            /var/run/cman_.*
118            /var/run/rsctmp(/.*)?
119            /var/run/aisexec.*
120            /var/run/heartbeat(/.*)?
121            /var/run/pcsd-ruby.socket
122            /var/run/corosync-qnetd(/.*)?
123            /var/run/corosync-qdevice(/.*)?
124            /var/run/corosync.pid
125            /var/run/cpglockd.pid
126            /var/run/rgmanager.pid
127            /var/run/cluster/rgmanager.sk
128
129       cupsd_interface_t
130
131            /etc/cups/interfaces(/.*)?
132
133       cupsd_lock_t
134
135
136       cupsd_log_t
137
138            /var/log/hp(/.*)?
139            /var/log/cups(/.*)?
140            /usr/Brother/fax/.*.log.*
141            /var/log/turboprint.*
142            /usr/local/Brother/fax/.*.log.*
143
144       cupsd_rw_etc_t
145
146            /etc/printcap.*
147            /etc/cups/ppd(/.*)?
148            /usr/Brother/(.*/)?inf(/.*)?
149            /usr/Printer/(.*/)?inf(/.*)?
150            /usr/lib/bjlib(/.*)?
151            /var/lib/iscan(/.*)?
152            /var/cache/cups(/.*)?
153            /etc/cups/certs/.*
154            /etc/opt/Brother/(.*/)?inf(/.*)?
155            /etc/cups/lpoptions.*
156            /var/cache/foomatic(/.*)?
157            /usr/local/Brother/(.*/)?inf(/.*)?
158            /usr/local/Printer/(.*/)?inf(/.*)?
159            /etc/cups/cupsd.conf.*
160            /var/lib/cups/certs/.*
161            /opt/gutenprint/ppds(/.*)?
162            /opt/brother/Printers(.*/)?inf(/.*)?
163            /etc/cups/classes.conf.*
164            /etc/cups/printers.conf.*
165            /etc/cups/subscriptions.*
166            /etc/opt/brother/Printers/(.*/)?inf(/.*)?
167            /usr/local/linuxprinter/ppd(/.*)?
168            /var/cache/alchemist/printconf.*
169            /etc/alchemist/namespace/printconf(/.*)?
170            /etc/cups/certs
171            /etc/cups/ppds.dat
172            /var/lib/cups/certs
173            /usr/share/foomatic/db/oldprinterids
174
175       cupsd_tmp_t
176
177
178       cupsd_var_lib_t
179
180            /var/lib/hp(/.*)?
181
182       cupsd_var_run_t
183
184            /var/ccpd(/.*)?
185            /var/ekpd(/.*)?
186            /var/run/hp.*.pid
187            /var/run/hp.*.port
188            /var/run/cups(/.*)?
189            /var/run/hplip(/.*)
190            /var/turboprint(/.*)?
191            /var/run/ecblp0
192
193       faillog_t
194
195            /var/log/btmp.*
196            /var/log/faillog.*
197            /var/log/tallylog.*
198            /var/run/faillock(/.*)?
199
200       krb5_host_rcache_t
201
202            /var/tmp/krb5_0.rcache2
203            /var/cache/krb5rcache(/.*)?
204            /var/tmp/nfs_0
205            /var/tmp/DNS_25
206            /var/tmp/host_0
207            /var/tmp/imap_0
208            /var/tmp/HTTP_23
209            /var/tmp/HTTP_48
210            /var/tmp/ldap_55
211            /var/tmp/ldap_487
212            /var/tmp/ldapmap1_0
213
214       print_spool_t
215
216            /var/spool/lpd(/.*)?
217            /var/spool/cups(/.*)?
218            /var/spool/cups-pdf(/.*)?
219
220       root_t
221
222            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
223            /
224            /initrd
225
226       security_t
227
228            /selinux
229
230       snmpd_var_lib_t
231
232            /var/agentx(/.*)?
233            /var/net-snmp(/.*)
234            /var/lib/snmp(/.*)?
235            /var/net-snmp(/.*)?
236            /var/lib/net-snmp(/.*)?
237            /var/spool/snmptt(/.*)?
238            /usr/share/snmp/mibs/.index
239
240       usbfs_t
241
242
243

FILE CONTEXTS

245       SELinux requires files to have an extended attribute to define the file
246       type.
247
248       You can see the context of a file using the -Z option to ls
249
250       Policy  governs  the  access  confined  processes  have to these files.
251       SELinux cupsd policy is very flexible allowing  users  to  setup  their
252       cupsd processes in as secure a method as possible.
253
254       STANDARD FILE CONTEXT
255
256       SELinux  defines the file context types for the cupsd, if you wanted to
257       store files with these types in a different paths, you need to  execute
258       the  semanage  command  to  specify alternate labeling and then use re‐
259       storecon to put the labels on disk.
260
261       semanage fcontext -a -t cupsd_config_exec_t '/srv/cupsd/content(/.*)?'
262       restorecon -R -v /srv/mycupsd_content
263
264       Note: SELinux often uses regular expressions  to  specify  labels  that
265       match multiple files.
266
267       The following file types are defined for cupsd:
268
269
270
271       cupsd_config_exec_t
272
273       -  Set  files with the cupsd_config_exec_t type, if you want to transi‐
274       tion an executable to the cupsd_config_t domain.
275
276
277       Paths:
278            /usr/sbin/hal_lpadmin,  /usr/libexec/hal_lpadmin,   /usr/bin/cups-
279            config-daemon,   /usr/sbin/printconf-backend,  /usr/lib/udev/udev-
280            configure-printer, /usr/libexec/cups-pk-helper-mechanism
281
282
283       cupsd_config_var_run_t
284
285       - Set files with the cupsd_config_var_run_t type, if you want to  store
286       the cupsd config files under the /run or /var/run directory.
287
288
289
290       cupsd_etc_t
291
292       - Set files with the cupsd_etc_t type, if you want to store cupsd files
293       in the /etc directories.
294
295
296       Paths:
297            /etc/hp(/.*)?, /etc/cups(/.*)?, /usr/share/cups(/.*)?
298
299
300       cupsd_exec_t
301
302       - Set files with the cupsd_exec_t type, if you want  to  transition  an
303       executable to the cupsd_t domain.
304
305
306       Paths:
307            /usr/sbin/hp-[^/]+,   /usr/share/hplip/.*.py,  /usr/lib/cups/back‐
308            end/hp.*,   /usr/bin/hpijs,   /usr/sbin/cupsd,    /usr/sbin/hpiod,
309            /usr/sbin/cups-browsed
310
311
312       cupsd_initrc_exec_t
313
314       -  Set  files with the cupsd_initrc_exec_t type, if you want to transi‐
315       tion an executable to the cupsd_initrc_t domain.
316
317
318
319       cupsd_interface_t
320
321       - Set files with the cupsd_interface_t type, if you want to  treat  the
322       files as cupsd interface data.
323
324
325
326       cupsd_lock_t
327
328       -  Set files with the cupsd_lock_t type, if you want to treat the files
329       as cupsd lock data, stored under the /var/lock directory
330
331
332
333       cupsd_log_t
334
335       - Set files with the cupsd_log_t type, if you want to treat the data as
336       cupsd log data, usually stored under the /var/log directory.
337
338
339       Paths:
340            /var/log/hp(/.*)?, /var/log/cups(/.*)?, /usr/Brother/fax/.*.log.*,
341            /var/log/turboprint.*, /usr/local/Brother/fax/.*.log.*
342
343
344       cupsd_lpd_exec_t
345
346       - Set files with the cupsd_lpd_exec_t type, if you want  to  transition
347       an executable to the cupsd_lpd_t domain.
348
349
350
351       cupsd_lpd_tmp_t
352
353       -  Set  files with the cupsd_lpd_tmp_t type, if you want to store cupsd
354       lpd temporary files in the /tmp directories.
355
356
357
358       cupsd_lpd_var_run_t
359
360       - Set files with the cupsd_lpd_var_run_t type, if you want to store the
361       cupsd lpd files under the /run or /var/run directory.
362
363
364
365       cupsd_rw_etc_t
366
367       - Set files with the cupsd_rw_etc_t type, if you want to store cupsd rw
368       files in the /etc directories.
369
370
371       Paths:
372            /etc/printcap.*,                              /etc/cups/ppd(/.*)?,
373            /usr/Brother/(.*/)?inf(/.*)?,        /usr/Printer/(.*/)?inf(/.*)?,
374            /usr/lib/bjlib(/.*)?, /var/lib/iscan(/.*)?, /var/cache/cups(/.*)?,
375            /etc/cups/certs/.*,              /etc/opt/Brother/(.*/)?inf(/.*)?,
376            /etc/cups/lpoptions.*,     /var/cache/foomatic(/.*)?,     /usr/lo‐
377            cal/Brother/(.*/)?inf(/.*)?,   /usr/local/Printer/(.*/)?inf(/.*)?,
378            /etc/cups/cupsd.conf.*,    /var/lib/cups/certs/.*,     /opt/guten‐
379            print/ppds(/.*)?,            /opt/brother/Printers(.*/)?inf(/.*)?,
380            /etc/cups/classes.conf.*,               /etc/cups/printers.conf.*,
381            /etc/cups/subscriptions.*,                 /etc/opt/brother/Print‐
382            ers/(.*/)?inf(/.*)?,            /usr/local/linuxprinter/ppd(/.*)?,
383            /var/cache/alchemist/printconf.*,  /etc/alchemist/namespace/print‐
384            conf(/.*)?,          /etc/cups/certs,          /etc/cups/ppds.dat,
385            /var/lib/cups/certs, /usr/share/foomatic/db/oldprinterids
386
387
388       cupsd_tmp_t
389
390       -  Set files with the cupsd_tmp_t type, if you want to store cupsd tem‐
391       porary files in the /tmp directories.
392
393
394
395       cupsd_unit_file_t
396
397       - Set files with the cupsd_unit_file_t type, if you want to  treat  the
398       files as cupsd unit content.
399
400
401
402       cupsd_var_lib_t
403
404       -  Set  files  with  the cupsd_var_lib_t type, if you want to store the
405       cupsd files under the /var/lib directory.
406
407
408
409       cupsd_var_run_t
410
411       - Set files with the cupsd_var_run_t type, if you  want  to  store  the
412       cupsd files under the /run or /var/run directory.
413
414
415       Paths:
416            /var/ccpd(/.*)?,        /var/ekpd(/.*)?,        /var/run/hp.*.pid,
417            /var/run/hp.*.port,   /var/run/cups(/.*)?,    /var/run/hplip(/.*),
418            /var/turboprint(/.*)?, /var/run/ecblp0
419
420
421       Note:  File context can be temporarily modified with the chcon command.
422       If you want to permanently change the file context you need to use  the
423       semanage fcontext command.  This will modify the SELinux labeling data‐
424       base.  You will need to use restorecon to apply the labels.
425
426

COMMANDS

428       semanage fcontext can also be used to manipulate default  file  context
429       mappings.
430
431       semanage  permissive  can  also  be used to manipulate whether or not a
432       process type is permissive.
433
434       semanage module can also be used to enable/disable/install/remove  pol‐
435       icy modules.
436
437       semanage boolean can also be used to manipulate the booleans
438
439
440       system-config-selinux is a GUI tool available to customize SELinux pol‐
441       icy settings.
442
443

AUTHOR

445       This manual page was auto-generated using sepolicy manpage .
446
447

SEE ALSO

449       selinux(8),  cupsd(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
450       icy(8),    setsebool(8),    cups_brf_selinux(8),   cups_pdf_selinux(8),
451       cupsd_config_selinux(8), cupsd_lpd_selinux(8)
452
453
454
455cupsd                              23-12-15                   cupsd_selinux(8)
Impressum