[cups] Question about CUPS 1.6.3 on RHEL SELINUX 7.0 (Presently "Permissive")

Helge Blischke helgeblischke at web.de
Mon Feb 23 02:01:25 PST 2015


You need to investigate the following SELinux settings:
1. Check out what SELinux user is associated with the operating system user "lp".
2. Check the role, objects and rules defined for that SELinux user.
3. Modify the rules/objects to make your destination directory accessible
   (writable) for this SELinux user.

Note that a modification like this might be repeated after system updates.


> On 23.02.2015 at 00:32, Kevin King <kevin at precisonline.com> wrote:
> 
> The problem I'm having isn't really a printer, but rather a script that
> I've set up to print to a file. We use this script on all our Linux systems,
> but this is the first time on RHEL 7.  The script is an interface script
> for a printer (0) that just copies a file from the spool directory to a tmp
> directory.
> 
> #!/bin/ksh
> # This printer will output the spooler job to /tmp/spool.
> 
> ENTRY=$1
> USER=$2
> FILE=$6
> NEWFILE=/tmp/spool/${USER}-${ENTRY}
> 
> echo cp ${FILE} ${NEWFILE} >&2
> 
> cp ${FILE} ${NEWFILE}
> chmod 777 ${NEWFILE}
> 
> exit 0
> 
> This was then created as a printer 0 using this:
> 
> lpadmin -p 0 -v file:/dev/null -i /tmp/0
> 
> (/tmp/0 is this script.)
> 
> Note how all this does is copy the CUPS spooler entry to /tmp/spool and
> give it a name of "user-job#".  I have an extra "echo" in there for testing
> but that's inconsequential.
> 
> /tmp exists.  /tmp/spool exists. Both are wide open in terms of permissions:
> 
> sh-4.2# ls -ld /tmp /tmp/spool
> drwxrwxrwt. 23 root root 4096 Feb 21 18:38 /tmp
> drwxrwxrwx   2 root root    6 Feb 21 18:38 /tmp/spool
> 
> I should note that the script runs fine - no errors - when run outside of
> the context of CUPS.  It also runs in CUPS 1.7.2 on an Ubuntu system and on
> CUPS 1.4.2 on RHEL.
> 
> In CUPS, however, here's what happens (from the error_log in CUPS).  First
> up, here's the output of the first echo that I added to show the command
> that is about to run:
> 
> D [21/Feb/2015:18:26:47 -0500] [Job 60] cp /var/spool/cups/d00060-001
> /tmp/spool/root-60
> 
> And then this:
> 
> D [21/Feb/2015:18:26:47 -0500] [Job 60] cp: cannot create regular file
> '/tmp/spool/root-60': No such file or directory
> D [21/Feb/2015:18:26:47 -0500] [Job 60] chmod: cannot access
> '/tmp/spool/root-60': No such file or directory
> 
> This appears to be telling me that CUPS interface scripts (presently
> configured to run as the lp user) have no visibility to the /tmp directory.
> I've also tried updating a log with:
> 
> echo "i am here" > /tmp/out.log
> 
> But nothing ever shows up, as if /tmp is entirely missing.
> 
> I've gone as far as to enable the lp user to login so that I could verify
> that it can see and write to the /tmp/spool directory.  The lp user can see
> the /tmp and /tmp/spool directories, and can write freely to them.  So it
> doesn't appear to be a limitation to permissions or that specific user.
> 
> But what could it be?  I'm running out of options to check.  This exact
> script works brilliantly on RHEL 6.6/CUPS 1.4.2 and also on Ubuntu 14.04
> LTS/CUPS 1.7.2.  On this one system, however, it's as if /tmp just doesn't
> exist.
> 
> Any ideas?
> 
> -K
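
The three steps in the reply at the top depend on knowing which SELinux context the CUPS-launched script runs under and which target label it was refused. The following is an added example, not part of the original thread: a shell helper that groups AVC denial records by source SELinux user and type, target type, object class and permissions. The audit records, the type names in them, and the function names `sample_avc` and `summarize_avc` are constructed for illustration.

```shell
#!/bin/bash
# Added example: summarise SELinux AVC denials (who was refused what, on which label).

# Constructed audit records (not taken from the thread). The type names are
# illustrative assumptions; real ones depend on the installed policy.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1424561207.101:412): avc:  denied  { write } for  pid=2311 comm="cp" name="spool" dev="dm-0" ino=1234 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1424561207.101:412): arch=c000003e syscall=2 comm="cp" exe="/usr/bin/cp"
type=AVC msg=audit(1424561311.007:419): avc:  denied  { write } for  pid=2390 comm="cp" name="spool" dev="dm-0" ino=1234 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1424561311.009:420): avc:  denied  { create write } for  pid=2390 comm="cp" name="root-60" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
EOF
}

# Read audit records on stdin; print one sorted line per distinct denial:
#   count  source_user  source_type  target_type  class  perm[,perm...]
summarize_avc() {
  awk '
    # Return the value of a key=value field on the current record.
    function val(key,   i) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) return substr($i, length(key) + 2)
      return ""
    }
    /avc: +denied/ {
      # Permissions are the words between the braces.
      perms = $0
      sub(/^.*[{] */, "", perms)
      sub(/ *[}].*$/, "", perms)
      gsub(/ /, ",", perms)
      # A context is user:role:type:level; keep the user and the type.
      split(val("scontext"), s, ":")
      split(val("tcontext"), t, ":")
      n[s[1] " " s[3] " " t[3] " " val("tclass") " " perms]++
    }
    END { for (k in n) print n[k], k }
  ' | sort
}

# Stand-alone run over the constructed records.
sample_avc | summarize_avc
```

On a live system the input would come from `ausearch -m AVC -ts recent` piped into `summarize_avc`; in permissive mode the denials are logged but not enforced.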



