[cups] Question about CUPS 1.6.3 on RHEL SELINUX 7.0 (Presently "Permissive")

Kevin King kevin at precisonline.com
Mon Feb 23 06:20:45 PST 2015


I have tried with SELINUX both disabled and in permissive mode with no
change. In either of these configurations does it not rule out SELINUX as
being the cause? Is CUPS using the enhanced security even when it has been
disabled? We have this working on other SELINUX systems in permissive mode.

On Monday, February 23, 2015, Helge Blischke <helgeblischke at web.de> wrote:

> You need to investigate the following SELinux settings:
> 1.      Check out what SELinux user is associated with the operating
>         system user "lp".
> 2.      Check the role, objects and rules defined for that SELinux user.
> 3.      Modify the rules/objects to make your destination directory
>         accessible (writable) for this SELinux user.
>
> Note that a modification like this might be repeated after system updates.
>
>
> > On 23.02.2015 at 00:32, Kevin King <kevin at precisonline.com> wrote:
> >
> > The problem I'm having isn't really a printer, but rather a script that
> > I've set up to print to a file. We use this script on all our Linux systems,
> > but this is the first time on RHEL 7.  The script is an interface script
> > for a printer (0) that just copies a file from the spool directory to a tmp
> > directory.
> >
> > #!/bin/ksh
> > # This printer will output the spooler job to /tmp/spool.
> >
> > ENTRY=$1
> > USER=$2
> > FILE=$6
> > NEWFILE=/tmp/spool/${USER}-${ENTRY}
> >
> > echo cp ${FILE} ${NEWFILE} >&2
> >
> > cp ${FILE} ${NEWFILE}
> > chmod 777 ${NEWFILE}
> >
> > exit 0
> >
> > This was then created as a printer 0 using this:
> >
> > lpadmin -p 0 -v file:/dev/null -i /tmp/0
> >
> > (/tmp/0 is this script.)
> >
> > Note how all this does is copy the CUPS spooler entry to /tmp/spool and
> > give it a name of "user-job#".  I have an extra "echo" in there for testing
> > but that's inconsequential.
> >
> > /tmp exists.  /tmp/spool exists. Both are wide open in terms of permissions:
> >
> > sh-4.2# ls -ld /tmp /tmp/spool
> > drwxrwxrwt. 23 root root 4096 Feb 21 18:38 /tmp
> > drwxrwxrwx   2 root root    6 Feb 21 18:38 /tmp/spool
> >
> > I should note that the script runs fine - no errors - when run outside of
> > the context of CUPS.  It also runs in CUPS 1.7.2 on an Ubuntu system and on
> > CUPS 1.4.2 on RHEL.
> >
> > In CUPS, however, here's what happens (from the error_log in CUPS).  First
> > up, here's the output of the first echo that I added to show the command
> > that is about to run:
> >
> > D [21/Feb/2015:18:26:47 -0500] [Job 60] cp /var/spool/cups/d00060-001 /tmp/spool/root-60
> >
> > And then this:
> >
> > D [21/Feb/2015:18:26:47 -0500] [Job 60] cp: cannot create regular file '/tmp/spool/root-60': No such file or directory
> > D [21/Feb/2015:18:26:47 -0500] [Job 60] chmod: cannot access '/tmp/spool/root-60': No such file or directory
> >
> > This appears to be telling me that CUPS interface scripts (presently
> > configured to run as the lp user) have no visibility to the /tmp directory.
> > I've also tried updating a log with:
> >
> > echo "i am here" > /tmp/out.log
> >
> > But nothing ever shows up, as if /tmp is entirely missing.
> >
> > I've gone as far as to enable the lp user to log in so that I could verify
> > that it can see and write to the /tmp/spool directory.  The lp user can see
> > the /tmp and /tmp/spool directories, and can write freely to them.  So it
> > doesn't appear to be a limitation to permissions or that specific user.
> >
> > But what could it be?  I'm running out of options to check.  This exact
> > script works brilliantly on RHEL 6.6/CUPS 1.4.2 and also on Ubuntu 14.04
> > LTS/CUPS 1.7.2.  On this one system, however, it's as if /tmp just doesn't
> > exist.
> >
> > Any ideas?
> >
> > -K
> > _______________________________________________
> > cups mailing list
> > cups at cups.org
> > https://www.cups.org/mailman/listinfo/cups


-- 
-K
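
A diagnostic for the question this thread leaves open, as an added example that is not part of the original messages: it reports, from inside the CUPS job, the account, the SELinux mode and process context, and how /tmp and /tmp/spool look to the script. The function names (`selinux_mode`, `probe_dir`, `probe_env`) are hypothetical, and it assumes stderr reaches error_log at debug level, as the `echo ... >&2` output in the thread does.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Function names are hypothetical.

# Print the SELinux mode, or "unavailable" when getenforce is absent.
selinux_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce 2>/dev/null || echo unavailable
    else
        echo unavailable
    fi
}

# Describe one path as the calling process sees it; status 1 if it is missing.
probe_dir() {
    dir=$1
    if [ ! -e "$dir" ]; then
        echo "probe: $dir MISSING"
        return 1
    fi
    if [ -d "$dir" ] && [ -w "$dir" ]; then state=writable; else state=not-writable; fi
    # A different inode than a login shell reports for the same path means
    # the job is looking at a different directory.
    inode=$(ls -di "$dir" 2>/dev/null | awk '{print $1}')
    echo "probe: $dir $state inode=$inode"
    # Ownership, mode and (where ls supports -Z) the SELinux label.
    echo "probe: $(ls -ldZ "$dir" 2>/dev/null || ls -ld "$dir")"
}

# Report identity, SELinux state and each path; status = number missing.
probe_env() {
    echo "probe: user=$(id -un) selinux=$(selinux_mode)"
    echo "probe: context=$(id -Z 2>/dev/null || echo none)"
    missing=0
    for d in "$@"; do
        probe_dir "$d" || missing=$((missing + 1))
    done
    echo "probe: missing=$missing"
    return "$missing"
}

# stderr is what the thread shows arriving in error_log as "D ... [Job N]".
probe_env /tmp /tmp/spool >&2 || true
```

Run the same file once from a login shell as lp and once as the interface script for a test queue, then compare the two sets of `probe:` lines.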


