I've used the PHP exec command to issue lpr -P printer_name file_to_print but after a RHEL system update (7.2 to 7.3), selinux has decided to start blocking these requests.

The following appears in the audit log, corresponding with the above cmd from PHP:

time->Thu Nov 3 15:07:02 2016

type=PATH msg=audit(1478200022.446:5151): item=0 name="/etc/cups/lpoptions" inode=134317708 dev=fd:03 mode=0100644 ouid=0 ogid=7 rdev=00:00 obj=system_u:object_r:cupsd_rw_etc_t:s0 objtype=NORMAL

type=CWD msg=audit(1478200022.446:5151): cwd="/var/www/html"

type=SYSCALL msg=audit(1478200022.446:5151): arch=c000003e syscall=2 success=yes exit=5 a0=7fff26837c70 a1=0 a2=0 a3=9 items=1 ppid=19397 pid=46644 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="lpr" exe="/usr/bin/lpr.cups" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1478200022.446:5151): avc: denied { open } for pid=46644 comm="lpr" path="/etc/cups/lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

type=AVC msg=audit(1478200022.446:5151): avc: denied { read } for pid=46644 comm="lpr" name="lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

Here's the current selinux config:

# getsebool -a | grep httpd httpd_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_connect_ftp --> off httpd_can_connect_ldap --> off httpd_can_connect_mythtv --> off httpd_can_connect_zabbix --> off httpd_can_network_connect --> on httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> on httpd_dbus_avahi --> off httpd_dbus_sssd --> off httpd_dontaudit_search_dirs --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_graceful_shutdown --> on httpd_manage_ipa --> off httpd_mod_auth_ntlm_winbind --> off httpd_mod_auth_pam --> off httpd_read_user_content --> off httpd_run_ipa --> off httpd_run_preupgrade --> off httpd_run_stickshift --> off httpd_serve_cobbler_files --> off httpd_setrlimit --> off httpd_ssi_exec --> on httpd_sys_script_anon_write --> off httpd_tmp_exec --> off httpd_tty_comm --> off httpd_unified --> off httpd_use_cifs --> off httpd_use_fusefs --> off httpd_use_gpg --> off httpd_use_nfs --> on httpd_use_openstack --> off httpd_use_sasl --> off httpd_verify_dns --> off 

What is causing the denial?

I've used the PHP exec command to issue lpr -P printer_name /var/www/html/somefile.pdf but after a RHEL system update (7.2 to 7.3), selinux has decided to start blocking these requests.

selinux permissions of the file being sent to print:

ls -lZ /var/www/html/somefile.pdf -rw-r-----. apache webdev system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/somefile.pdf 

The following appears in the audit log, corresponding with the above cmd from PHP:

time->Thu Nov 3 15:07:02 2016

type=PATH msg=audit(1478200022.446:5151): item=0 name="/etc/cups/lpoptions" inode=134317708 dev=fd:03 mode=0100644 ouid=0 ogid=7 rdev=00:00 obj=system_u:object_r:cupsd_rw_etc_t:s0 objtype=NORMAL

type=CWD msg=audit(1478200022.446:5151): cwd="/var/www/html"

type=SYSCALL msg=audit(1478200022.446:5151): arch=c000003e syscall=2 success=yes exit=5 a0=7fff26837c70 a1=0 a2=0 a3=9 items=1 ppid=19397 pid=46644 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="lpr" exe="/usr/bin/lpr.cups" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1478200022.446:5151): avc: denied { open } for pid=46644 comm="lpr" path="/etc/cups/lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

type=AVC msg=audit(1478200022.446:5151): avc: denied { read } for pid=46644 comm="lpr" name="lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

Here's the current selinux config:

# getsebool -a | grep httpd httpd_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_connect_ftp --> off httpd_can_connect_ldap --> off httpd_can_connect_mythtv --> off httpd_can_connect_zabbix --> off httpd_can_network_connect --> on httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> on httpd_dbus_avahi --> off httpd_dbus_sssd --> off httpd_dontaudit_search_dirs --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_graceful_shutdown --> on httpd_manage_ipa --> off httpd_mod_auth_ntlm_winbind --> off httpd_mod_auth_pam --> off httpd_read_user_content --> off httpd_run_ipa --> off httpd_run_preupgrade --> off httpd_run_stickshift --> off httpd_serve_cobbler_files --> off httpd_setrlimit --> off httpd_ssi_exec --> on httpd_sys_script_anon_write --> off httpd_tmp_exec --> off httpd_tty_comm --> off httpd_unified --> off httpd_use_cifs --> off httpd_use_fusefs --> off httpd_use_gpg --> off httpd_use_nfs --> on httpd_use_openstack --> off httpd_use_sasl --> off httpd_verify_dns --> off 

What is causing the denial?

I've used the PHP exec command to issue lpr -P printer_name file_to_print but after a RHEL system update (7.2 to 7.3), selinux has decided to start blocking these requests.

The following appears in the audit log, corresponding with the above cmd from PHP:

time->Thu Nov 3 15:07:02 2016

type=PATH msg=audit(1478200022.446:5151): item=0 name="/etc/cups/lpoptions" inode=134317708 dev=fd:03 mode=0100644 ouid=0 ogid=7 rdev=00:00 obj=system_u:object_r:cupsd_rw_etc_t:s0 objtype=NORMAL

type=CWD msg=audit(1478200022.446:5151): cwd="/var/www/html"

type=SYSCALL msg=audit(1478200022.446:5151): arch=c000003e syscall=2 success=yes exit=5 a0=7fff26837c70 a1=0 a2=0 a3=9 items=1 ppid=19397 pid=46644 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="lpr" exe="/usr/bin/lpr.cups" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1478200022.446:5151): avc: denied { open } for pid=46644 comm="lpr" path="/etc/cups/lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

type=AVC msg=audit(1478200022.446:5151): avc: denied { read } for pid=46644 comm="lpr" name="lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

What is causing the denial?

I've used the PHP exec command to issue lpr -P printer_name file_to_print but after a RHEL system update (7.2 to 7.3), selinux has decided to start blocking these requests.

The following appears in the audit log, corresponding with the above cmd from PHP:

time->Thu Nov 3 15:07:02 2016

type=PATH msg=audit(1478200022.446:5151): item=0 name="/etc/cups/lpoptions" inode=134317708 dev=fd:03 mode=0100644 ouid=0 ogid=7 rdev=00:00 obj=system_u:object_r:cupsd_rw_etc_t:s0 objtype=NORMAL

type=CWD msg=audit(1478200022.446:5151): cwd="/var/www/html"

type=SYSCALL msg=audit(1478200022.446:5151): arch=c000003e syscall=2 success=yes exit=5 a0=7fff26837c70 a1=0 a2=0 a3=9 items=1 ppid=19397 pid=46644 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="lpr" exe="/usr/bin/lpr.cups" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1478200022.446:5151): avc: denied { open } for pid=46644 comm="lpr" path="/etc/cups/lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

type=AVC msg=audit(1478200022.446:5151): avc: denied { read } for pid=46644 comm="lpr" name="lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

Here's the current selinux config:

# getsebool -a | grep httpd httpd_anon_write --> off httpd_builtin_scripting --> on httpd_can_check_spam --> off httpd_can_connect_ftp --> off httpd_can_connect_ldap --> off httpd_can_connect_mythtv --> off httpd_can_connect_zabbix --> off httpd_can_network_connect --> on httpd_can_network_connect_cobbler --> off httpd_can_network_connect_db --> off httpd_can_network_memcache --> off httpd_can_network_relay --> off httpd_can_sendmail --> on httpd_dbus_avahi --> off httpd_dbus_sssd --> off httpd_dontaudit_search_dirs --> off httpd_enable_cgi --> on httpd_enable_ftp_server --> off httpd_enable_homedirs --> off httpd_execmem --> off httpd_graceful_shutdown --> on httpd_manage_ipa --> off httpd_mod_auth_ntlm_winbind --> off httpd_mod_auth_pam --> off httpd_read_user_content --> off httpd_run_ipa --> off httpd_run_preupgrade --> off httpd_run_stickshift --> off httpd_serve_cobbler_files --> off httpd_setrlimit --> off httpd_ssi_exec --> on httpd_sys_script_anon_write --> off httpd_tmp_exec --> off httpd_tty_comm --> off httpd_unified --> off httpd_use_cifs --> off httpd_use_fusefs --> off httpd_use_gpg --> off httpd_use_nfs --> on httpd_use_openstack --> off httpd_use_sasl --> off httpd_verify_dns --> off 

What is causing the denial?