
I've used the PHP exec command to issue `lpr -P printer_name /var/www/html/somefile.pdf`, but after a RHEL system update (7.2 to 7.3), SELinux has decided to start blocking these requests.

SELinux permissions of the file being sent to print:

    ls -lZ /var/www/html/somefile.pdf
    -rw-r-----. apache webdev system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/somefile.pdf

The following appears in the audit log, corresponding with the above cmd from PHP:

time->Thu Nov 3 15:07:02 2016

type=PATH msg=audit(1478200022.446:5151): item=0 name="/etc/cups/lpoptions" inode=134317708 dev=fd:03 mode=0100644 ouid=0 ogid=7 rdev=00:00 obj=system_u:object_r:cupsd_rw_etc_t:s0 objtype=NORMAL

type=CWD msg=audit(1478200022.446:5151): cwd="/var/www/html"

type=SYSCALL msg=audit(1478200022.446:5151): arch=c000003e syscall=2 success=yes exit=5 a0=7fff26837c70 a1=0 a2=0 a3=9 items=1 ppid=19397 pid=46644 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="lpr" exe="/usr/bin/lpr.cups" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1478200022.446:5151): avc: denied { open } for pid=46644 comm="lpr" path="/etc/cups/lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

type=AVC msg=audit(1478200022.446:5151): avc: denied { read } for pid=46644 comm="lpr" name="lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

Here's the current SELinux config:

    # getsebool -a | grep httpd
    httpd_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_check_spam --> off
    httpd_can_connect_ftp --> off
    httpd_can_connect_ldap --> off
    httpd_can_connect_mythtv --> off
    httpd_can_connect_zabbix --> off
    httpd_can_network_connect --> on
    httpd_can_network_connect_cobbler --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_memcache --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> on
    httpd_dbus_avahi --> off
    httpd_dbus_sssd --> off
    httpd_dontaudit_search_dirs --> off
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> off
    httpd_execmem --> off
    httpd_graceful_shutdown --> on
    httpd_manage_ipa --> off
    httpd_mod_auth_ntlm_winbind --> off
    httpd_mod_auth_pam --> off
    httpd_read_user_content --> off
    httpd_run_ipa --> off
    httpd_run_preupgrade --> off
    httpd_run_stickshift --> off
    httpd_serve_cobbler_files --> off
    httpd_setrlimit --> off
    httpd_ssi_exec --> on
    httpd_sys_script_anon_write --> off
    httpd_tmp_exec --> off
    httpd_tty_comm --> off
    httpd_unified --> off
    httpd_use_cifs --> off
    httpd_use_fusefs --> off
    httpd_use_gpg --> off
    httpd_use_nfs --> on
    httpd_use_openstack --> off
    httpd_use_sasl --> off
    httpd_verify_dns --> off

What is causing the denial?

1 Answer

I ended up installing some additional SELinux tools to help troubleshoot:

    yum install setroubleshoot setools

Then ran

    sealert -a /var/log/audit/audit.log

The output suggested the following modifications:

    ausearch -c 'lpr' --raw | audit2allow -M my-lpr
    semodule -i my-lpr.pp
    ausearch -c 'wkhtmltopdf-amd' --raw | audit2allow -M my-wkhtmltopdfamd
    semodule -i my-wkhtmltopdfamd.pp

Issued those commands and am now able to print from my PHP app again.
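Before loading a module that audit2allow generates for httpd_t, it is worth seeing exactly which rules the AVC records translate into, since every allow rule widens what the web server process may touch. The script below is an added example, not code from the question or answer: `avc_to_te` parses raw AVC records from stdin and prints the allow rules audit2allow would derive (source type, target type, class, merged permissions); `SAMPLE_AVC` is constructed from the two denial lines in the question.

```shell
#!/bin/sh
# Constructed sample: the two AVC records from the question's audit log.
SAMPLE_AVC='type=AVC msg=audit(1478200022.446:5151): avc: denied { open } for pid=46644 comm="lpr" path="/etc/cups/lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=AVC msg=audit(1478200022.446:5151): avc: denied { read } for pid=46644 comm="lpr" name="lpoptions" dev="dm-3" ino=134317708 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file'

# avc_to_te: read AVC denial records on stdin and print one
# "allow SRC TGT:CLASS { perms };" rule per (source, target, class),
# with the permissions of all matching records merged and sorted.
avc_to_te() {
    # Pass 1: one line per denied permission: "src tgt:class perm".
    awk '
    /type=AVC/ && /avc: +denied/ {
        # The permission list sits between "{ " and " }".
        if (match($0, /\{[^}]*\}/) == 0) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # Third colon-separated field of a context is the SELinux type.
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) if (p[j] != "") print src, tgt ":" cls, p[j]
    }' |
    sort -u |
    # Pass 2: input is sorted, so group consecutive lines with the same key.
    awk '{
        key = $1 " " $2
        if (key != prev) {
            if (prev != "") print "allow " prev " { " perms " };"
            prev = key; perms = $3
        } else {
            perms = perms " " $3
        }
    }
    END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te
```

On a live system the input would come from `ausearch -c 'lpr' --raw`, and the printed rules can be checked against the `.te` file that `audit2allow -M` writes before running `semodule -i`.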
