Revision e4cf49d4-e37c-45a9-9843-873722b19485

I've used the PHP [exec][1] command to issue `lpr -P printer_name file_to_print` but after a RHEL system update (7.2 to 7.3), selinux has decided to start blocking these requests. 

The following appears in the audit log, corresponding with the above `cmd` from PHP: 

> time->Thu Nov 3 15:07:02 2016
> 
> type=PATH msg=audit(1478200022.446:5151): item=0
> name="/etc/cups/lpoptions" inode=134317708 dev=fd:03 mode=0100644
> ouid=0 ogid=7 rdev=00:00 obj=system_u:object_r:cupsd_rw_etc_t:s0
> objtype=NORMAL
> 
> type=CWD msg=audit(1478200022.446:5151): cwd="/var/www/html"
> 
> type=SYSCALL msg=audit(1478200022.446:5151): arch=c000003e syscall=2
> success=yes exit=5 a0=7fff26837c70 a1=0 a2=0 a3=9 items=1 ppid=19397
> pid=46644 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="lpr"
> exe="/usr/bin/lpr.cups" subj=system_u:system_r:httpd_t:s0 key=(null)
> 
> type=AVC msg=audit(1478200022.446:5151): avc: denied { open } for 
> pid=46644 comm="lpr" path="/etc/cups/lpoptions" dev="dm-3"
> ino=134317708 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
> 
> type=AVC msg=audit(1478200022.446:5151): avc: denied { read } for 
> pid=46644 comm="lpr" name="lpoptions" dev="dm-3" ino=134317708
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file


Here's the current selinux config: 

 # getsebool -a | grep httpd
 httpd_anon_write --> off
 httpd_builtin_scripting --> on
 httpd_can_check_spam --> off
 httpd_can_connect_ftp --> off
 httpd_can_connect_ldap --> off
 httpd_can_connect_mythtv --> off
 httpd_can_connect_zabbix --> off
 httpd_can_network_connect --> on
 httpd_can_network_connect_cobbler --> off
 httpd_can_network_connect_db --> off
 httpd_can_network_memcache --> off
 httpd_can_network_relay --> off
 httpd_can_sendmail --> on
 httpd_dbus_avahi --> off
 httpd_dbus_sssd --> off
 httpd_dontaudit_search_dirs --> off
 httpd_enable_cgi --> on
 httpd_enable_ftp_server --> off
 httpd_enable_homedirs --> off
 httpd_execmem --> off
 httpd_graceful_shutdown --> on
 httpd_manage_ipa --> off
 httpd_mod_auth_ntlm_winbind --> off
 httpd_mod_auth_pam --> off
 httpd_read_user_content --> off
 httpd_run_ipa --> off
 httpd_run_preupgrade --> off
 httpd_run_stickshift --> off
 httpd_serve_cobbler_files --> off
 httpd_setrlimit --> off
 httpd_ssi_exec --> on
 httpd_sys_script_anon_write --> off
 httpd_tmp_exec --> off
 httpd_tty_comm --> off
 httpd_unified --> off
 httpd_use_cifs --> off
 httpd_use_fusefs --> off
 httpd_use_gpg --> off
 httpd_use_nfs --> on
 httpd_use_openstack --> off
 httpd_use_sasl --> off
 httpd_verify_dns --> off


What is causing the denial?


 [1]: http://php.net/manual/en/function.exec.php