SE Linux and printing
SELinux (Security Enhanced Linux) is a security technology that has been incorporated into some mainstream GNU/Linux distributions. It is enabled by default in Red Hat Enterprise Linux (versions 4 and above) and Fedora Core (versions 3 and above).
The primary purpose of SELinux is to define and enforce a system-wide security policy limiting the capabilities of system processes. If an attacker manages to exploit a security hole in a program, the attacker is limited to the permissions allowed for that program, and cannot access other parts of the system.
If you cannot use VNC Enterprise Edition to print host computer files, it may be because SELinux policy has been applied to CUPS (the Common UNIX Printing System, allowing a computer to act as a print server). This document explains how to get printing working without compromising the security of your system.
If you are not having difficulty printing host computer files, you can ignore this document.
Establishing SELinux as the cause of printing problems
To determine if SELinux is active on your system, run the following command as root:
getenforce
(This and other commands are installed in /usr/sbin; it may be useful to add this to your $PATH.) If Enforcing is output, then SELinux is enabled and is blocking unauthorised actions. If Permissive is output, then SELinux logs policy violations but does not block them. If Disabled is output, SELinux is completely disabled, and is not the cause of printing problems. See the User Guide for more on troubleshooting printing.
If SELinux is enabled, you can quickly determine whether SELinux is the cause of printing problems by (temporarily) disabling it. Use the command:
setenforce 0
This puts SELinux into Permissive Mode, which persists until the system reboots. Disconnect and reconnect VNC Viewer, and try printing again. After the test, re-enable SELinux with the command:
setenforce 1
If printing works when SELinux is disabled, you need to install a policy module on the system. This is a set of rules that define exceptions to the normal SELinux enforcement policy. Choose one of the options below.
Option 1: Using a pre-compiled policy module
This option is recommended. Download the policy module for your distribution from the list below and install it using the command:
semodule -i <policy module>
Fedora 8: Install cups_vnc_fc8.pp.
Fedora 9 & 10: Install cups_vnc_fc8.pp. In addition, try installing cups_vnc_fc9.pp. (Note: if this latter module does not install, it is not needed.)
RHEL 4: Unfortunately, RHEL 4 does not support policy modules. You will need to follow the instructions in Option 2: Disabling SELinux.
RHEL 5: Install cups_vnc_rhel5.pp.
Option 2: Disabling SELinux
Depending on your distribution, you can disable SELinux either just for CUPS or globally, print, and then re-enable it afterwards. This is not generally recommended, but note that you can do it once and then use the denials logged while SELinux is in Permissive Mode to create your own policy module, so that you do not have to do it again. See Option 3: Creating a new policy module for CUPS for more information.
Disabling SELinux for CUPS
Recent versions of SELinux (such as that in Fedora 10) have introduced the concept of permissive domains, which allow you to disable SELinux protection for CUPS but leave it active for the rest of the system. This is better than disabling SELinux for the whole system, but it does remove any SELinux protections for CUPS. Use this command:
semanage permissive -a cupsd_t
to add CUPS (cupsd_t) to the list of permissive domains. This is a permanent change that survives a reboot.
To remove CUPS from the permissive domains after printing, so that SELinux enforcement for CUPS is restored, use the command:
semanage permissive -d cupsd_t
Disabling SELinux globally
Older versions of SELinux do not allow this fine-grained configuration and you will need to disable SELinux globally using the following command:
setenforce 0
To re-enable SELinux after printing, use the command:
setenforce 1
Option 3: Creating a new policy module for CUPS
Depending on your distribution, you may be able to create a local policy module that enables you to print and leave SELinux enabled. Note that some early SELinux systems (such as RHEL 4) do not support policy modules, in which case you will need to recompile system policy; this is beyond the scope of this document.
To create a local policy module, it is first advisable to rotate the SELinux audit logs using the command:
killall -SIGUSR1 auditd
This ensures that only the relevant SELinux denials are included in the /var/log/audit/audit.log file.
You need to disable any SELinux "dontaudit" rules, so that all policy violations are logged. This is necessary on some systems because certain permissions (such as "search") might not be logged by default, and you need to capture all SELinux violations that occur during printing. Use the command appropriate to your distribution below:
- RHEL 5, CentOS 5, Fedora Core 6 & 7:
  semodule -b /usr/share/selinux/targeted/enableaudit.pp
- Fedora 8 and above:
  semodule -DB
Next, put SELinux into Permissive Mode using the setenforce 0 command.
Use VNC Enterprise Edition to print a host computer file (you will need to disconnect and then reconnect if a connection is currently in progress).
After printing is complete, use the audit2allow tool to generate a set of rules from the audit logs. These rules go in the new policy module. Use the command:
grep cups /var/log/audit/audit.log | audit2allow
The output should look something like this:
#============= cupsd_t ==============
The "search" rules are usually needed for printing to work (an exception to this, at the time of publication, is Fedora 8 with the latest updates installed). If they are not present, it's likely that the SELinux "dontaudit" rules are still taking effect (a "dontaudit" policy rule means that the policy violation will be silently blocked by SELinux). You may need to manually inspect the audit log and tweak the grep command. Or it may be necessary to manually extract the relevant "denial" entries from the audit logs into a separate file.
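The following POSIX shell example is added here and is not part of the original article or the VNC product: it shows, on constructed audit records, why a bare "grep cups" filter may need tweaking (it also matches granted decisions, other domains touching paths named "cups", and non-AVC records), and it previews the allow rules audit2allow would derive from the cupsd_t denials so you can confirm the "search" rules are present. The record contents, process names and target types (user_tmp_t, httpd_t, cupsd_etc_t) are assumptions made up for this example.

```shell
#!/bin/sh
# Added example (not from the original article): isolate the AVC denials that
# belong to the cupsd_t domain and preview the allow rules audit2allow would
# derive from them. The audit records below are constructed for this example.
SAMPLE_AUDIT='type=AVC msg=audit(1230000000.101:11): avc:  denied  { search } for  pid=2345 comm="cupsd" name="tmp" dev=sda1 ino=12 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=dir
type=AVC msg=audit(1230000000.102:12): avc:  denied  { read } for  pid=2345 comm="cupsd" name="print.pdf" dev=sda1 ino=13 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1230000000.103:13): avc:  granted  { read } for  pid=2345 comm="cupsd" name="print.pdf" dev=sda1 ino=13 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1230000000.104:14): avc:  denied  { read } for  pid=3001 comm="httpd" name="cups" dev=sda1 ino=14 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_etc_t:s0 tclass=dir
type=SYSCALL msg=audit(1230000000.101:11): arch=40000003 syscall=5 success=no exit=-13 comm="cupsd" subj=system_u:system_r:cupsd_t:s0'

# A bare "grep cups" keeps all five records above. Only the first two are
# denials raised by cupsd_t: the third was granted, the fourth is httpd_t
# touching a path called "cups", and the fifth is not an AVC record at all.
filter_cups_denials() {
    printf '%s\n' "$1" \
        | grep '^type=AVC ' \
        | grep 'avc:  denied ' \
        | grep 'scontext=[^ ]*:cupsd_t:'
}

# Reduce each denial to "allow <src type> <tgt type>:<class> <perms>;", the
# shape audit2allow prints under its "#===== cupsd_t =====" header, so the
# presence of the "search" rules can be checked before building a module.
sketch_allow_rules() {
    filter_cups_denials "$1" | awk '
    {
        perm = ""; src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{")                      # permissions sit between { and }
                for (j = i + 1; j <= NF && $j != "}"; j++) {
                    if (perm == "") perm = $j; else perm = perm " " $j
                }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (index(perm, " ")) perm = "{ " perm " }"
        if (perm != "" && src != "" && tgt != "" && cls != "")
            print "allow " src " " tgt ":" cls " " perm ";"
    }' | sort -u
}

sketch_allow_rules "$SAMPLE_AUDIT"
```

On a real system replace the constructed variable with the contents of /var/log/audit/audit.log and still build the module with audit2allow -M; the sketch is only a readable preview, not a substitute for the tool.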
Once you are happy with the "allow" rules, create the policy module using a command similar to the one below (use the same grep filter, or whatever you used to generate your rule set):
grep cups /var/log/audit/audit.log | audit2allow -M cupsvnc
The command above creates a policy module called cupsvnc.pp (this is an arbitrary name; it just needs to be unique on your system). Install this module using the command:
semodule -i cupsvnc.pp
This is a permanent change that survives a reboot. After the policy module is installed into the system, you can delete the cupsvnc.pp file (or equivalent).
You can now re-enable SELinux again (setenforce 1) and use VNC Enterprise Edition to print a host computer file (you will need to disconnect and then reconnect if a connection is currently in progress).
Once printing is working, re-enable the "dontaudit" rules using the command appropriate to your distribution below:
- RHEL 5, CentOS 5, Fedora Core 6 & 7:
  semodule -b /usr/share/selinux/targeted/base.pp
- Fedora 8 and above:
  semodule -B
