SELinux denies cups-lpd read access to cups.sock in RHEL

Solution Unverified - Updated

Environment

  • Red Hat Enterprise Linux 7 and 8

Issue

  • SELinux logs a denial that appears to be spurious. On this system we installed cups and cups-lpd and both are operating. SELinux is preventing /usr/lib/cups/daemon/cups-lpd from read access on the sock_file cups.sock.

Resolution

A permanent solution to this issue has been released in RHEL 8. Please upgrade to the latest version of selinux-policy available for RHEL 8 to resolve this. More information can be found in RHBA-2021:4420. This issue will not be addressed via a code change in RHEL 7.

This issue does not actually affect functionality. Although SELinux denies cups-lpd read access to the Unix domain socket /var/run/cups/cups.sock, the ability of cups-lpd to transfer print jobs received via LPD to the local CUPS server is not inhibited. When cups-lpd detects that the Unix domain socket is inaccessible, it attempts to connect to the local CUPS server using TCP/IP on localhost:631. This connection succeeds and the print job transfer continues.

Since this issue doesn't affect the ability of cups-lpd to submit print jobs to CUPS, it can be ignored in most cases. It is possible to create a custom SELinux module to work around this issue, but please be aware that Red Hat doesn't support creating custom SELinux policy modules, because this breaks the Production Support Scope of Coverage. If you are not an expert, consult your Red Hat sales representative and request consulting services.

The following Knowledgebase Solution explains how to create custom SELinux policy modules:

How to create its own custom SELinux policy module wisely

Following the instructions in that Solution, you can create a custom SELinux policy module to work around this problem by doing the following:

  1. Install the tools required to build the module:

     yum -y install policycoreutils-devel setools-console yum-utils rpm-build make
    
  2. Create a file with the policy that should work around this issue:

     cat > local_cupslpd-read-cupssock.te << __EOF__
     module local_cupslpd-read-cupssock 1.0;
     
     require {
     	type cupsd_var_run_t;
     	type cupsd_lpd_t;
     	class sock_file read;
     }
     
     #============= cupsd_lpd_t ==============
     allow cupsd_lpd_t cupsd_var_run_t:sock_file read;
     __EOF__
    
  3. Compile the policy module:

     make -f /usr/share/selinux/devel/Makefile local_cupslpd-read-cupssock.pp
    
  4. Install the policy module:

     semodule -i local_cupslpd-read-cupssock.pp
    
  5. Verify that the module is installed:

     # sesearch --allow | grep cupsd_lpd_t | grep cupsd_var_run_t
     allow cupsd_lpd_t cupsd_var_run_t:dir { getattr open search };
     allow cupsd_lpd_t cupsd_var_run_t:sock_file { append getattr open read write };

     The last line should now include the "read" operation.

Diagnostic Steps

When the SELinux denial occurs, the following lines will appear in /var/log/audit/audit.log:

type=AVC msg=audit(1611337553.457:1827): avc:  denied  { read } for  pid=19870 comm="cups-lpd" name="cups.sock" dev="tmpfs" ino=41315 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=0

and the SELinux Troubleshooter (sealert) may include the following:

SELinux is preventing /usr/lib/cups/daemon/cups-lpd from read access on the sock_file cups.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that cups-lpd should be allowed read access on the cups.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'cups-lpd' --raw | audit2allow -M my-cupslpd
# semodule -i my-cupslpd.pp

Additional Information:
Source Context                system_u:system_r:cupsd_lpd_t:s0
Target Context                system_u:object_r:cupsd_var_run_t:s0
Target Objects                cups.sock [ sock_file ]
Source                        cups-lpd
Source Path                   /usr/lib/cups/daemon/cups-lpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           cups-lpd-1.6.3-51.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     host.example.com
Platform                      Linux host.example.com
                              3.10.0-1160.11.1.el7.x86_64 #1 SMP Mon Nov 30
                              13:05:31 EST 2020 x86_64 x86_64
Alert Count                   14
First Seen                    2021-01-21 10:17:09 CET
Last Seen                     2021-01-21 13:19:09 CET
Local ID                      123abc45-67d8-90e1-12f3-457g4hi890h1

Raw Audit Messages
type=AVC msg=audit(1611231549.598:1553): avc:  denied  { read } for  pid=4347
comm="cups-lpd" name="cups.sock" dev="tmpfs" ino=20530
scontext=system_u:system_r:cupsd_lpd_t:s0
tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=1

type=SYSCALL msg=audit(1611231549.598:1553): arch=x86_64 syscall=access success=yes exit=0
a0=3fhj39fh39fh a1=4 a2=eifjei23 a3=eifj9030fj3n items=0 ppid=1 pid=4347
auid=3847567495 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7
tty=(none) ses=4294967295 comm=cups-lpd
exe=/usr/lib/cups/daemon/cups-lpd subj=system_u:system_r:cupsd_lpd_t:s0 key=(null)
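As an added example, not part of this Red Hat solution, the following POSIX shell helper classifies audit records so that the known-benign cupsd_lpd_t to cupsd_var_run_t sock_file read denial quoted above can be separated from any other AVC denials that do need attention. The sample records are constructed here (the third, with an etc_t target, is invented purely to give the counter something to flag).

```shell
#!/bin/sh
# Added triage helper (not part of the Red Hat solution): classifies AVC
# records from /var/log/audit/audit.log so that the known-benign cups-lpd
# socket denial described on this page can be told apart from other denials.
# Matching is on the scontext/tcontext/tclass fields, not on pid, inode or
# timestamp, which vary between systems.

# Classify one audit record. Prints:
#   cups-lpd-sock-read  for the cupsd_lpd_t -> cupsd_var_run_t sock_file read denial
#   other-avc           for any other AVC denial (needs a real look)
#   not-avc             for SYSCALL and other record types
classify_avc() {
    case "$1" in
        type=AVC*denied*"{ read }"*scontext=*:cupsd_lpd_t:*tcontext=*:cupsd_var_run_t:*tclass=sock_file*)
            echo cups-lpd-sock-read ;;
        type=AVC*denied*)
            echo other-avc ;;
        *)
            echo not-avc ;;
    esac
}

# Read audit records on stdin and print how many AVC denials are NOT the
# known cups-lpd socket denial. 0 means every denial in the input is the one
# this page says can be ignored.
count_unexpected_avcs() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_avc "$line")" = other-avc ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample records: the first two are modelled on the denial quoted
# in Diagnostic Steps; the third is a made-up unrelated denial (etc_t target).
SAMPLE_LOG=$(cat <<'__EOF__'
type=AVC msg=audit(1611337553.457:1827): avc:  denied  { read } for  pid=19870 comm="cups-lpd" name="cups.sock" dev="tmpfs" ino=41315 scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1611337553.457:1827): arch=x86_64 syscall=access comm="cups-lpd" exe=/usr/lib/cups/daemon/cups-lpd
type=AVC msg=audit(1611337600.000:1900): avc:  denied  { write } for  pid=19999 comm="cups-lpd" name="foo.conf" scontext=system_u:system_r:cupsd_lpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
__EOF__
)

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do classify_avc "$line"; done
printf 'unexpected denials: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_unexpected_avcs)"
```

On a real system, feed it the live log with `count_unexpected_avcs < /var/log/audit/audit.log`; only a non-zero count warrants investigation beyond this solution.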

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.