xpra printer forwarding works by adding a PDF or PS virtual printer via a cups backend.
This cups backend then connects to the local xpra server via a unix domain socket and the server then forwards the PDF or PS file to the xpra client for printing.
The problem is connecting to the xpra server socket, which is currently forbidden by the core policy.
Here's what we have to add to make it work at the moment with the server socket in "~/.xpra/":
userdom_manage_user_home_content_files(cupsd_t)
userdom_manage_user_home_content_symlinks(cupsd_t)
userdom_manage_user_home_content_pipes(cupsd_t)
userdom_manage_user_home_content_sockets(cupsd_t)
Alternatively, if that helps, we can also place the server socket in /run/user/$UID/xpra, but then we still get:
type=AVC msg=audit(1470902846.451:911): avc: denied { write } for pid=9644 comm="xpra" name="desktop-100" dev="tmpfs" ino=74293 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1470902846.451:912): avc: denied { connectto } for pid=9644 comm="xpra" path="/run/user/1000/xpra/desktop-100" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
What is the preferred way forward to allow users to have both selinux in enforcing mode and printing to work with xpra by default?
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
