On 08/11/2016 10:18 AM, antoine@xxxxxxxxxxxxx wrote:
> xpra printer forwarding works by adding a PDF or PS virtual printer via a cups backend.
> This cups backend then connects to the local xpra server via a unix domain socket and the server then forwards the PDF or PS file to the xpra client for printing.
>
> The problem is connecting to the xpra server socket, which is currently forbidden by the core policy.
>
> Here's what we have to add to make it work at the moment with the server socket in "~/.xpra/":
> userdom_manage_user_home_content_files(cupsd_t)
> userdom_manage_user_home_content_symlinks(cupsd_t)
> userdom_manage_user_home_content_pipes(cupsd_t)
> userdom_manage_user_home_content_sockets(cupsd_t)
>
> Alternatively, if that helps, we can also place the server socket in /run/user/$UID/xpra, but then we still get:
> type=AVC msg=audit(1470902846.451:911): avc: denied { write } for pid=9644 comm="xpra" name="desktop-100" dev="tmpfs" ino=74293 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
> type=AVC msg=audit(1470902846.451:912): avc: denied { connectto } for pid=9644 comm="xpra" path="/run/user/1000/xpra/desktop-100" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
>
> What is the preferred way forward to allow users to have both selinux in enforcing mode and printing to work with xpra by default?
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
>

We could try to label xpra by a label to get it running in a different CUPS domain. What is a path to xpra?

What does chcon -t cups_pdf_exec_t PATHTO/xpra

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
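
Each of the two denials quoted in the thread names the source type, target type, object class and permission of the blocked access. The following Python code is an added example, not part of the thread and not the SELinux project's tooling: it parses those AVC lines and derives the narrow allow rules they correspond to, for comparison with the broad userdom_manage_* interfaces listed in the question. The function names `parse_avc` and `allow_rules` are hypothetical.

```python
import re
from collections import defaultdict

# The two denials quoted in the thread, copied verbatim.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1470902846.451:911): avc: denied { write } for pid=9644 comm="xpra" name="desktop-100" dev="tmpfs" ino=74293 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1',
    'type=AVC msg=audit(1470902846.451:912): avc: denied { connectto } for pid=9644 comm="xpra" path="/run/user/1000/xpra/desktop-100" scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the policy-relevant fields of one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m or not m.group('perms').split():
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    try:
        # A context is user:role:type:level; the MLS level may itself contain ':'.
        return {
            'source': fields['scontext'].split(':')[2],
            'target': fields['tcontext'].split(':')[2],
            'tclass': fields['tclass'],
            'perms': m.group('perms').split(),
            'permissive': fields.get('permissive') == '1',
        }
    except (KeyError, IndexError):
        return None


def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for line in lines:
        avc = parse_avc(line)
        if avc:
            merged[(avc['source'], avc['target'], avc['tclass'])].update(avc['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return rules


if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_AVCS)))
```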