SELinux prevents /usr/lib/cups/daemon/cups-lpd from read access on the sock_file cups.sock on a Linux server

Even though SELinux denies /usr/lib/cups/daemon/cups-lpd read access to the sock_file cups.sock, cups-lpd will still successfully migrate print jobs received via LPD to the local CUPS server. You can either ignore this denial or create a custom SELinux policy module that allows the access. The steps to create a custom SELinux policy module are listed below:

  • Install the required packages with yum -y install setools-console yum-utils policycoreutils-devel rpm-build make
  • Create a file named local_cupslpd-read-cupssock.te in vi with the following contents:

module local_cupslpd-read-cupssock 1.0;

require {
        type cupsd_var_run_t;
        type cupsd_lpd_t;
        class sock_file read;
}

#============= cupsd_lpd_t ==============
allow cupsd_lpd_t cupsd_var_run_t:sock_file read;

  • Compile the SELinux policy module with make -f /usr/share/selinux/devel/Makefile local_cupslpd-read-cupssock.pp
  • Install the policy module with semodule -i local_cupslpd-read-cupssock.pp
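Before installing a module like this, it is worth confirming that its single allow rule matches exactly what was denied and nothing more. The script below is an added example, not part of the original procedure: it classifies AVC records against the rule from the .te file above. The function names and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): classify AVC denials against
# the single rule in local_cupslpd-read-cupssock.te:
#   allow cupsd_lpd_t cupsd_var_run_t:sock_file read;
RULE_SRC=cupsd_lpd_t; RULE_TGT=cupsd_var_run_t
RULE_CLASS=sock_file; RULE_PERM=read

# Reads audit AVC lines on stdin. For each denial prints:
#   covered|uncovered <source type> <target type> <class> <perms>
# A denial is "covered" only if the rule grants every denied permission.
classify_avc() {
  awk -v s="$RULE_SRC" -v t="$RULE_TGT" -v c="$RULE_CLASS" -v p="$RULE_PERM" '
    /avc:/ && /denied/ {
      perms = ""; st = ""; tt = ""; cls = ""; inset = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inset = 1; continue }
        if ($i == "}") { inset = 0; continue }
        if (inset) { perms = (perms == "" ? $i : perms "," $i); continue }
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); st = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); tt = b[3] }
        if ($i ~ /^tclass=/) { cls = substr($i, 8) }
      }
      verdict = (st == s && tt == t && cls == c && perms == p) ? "covered" : "uncovered"
      print verdict, st, tt, cls, perms
    }'
}

# Number of denials on stdin that the rule would NOT allow.
uncovered_count() {
  classify_avc | awk '$1 == "uncovered" { n++ } END { print n + 0 }'
}

# Constructed sample records (pids, inodes and timestamps are made up).
sample_avc() {
  cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { read } for  pid=2101 comm="cups-lpd" name="cups.sock" dev="tmpfs" ino=23456 scontext=system_u:system_r:cupsd_lpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000000.202:502): avc:  denied  { read write } for  pid=2101 comm="cups-lpd" name="cups.sock" dev="tmpfs" ino=23456 scontext=system_u:system_r:cupsd_lpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cupsd_var_run_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=42 success=no
EOF
}

sample_avc | classify_avc
```

On a live system the same function can read real records, for example from `ausearch -m avc -c cups-lpd`. Any line reported as uncovered is a denial this module does not address and should be reviewed separately rather than folded into the rule.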
