SELinux preventing cups-pdf output to samba shared directory

Chris asked:

I want to setup an cups-pdf printer to print PDFs to a samba shared directory but SELinux denies cups access to the shared directory. (cups needs to write to a local FS directory which is hosted as a windows share by samba running on the same machine)

I’m using CentOS 6.

My audit log shows:

type=AVC msg=audit(1342728685.377:32002): avc: denied { getattr } for pid=236
55 comm=”cups-pdf” path=”/mnt/storage/samba” dev=sdb1 ino=11927553 scontext=syst
em_u:system_r:cups_pdf_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:samba_sha
re_t:s0 tclass=dir

I can’t simply relabel the directory since it won’t have samba_share_t label thus denying further samba access.

Does anyone have a solution to this?

My answer:

cups-pdf comes with an SELinux policy which allows cups to print to user home directories. You’ll find it in /usr/share/doc/cups-pdf-*/contrib/SELinux-HOWTO.

It should be only a minor modification to let it write to Samba shares:

require {
    type samba_share_t;

allow cupsd_t samba_share_t:dir { add_name create getattr remove_name search setattr write };
allow cupsd_t samba_share_t:file { create getattr read setattr unlink write };

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.