I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I had CUPS configured to listen on port 80, 443 and 631. Now SELinux is preventing CUPS from binding to ports 80 and 443. What would be the recommended way to permit this in SELinux?
Thanks! Steve
On 01/29/2013 01:19 PM, Steve Wilson wrote:
> I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I had CUPS configured to listen on port 80, 443 and 631. Now SELinux is preventing CUPS from binding to ports 80 and 443. What would be the recommended way to permit this in SELinux?
> Thanks! Steve
>
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
I would just add a custom policy.
# grep cups /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp
Another option would be to change the labels on those ports to cups ports, but this would break httpd if it was also looking to use those ports.
# semanage port -m -t cups_port_t -p tcp 80
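The `semanage port -m` in Dan's message works for 80 and 443 only because those ports are already labeled `http_port_t`; a port that no type claims has to be added with `-a` instead, and `-a` on an already-defined port fails. The script below is an added example, not code from the thread or from any project: it parses a constructed excerpt in the format of `semanage port -l` (on a real host, substitute the live listing), reports which type currently owns a TCP port, and prints the matching `semanage` command. The `cups_port_t` name is taken from Dan's message as given.

```shell
#!/bin/sh
# Added example, not from the thread: choose between 'semanage port -a' and
# 'semanage port -m' for a TCP port by reading the 'semanage port -l' listing.
# PORT_LIST is a constructed excerpt in that listing's format; on a real host
# replace it with: PORT_LIST=$(semanage port -l)

PORT_LIST='SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 443, 488, 8008, 8009, 8443
ssh_port_t                     tcp      22
xserver_port_t                 tcp      6000-6020'

# Print the type that owns TCP port $1 in listing $2, or nothing if none does.
# Handles single ports ("80,") and ranges ("6000-6020") in the port column.
port_type_for() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                gsub(/,/, "", $i)
                n = split($i, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (want + 0 >= lo && want + 0 <= hi) { print $1; exit }
            }
        }'
}

# Print the semanage command that gives TCP port $1 the type $2 (cups_port_t
# in the thread; the name is taken from there, not verified here) using
# listing $3: -m when another type already owns the port, -a when the port is
# unlabeled, and only a comment when it already has the requested type.
relabel_cmd() {
    current=$(port_type_for "$1" "$3")
    if [ -z "$current" ]; then
        echo "semanage port -a -t $2 -p tcp $1"
    elif [ "$current" = "$2" ]; then
        echo "# tcp/$1 is already $2, nothing to do"
    else
        echo "semanage port -m -t $2 -p tcp $1    # currently $current"
    fi
}

# Stand-alone run: print the plan for the two ports discussed in the thread.
for p in 80 443; do
    relabel_cmd "$p" cups_port_t "$PORT_LIST"
done
```

The script only prints commands; review the output and run it as root once it matches what you intend. The `audit2allow` route Dan mentions first depends on the denial reaching audit.log: a bind that fails with "Permission denied" while nothing appears there usually means a dontaudit rule is suppressing the AVC, and `semodule -DB` rebuilds the policy with dontaudit rules disabled (`semodule -B` restores them) so the denial becomes visible.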
On 01/29/2013 01:34 PM, Daniel J Walsh wrote:
> On 01/29/2013 01:19 PM, Steve Wilson wrote:
>> I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I had CUPS configured to listen on port 80, 443 and 631. Now SELinux is preventing CUPS from binding to ports 80 and 443. What would be the recommended way to permit this in SELinux?
>> Thanks! Steve
> I would just add a custom policy.
>
> # grep cups /var/log/audit/audit.log | audit2allow -M mycups
> # semodule -i mycups.pp
>
> Another option would be to change the labels on those ports to cups ports, but this would break httpd if it was also looking to use those ports.
>
> # semanage port -m -t cups_port_t -p tcp 80
Thanks for the prompt response. This is probably a very basic SELinux question, but when CUPS is denied access to ports 80 and 443 there are no corresponding log entries in audit.log. The CUPS error log shows: E [29/Jan/2013:13:45:24 -0500] Unable to bind socket for address 128.210.18.165:80 - Permission denied. E [29/Jan/2013:13:45:24 -0500] Unable to bind socket for address 128.210.18.165:443 - Permission denied. And I don't get these CUPS messages when SELinux is in permissive mode.
Yes, auditd is running and I do see other messages in audit.log.
Any thoughts???
Thanks, Steve
On Tue, Jan 29, 2013 at 01:34:59PM -0500, Daniel J Walsh wrote:
> I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I had CUPS configured to listen on port 80, 443 and 631. Now SELinux is preventing CUPS from binding to ports 80 and 443. What would be the recommended way to permit this in SELinux?
>
> Another option would be to change the labels on those ports to cups ports, but this would break httpd if it was also looking to use those ports.
>
> # semanage port -m -t cups_port_t -p tcp 80
Given that replacing httpd with CUPS running there directly is the intended use of the machine, that actually seems better -- if httpd breaks, *good*, because it's not supposed to be there.
On 01/29/2013 02:12 PM, Matthew Miller wrote:
> On Tue, Jan 29, 2013 at 01:34:59PM -0500, Daniel J Walsh wrote:
>> I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I had CUPS configured to listen on port 80, 443 and 631. Now SELinux is preventing CUPS from binding to ports 80 and 443. What would be the recommended way to permit this in SELinux?
>>
>> Another option would be to change the labels on those ports to cups ports, but this would break httpd if it was also looking to use those ports.
>>
>> # semanage port -m -t cups_port_t -p tcp 80
>
> Given that replacing httpd with CUPS running there directly is the intended use of the machine, that actually seems better -- if httpd breaks, *good*, because it's not supposed to be there.
I think I'll go with this approach. Thanks for all the help!
Steve
On Tue, Jan 29, 2013 at 02:42:30PM -0500, Steve Wilson wrote:
>> Another option would be to change the labels on those ports to cups ports, but this would break httpd if it was also looking to use those ports.
>>
>> # semanage port -m -t cups_port_t -p tcp 80
>
>> Given that replacing httpd with CUPS running there directly is the intended use of the machine, that actually seems better -- if httpd breaks, *good*, because it's not supposed to be there.
>
> I think I'll go with this approach. Thanks for all the help!
I should add, though, that it might be even better to run httpd on ports 80/443 and proxy to the CUPS ports on localhost. This gives you an additional level of control, and you don't have to change anything SELinux related.
On 01/29/2013 03:23 PM, Matthew Miller wrote:
> On Tue, Jan 29, 2013 at 02:42:30PM -0500, Steve Wilson wrote:
>>> Another option would be to change the labels on those ports to cups ports, but this would break httpd if it was also looking to use those ports.
>>>
>>> # semanage port -m -t cups_port_t -p tcp 80
>>
>>> Given that replacing httpd with CUPS running there directly is the intended use of the machine, that actually seems better -- if httpd breaks, *good*, because it's not supposed to be there.
>>
>> I think I'll go with this approach. Thanks for all the help!
>
> I should add, though, that it might be even better to run httpd on ports 80/443 and proxy to the CUPS ports on localhost. This gives you an additional level of control, and you don't have to change anything SELinux related.
True, but it's also another service that's running and requires configuration, etc. (even though very minimal...).
Steve
On 01/29/2013 01:19 PM, Steve Wilson wrote:
> I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I had CUPS configured to listen on port 80, 443 and 631. Now SELinux is preventing CUPS from binding to ports 80 and 443. What would be the recommended way to permit this in SELinux?
> Thanks! Steve
Why did you not use port 515?
From /etc/services...
# UNIX specific services
#
exec        512/tcp
biff        512/udp     comsat
login       513/tcp
who         513/udp     whod
shell       514/tcp     cmd         # no passwords used
syslog      514/udp
printer     515/tcp     spooler     # line printer spooler
printer     515/udp     spooler     # line printer spooler
talk        517/udp
On 01/29/2013 01:46 PM, Jean-David Beyer wrote:
> On 01/29/2013 01:19 PM, Steve Wilson wrote:
>> I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I had CUPS configured to listen on port 80, 443 and 631. Now SELinux is preventing CUPS from binding to ports 80 and 443. What would be the recommended way to permit this in SELinux?
>> Thanks! Steve
>
> Why did you not use port 515?
>
> From /etc/services...
>
> # UNIX specific services
> #
> exec        512/tcp
> biff        512/udp     comsat
> login       513/tcp
> who         513/udp     whod
> shell       514/tcp     cmd         # no passwords used
> syslog      514/udp
> printer     515/tcp     spooler     # line printer spooler
> printer     515/udp     spooler     # line printer spooler
> talk        517/udp
Thanks for the suggestion... but I'd rather use the default http port for the Web interface provided by CUPS. It's a convenience for the users so they don't have to remember to add the port at the end of the URL when accessing the CUPS Web interface.
Steve
Steve Wilson wrote:
> On 01/29/2013 01:46 PM, Jean-David Beyer wrote:
>> On 01/29/2013 01:19 PM, Steve Wilson wrote:
>>> I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I had CUPS configured to listen on port 80, 443 and 631. Now SELinux is preventing CUPS from binding to ports 80 and 443. What would be the recommended way to permit this in SELinux?
>>
>> Why did you not use port 515?
>>
>> From /etc/services...
>> <snip>
>
> Thanks for the suggestion... but I'd rather use the default http port for the Web interface provided by CUPS. It's a convenience for the users so they don't have to remember to add the port at the end of the URL when accessing the CUPS Web interface.
Um, cups is port 631.
mark
On 01/29/2013 02:17 PM, m.roth@5-cent.us wrote:
> Steve Wilson wrote:
>> On 01/29/2013 01:46 PM, Jean-David Beyer wrote:
>>> On 01/29/2013 01:19 PM, Steve Wilson wrote:
>>>> I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I had CUPS configured to listen on port 80, 443 and 631. Now SELinux is preventing CUPS from binding to ports 80 and 443. What would be the recommended way to permit this in SELinux?
>>>
>>> Why did you not use port 515?
>>>
>>> From /etc/services...
>>> <snip>
>>
>> Thanks for the suggestion... but I'd rather use the default http port for the Web interface provided by CUPS. It's a convenience for the users so they don't have to remember to add the port at the end of the URL when accessing the CUPS Web interface.
>
> Um, cups is port 631.
Oops! I did not look down far enough in /etc/services.
In fact, that is what my system is using locally and over my LAN. And no grumbling from SELinux either.
--- On Tue, 1/29/13, Steve Wilson stevew@purdue.edu wrote:
> From: Steve Wilson stevew@purdue.edu
> Subject: Allowing CUPS to use http ports 80 and 443
> To: selinux@lists.fedoraproject.org
> Date: Tuesday, January 29, 2013, 8:19 PM
>
> I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I had CUPS configured to listen on port 80, 443 and 631. Now SELinux is preventing CUPS from binding to ports 80 and 443. What would be the recommended way to permit this in SELinux?
If you don't want to mess with SELinux, a workaround would be to use iptables like this:
iptables -t nat -I PREROUTING -p tcp --dport 80 \
    -j REDIRECT --to-port 631
iptables -t nat -I PREROUTING -p tcp --dport 443 \
    -j REDIRECT --to-port 631
Cheers, Cristian
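Two details of Cristian's REDIRECT approach are worth handling explicitly: `-I` inserts a fresh copy of the rule every time it is run, and PREROUTING only sees packets arriving from other hosts, so a browser on the print server itself connecting to port 80 would not be redirected. The script below is an added example, not code from the thread or from any project: it checks a constructed `iptables-save -t nat` dump (on a real host, substitute the live dump) before printing each rule, and adds matching rules in the nat OUTPUT chain, restricted to the loopback interface, for locally originated connections.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent port-80/443 -> 631 REDIRECT
# rules for traffic arriving from the network (PREROUTING) and for connections
# the print server makes to itself (OUTPUT). NAT_RULES is a constructed dump
# in 'iptables-save -t nat' format with the port-80 rule already present;
# on a real host replace it with: NAT_RULES=$(iptables-save -t nat)

NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 631
COMMIT'

# True when chain $1 already redirects TCP port $2 to 631. iptables-save
# always writes the target option as --to-ports, whichever spelling the rule
# was originally added with.
has_redirect() {
    printf '%s\n' "$NAT_RULES" |
        grep -q -e "^-A $1 .*--dport $2 -j REDIRECT --to-ports 631\$"
}

# Print the iptables command that adds the redirect for chain $1 / port $2,
# or nothing when it is already in place. OUTPUT rules are limited to the
# loopback interface, which is where packets addressed to the host's own
# addresses are routed, so outbound web traffic from the server is untouched.
redirect_cmd() {
    has_redirect "$1" "$2" && return 0
    iface=""
    [ "$1" = OUTPUT ] && iface="-o lo "
    echo "iptables -t nat -I $1 ${iface}-p tcp --dport $2 -j REDIRECT --to-port 631"
}

# Full plan for the two web ports on both paths into the box.
redirect_plan() {
    for chain in PREROUTING OUTPUT; do
        for port in 80 443; do
            redirect_cmd "$chain" "$port"
        done
    done
}

# Stand-alone run: with the constructed dump, prints three commands (the
# PREROUTING rule for port 80 is already present).
redirect_plan
```

The redirected traffic still reaches CUPS on 631, which is the port its policy already allows, so the SELinux port labels stay untouched. For the rewrite to be useful CUPS must be listening on 631 on the interface address (or on all addresses), not only on localhost, and the rules have to be saved (`service iptables save` on RHEL 6) to survive a reboot.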