Changing CUPS to run on Port 443 with SELinux

When setting up a check printing environment for a client, I ran into an issue where even though I changed the /etc/cupsd.conf file to listen on port 443, the service would not actually start!

Why not use the CUPS default port 631? Simple answer – too many of the client’s Palo Alto firewalls were configured to block IPP printing and since we were under a tight schedule, we could not afford to be held back by this. The client opted to instead run the services on 443 and thus take this element out of the picture when it came to testing the printing services on their end. So we had to make CUPS run on 443 instead of 631.

Upon reading some guides online, they seemed to indicate that CUPS could listen on any port and any interface as long as it is specified in the configuration file.

# Only listen for connections from the local machine.
Listen 443
Listen /var/run/cups/cups.sock

However, when I ran lsof -i -P, I could not see the CUPSD service running! If I changed the configuration back to port 631 and restarted the service, I would see it come up.

[oraerpprntsvc@dmz-print1 ~]$ sudo lsof -i -P
COMMAND  PID  USER    FD TYPE DEVICE SIZE/OFF NODE NAME
systemd    1  root   47u IPv4 34335 0t0 TCP *:111 (LISTEN)
systemd    1  root   48u IPv4 34336 0t0 UDP *:111
sshd     6292 root    3u IPv4 41258 0t0 TCP *:22 (LISTEN)
master   6663 root   13u IPv4 42810 0t0 TCP localhost:25 (LISTEN)
dnsmasq  6768 nobody  3u IPv4 43160 0t0 UDP *:67
dnsmasq  6768 nobody  5u IPv4 43163 0t0 UDP dmz-print1.localdomain:53
dnsmasq  6768 nobody  6u IPv4 43164 0t0 TCP dmz-print1.localdomain:53 (LISTEN)
chronyd  6836 chrony  1u IPv4 43777 0t0 UDP localhost:323
cupsd    8682 root    9u IPv4 58443 0t0 TCP *:631 (LISTEN)

I started poking around and discovered that SELinux was enabled:

[oraerpprntsvc@dmz-print1 ~]$ getenforce
Enforcing

I am not as well versed in Linux as I wish I would be, and having not worked in an environment where SELinux was in use, I admittedly had to do some googling.

I located this fine article about running SSHD on Port 443 and it helped me realize that I needed to make some changes to the SELinux port labeling policies. See, SELinux adds additional security and prevents services from running on ports other than what is defined in the master policy.

In order to bring up a list of services allowed to use port 443 (normally called HTTPS)

[oraerpprntsvc@dmz-print1 ~]$ sudo semanage port -l | grep 443
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
pki_ca_port_t tcp 829, 9180, 9701, 9443-9447
pki_kra_port_t tcp 10180, 10701, 10443-10446
pki_ocsp_port_t tcp 11180, 11701, 11443-11446
pki_tks_port_t tcp 13180, 13701, 13443-13446

The solution suggested by the guide was to add the tcp port 443 for the SSH_PORT_T configuration. Since we actually want to change the port for CUPS, we just replace SSH_PORT_T with IPP_PORT_T in the command.

[oraerpprntsvc@dmz-print1 ~]$ semanage port -m -t ipp_port_t -p tcp 443

After running the command and verifying that port tcp 443 was added to the allowed list for IPP (CUPS), we restart the service…

[oraerpprntsvc@dmz-print1 ~]$ sudo semanage port -l | grep ipp
ipp_port_t tcp 443, 631, 8610-8614
ipp_port_t udp 631, 8610-8614
[oraerpprntsvc@dmz-print1 ~]$ sudo systemctl restart cups

We can observe that CUPS now shows up as listening on port 443:

[oraerpprntsvc@dmz-print1 ~]$ sudo lsof -i -P
COMMAND  PID  USER    FD TYPE DEVICE SIZE/OFF NODE NAME
systemd    1  root   47u IPv4 34335 0t0 TCP *:111 (LISTEN)
systemd    1  root   48u IPv4 34336 0t0 UDP *:111
sshd     6292 root    3u IPv4 41258 0t0 TCP *:22 (LISTEN)
master   6663 root   13u IPv4 42810 0t0 TCP localhost:25 (LISTEN)
dnsmasq  6768 nobody  3u IPv4 43160 0t0 UDP *:67
dnsmasq  6768 nobody  5u IPv4 43163 0t0 UDP dmz-print1.localdomain:53
dnsmasq  6768 nobody  6u IPv4 43164 0t0 TCP dmz-print1.localdomain:53 (LISTEN)
chronyd  6836 chrony  1u IPv4 43777 0t0 UDP localhost:323
cupsd    8682 root    9u IPv4 58443 0t0 TCP *:443 (LISTEN)

A quick check in the browser verifies that the service is correctly listening and accepting HTTPS/IPPS traffic.

That’s it! We are done.

cups

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s