Bug 235810

Summary: selinux error connecting to samba cups printer (connectto denied)
Product: [Fedora] Fedora
Reporter: Jason Salcido <ebusinux>
Component: samba
Assignee: Samba Maint Team <samba-bugs-list>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 6
CC: jplans
Hardware: i386   
OS: Linux   
Last Closed: 2007-04-10 14:21:28 UTC

Description Jason Salcido 2007-04-10 10:01:33 UTC
Description of problem:
Trying to connect a Windows client to a Samba server on FC6 with the latest updates.
I get an SELinux error message:

SELinux is preventing /usr/sbin/smbd (smbd_t) "connectto" access to
/var/run/cups/cups.sock (initrc_t).

Did restorecon on cups.sock but still get error.

Version-Release number of selected component (if applicable):
Using selinux-policy 2.4.6-49.fc6. 
cups 1.2.10-3.fc6
samba 3.0.24-3.fc6

Additional info:
samba config for printers:
[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = yes
# Set public = yes to allow user 'guest account' to print
   public = yes
   guest ok = yes
   writable = no
   printable = yes

security context for cups.sock
user_u:object_r:cupsd_var_run_t  cups.sock

selinux alert info:
Source Context:  user_u:system_r:smbd_t
Target Context:  user_u:system_r:initrc_t:SystemLow-SystemHigh
Target Objects:  /var/run/cups/cups.sock [ unix_stream_socket ]
Affected RPM Packages:  samba-3.0.24-3.fc6 [application]
Policy RPM:  selinux-policy-2.4.6-49.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.disable_trans

avc: denied { connectto } for comm="smbd" egid=0 euid=0 exe="/usr/sbin/smbd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="cups.sock"
path="/var/run/cups/cups.sock" pid=13535 scontext=user_u:system_r:smbd_t:s0
sgid=0 subj=user_u:system_r:smbd_t:s0 suid=0 tclass=unix_stream_socket
tcontext=user_u:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0

Comment 1 Jason Salcido 2007-04-10 10:05:15 UTC
Performed a test by disabling SELinux for smbd; connecting to the server for
printers works with no denied errors from SELinux.

Comment 2 Daniel Walsh 2007-04-10 14:21:28 UTC
Did you disable trans on cups?  You should re-enable it and add policy to fix
whatever made you disable it in the first place.

Comment 3 Jason Salcido 2007-04-10 21:22:22 UTC
I had previously disabled selinux on cups because of numerous problems including
the fact that cups-pdf would not work without significant selinux tweaking.  I
enabled selinux for cupsd and for smbd to check your hypothesis and in fact the
client can see and use the printer queues.  However the client still sees an
"access denied" when viewing the queue despite being able to print to it.  This
seems odd that samba would require that cups selinux be enabled since it exposes
printing services through cups.  It seems more logical to have samba work
despite what selinux setting cups may have.  This still seems to me like a bug
because I cannot fix every dependency samba has on other subsystems and selinux.
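
Added example, not part of the original report or of any project's code: the denial quoted in the description names initrc_t as the target, while the socket file is labelled cupsd_var_run_t, which is why restorecon on cups.sock changed nothing. The Python below parses that AVC record and flags the mismatch; the function names are hypothetical, and the sample record is the one from the report rejoined onto one line.

```python
import re

# AVC record from the bug report above, rejoined onto one line.
SAMPLE_AVC = (
    'avc: denied { connectto } for comm="smbd" egid=0 euid=0 exe="/usr/sbin/smbd" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="cups.sock" '
    'path="/var/run/cups/cups.sock" pid=13535 scontext=user_u:system_r:smbd_t:s0 '
    'sgid=0 subj=user_u:system_r:smbd_t:s0 suid=0 tclass=unix_stream_socket '
    'tcontext=user_u:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the denial's permissions and key=value fields, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    return rec

def context_type(ctx):
    """The type is the third field of user:role:type[:mls-range]."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None

def diagnose(rec, socket_file_context=None):
    """Flag a peer daemon that is running outside its own domain."""
    findings = []
    ttype = context_type(rec.get('tcontext', ''))
    if rec.get('tclass') == 'unix_stream_socket' and 'connectto' in rec['perms']:
        # connectto is checked against the label of the listening process,
        # so relabelling the socket file cannot change the outcome.
        if ttype == 'initrc_t':
            findings.append('peer process runs as initrc_t: '
                            'its domain transition is not happening')
        ftype = context_type(socket_file_context or '')
        if ftype and ftype != ttype:
            findings.append(f'socket file is {ftype} but listener is {ttype}: '
                            'fix the process domain, not the file label')
    return findings

if __name__ == '__main__':
    record = parse_avc(SAMPLE_AVC)
    # File context as reported in the description.
    for finding in diagnose(record, 'user_u:object_r:cupsd_var_run_t'):
        print(finding)
```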