Bug 214839 - CUPS generates SELinux error when printing to SMB printer
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: i386
OS: Linux
medium
medium
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-11-09 18:04 UTC by malcolm
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 14:13:53 UTC
Description malcolm 2006-11-09 18:04:37 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.8) Gecko/20061107 Fedora/1.5.0.8-1.fc6 Firefox/1.5.0.8

Description of problem:
Summary (from setroubleshoot)
SELinux denied access requested by /usr/bin/smbspool. It is not expected that this access is required by /usr/bin/smbspool and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a bug report against this package.

Additional Information (from setroubleshoot)
Source Context: system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context: system_u:object_r:samba_etc_t
Target Objects: samba [ dir ]
Affected RPM Packages: samba-client-3.0.23c-2 [application]
Policy RPM: selinux-policy-2.4.2-3.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.disable_trans
Host Name: larch.aoptix.com
Platform: Linux larch.aoptix.com 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:37:32 EDT 2006 i686 i686

Raw Audit Messages:
avc: denied { search } for comm='"smb"' dev='dm-0' egid='7' euid='4' exe='"/usr/bin/smbspool"' exit='-13' fsgid='7' fsuid='4' gid='7' items='0' name='"samba"' pid='3540' scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid='7' subj='system_u:system_r:cupsd_t:s0-s0:c0.c1023' suid='4' tclass='dir' tcontext=system_u:object_r:samba_etc_t:s0 tty='(none)' uid='4'


Version-Release number of selected component (if applicable):
cups-1.2.5-2.fc6.8   selinux-policy-2.4.2-3.fc6

How reproducible:
Always


Steps to Reproduce:
1. Configure an SMB printer
2. Print test page

Actual Results:
Print job never leaves print Q
Print Q is disabled.

Expected Results:
Output on printer

Additional info:
Fix suggested by setroubleshoot
setsebool -P cupsd_disable_trans=1
does not work

Comment 1 malcolm 2006-11-09 18:16:27 UTC
I think this is really an SELinux bug.

Comment 2 Tim Waugh 2006-11-10 15:45:34 UTC
cups.te has this:

optional_policy(`
        # cups execs smbtool which reads samba_etc_t files
        samba_read_config(cupsd_t)
        samba_rw_var_files(cupsd_t)
')

but serefpolicy-2.4.3/policy/modules/services/samba.if:137 has this:

interface(`samba_read_config',`
        gen_require(`
                type samba_etc_t;
        ')

        files_search_etc($1)
        allow $1 samba_etc_t:file { read getattr lock };
')

We need

  allow $1 samba_etc_t:dir search;

to be added to (at least) samba_read_config -- and probably most of the other
samba_read_* definitions in that file.

This problem comes about because /etc/samba/ has a different context from /etc.
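
Added example (not part of the bug report or of the selinux-policy source): a short Python parser that maps the raw audit message from the description to the type-enforcement rule that comment 2 says is missing. The function names are hypothetical, and the sample is the page's AVC record trimmed to fewer fields.

```python
import re

# AVC record from the bug description (setroubleshoot format), trimmed to
# fewer fields for this added example.
SAMPLE = ("avc: denied { search } for comm='\"smb\"' dev='dm-0' "
          "exe='\"/usr/bin/smbspool\"' name='\"samba\"' pid='3540' "
          "scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass='dir' "
          "tcontext=system_u:object_r:samba_etc_t:s0")

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", re.S)
# Values are bare (kernel format) or wrapped in '...' / "..." (setroubleshoot).
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip("'\"") for k, v in FIELD_RE.findall(m.group(2))}
    missing = {"scontext", "tcontext", "tclass"} - fields.keys()
    if missing:
        raise ValueError("AVC record lacks " + ", ".join(sorted(missing)))
    fields["perms"] = m.group(1).split()
    return fields


def type_of(context):
    """Extract the type from user:role:type[:mls-range]."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return parts[2]


def allow_rule(avc):
    """Render the allow rule that would permit the denied access."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow {} {}:{} {};".format(
        type_of(avc["scontext"]), type_of(avc["tcontext"]),
        avc["tclass"], perm_str)


if __name__ == "__main__":
    print(allow_rule(parse_avc(SAMPLE)))
```

For the record above this yields `allow cupsd_t samba_etc_t:dir search;`, which is the rule proposed in comment 2 with `$1` bound to `cupsd_t`.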

Comment 3 Tim Waugh 2006-11-10 15:45:57 UTC
Reassigning.

Comment 5 Daniel Walsh 2006-11-10 18:36:51 UTC
Fixed in selinux-policy-2.4.3-9.fc6

Comment 6 Daniel Walsh 2007-08-22 14:13:53 UTC
Fixed in current release
