Bug 214839 - Cups generates SeLinux error when printing to SMB printer
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2006-11-09 13:04 EST by malcolm
Modified: 2007-11-30 17:11 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:13:53 EDT

Description malcolm 2006-11-09 13:04:37 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.8) Gecko/20061107 Fedora/1.5.0.8-1.fc6 Firefox/1.5.0.8

Description of problem:
Summary (from setroubleshoot)
SELinux denied access requested by /usr/bin/smbspool. It is not expected that this access is required by /usr/bin/smbspool and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a bug report against this package.

Additional Information (from setroubleshoot)
Source Context: system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context: system_u:object_r:samba_etc_t
Target Objects: samba [ dir ]
Affected RPM Packages: samba-client-3.0.23c-2 [application]
Policy RPM: selinux-policy-2.4.2-3.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.disable_trans
Host Name: larch.aoptix.com
Platform: Linux larch.aoptix.com 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:37:32 EDT 2006 i686 i686
Raw Audit Messages:
avc: denied { search } for comm='"smb"' dev='dm-0' egid='7' euid='4' exe='"/usr/bin/smbspool"' exit='-13' fsgid='7' fsuid='4' gid='7' items='0' name='"samba"' pid='3540' scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid='7' subj='system_u:system_r:cupsd_t:s0-s0:c0.c1023' suid='4' tclass='dir' tcontext=system_u:object_r:samba_etc_t:s0 tty='(none)' uid='4'


Version-Release number of selected component (if applicable):
cups-1.2.5-2.fc6.8   selinux-policy-2.4.2-3.fc6

How reproducible:
Always


Steps to Reproduce:
1. Configure an SMB printer
2. Print test page
3.

Actual Results:
Print job never leaves print Q
Print Q is disabled.

Expected Results:
Output on printer

Additional info:
Fix suggested by setroubleshoot
setsebool -P cupsd_disable_trans=1
does not work

Comment 1 malcolm 2006-11-09 13:16:27 EST
I think this is really an SELinux bug.

Comment 2 Tim Waugh 2006-11-10 10:45:34 EST
cups.te has this:

optional_policy(`
        # cups execs smbtool which reads samba_etc_t files
        samba_read_config(cupsd_t)
        samba_rw_var_files(cupsd_t)
')

but serefpolicy-2.4.3/policy/modules/services/samba.if:137 has this:

interface(`samba_read_config',`
        gen_require(`
                type samba_etc_t;
        ')

        files_search_etc($1)
        allow $1 samba_etc_t:file { read getattr lock };
')

We need

  allow $1 samba_etc_t:dir search;

to be added to (at least) samba_read_config -- and probably most of the other
samba_read_* definitions in that file.

This problem comes about because /etc/samba/ has a different context from /etc.
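
An added example, not part of the original bug thread or of the SELinux policy sources: a small Python parser that pulls the source type, target type, class and permission out of the raw AVC record in this report and renders the candidate rule, which matches the `allow $1 samba_etc_t:dir search;` line proposed in comment 2 with `$1` bound to `cupsd_t`. The function names and the second, audit.log-style record are constructed for illustration.

```python
import re
from collections import defaultdict

# AVC record from this report's "Raw Audit Messages" (unused fields trimmed).
SAMPLE = (
    "avc: denied { search } for comm='\"smb\"' dev='dm-0' "
    "exe='\"/usr/bin/smbspool\"' name='\"samba\"' pid='3540' "
    "scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tclass='dir' "
    "tcontext=system_u:object_r:samba_etc_t:s0"
)
# Constructed second denial in plain audit.log style, to show merging.
EXTRA = ('type=AVC msg=audit(0.0:1): avc:  denied  { getattr } for  pid=3540 '
         'comm="smb" name="samba" scontext=system_u:system_r:cupsd_t:s0 '
         'tcontext=system_u:object_r:samba_etc_t:s0 tclass=dir')

PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if unusable."""
    m = PERMS.search(line)
    perms = m.group(1).split() if m else []
    # setroubleshoot wraps values in quotes; audit.log mostly does not.
    fields = {k: v.strip("'\"") for k, v in FIELD.findall(line)}
    try:
        # A context is user:role:type[:mls-range]; the type is the third field.
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return (src, tgt, tclass, perms) if perms else None

def candidate_rules(lines):
    """Merge denials per (source, target, class) and render allow rules."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in filter(None, map(parse_avc, lines)):
        merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {body};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules([SAMPLE, EXTRA])))
```

The rendered rule is a candidate for review; in this bug the permission belongs inside the `samba_read_config` interface rather than as a one-off rule for `cupsd_t`.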

Comment 3 Tim Waugh 2006-11-10 10:45:57 EST
Reassigning.

Comment 5 Daniel Walsh 2006-11-10 13:36:51 EST
Fixed in selinux-policy-2.4.3-9.fc6

Comment 6 Daniel Walsh 2007-08-22 10:13:53 EDT
Fixed in current release
