From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.8) Gecko/20061107 Fedora/1.5.0.8-1.fc6 Firefox/1.5.0.8

Description of problem:

Summary (from setroubleshoot)
SELinux denied access requested by /usr/bin/smbspool. It is not expected that this access is required by /usr/bin/smbspool and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a bug report against this package.

Additional Information (from setroubleshoot)
Source Context: system_u:system_r:cupsd_t:SystemLow-SystemHigh
Target Context: system_u:object_r:samba_etc_t
Target Objects: samba [ dir ]
Affected RPM Packages: samba-client-3.0.23c-2 [application]
Policy RPM: selinux-policy-2.4.2-3.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.disable_trans
Host Name: larch.aoptix.com
Platform: Linux larch.aoptix.com 2.6.18-1.2798.fc6 #1 SMP Mon Oct 16 14:37:32 EDT 2006 i686 i686

Raw Audit Messages:
avc: denied { search } for comm='"smb"' dev='dm-0' egid='7' euid='4' exe='"/usr/bin/smbspool"' exit='-13' fsgid='7' fsuid='4' gid='7' items='0' name='"samba"' pid='3540' scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 sgid='7' subj='system_u:system_r:cupsd_t:s0-s0:c0.c1023' suid='4' tclass='dir' tcontext=system_u:object_r:samba_etc_t:s0 tty='(none)' uid='4'

Version-Release number of selected component (if applicable):
cups-1.2.5-2.fc6.8
selinux-policy-2.4.2-3.fc6

How reproducible: Always

Steps to Reproduce:
1. Configure an SMB printer
2. Print test page
3.

Actual Results: Print job never leaves print Q
Print Q is disabled.

Expected Results: Output on printer

Additional info:
Fix suggested by setroubleshoot
setsebool -P cupsd_disable_trans=1
does not work

I think this is really an SELinux bug.

cups.te has this:

    optional_policy(`
        # cups execs smbtool which reads samba_etc_t files
        samba_read_config(cupsd_t)
        samba_rw_var_files(cupsd_t)
    ')

but serefpolicy-2.4.3/policy/modules/services/samba.if:137 has this:

    interface(`samba_read_config',`
        gen_require(`
            type samba_etc_t;
        ')

        files_search_etc($1)
        allow $1 samba_etc_t:file { read getattr lock };
    ')

We need

    allow $1 samba_etc_t:dir search;

to be added to (at least) samba_read_config -- and probably most of the other samba_read_* definitions in that file. This problem comes about because /etc/samba/ has a different context from /etc.

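
Added example (not part of the bug report or of the SELinux policy sources): a Python check that parses the raw audit message from the report, compares it with the rules samba_read_config is quoted as granting, and reports the rule the policy lacks. The GRANTED table, the function names and the etc_t entry standing in for files_search_etc() are assumptions made for illustration.

```python
import re

# Raw audit message from the report above (setroubleshoot quoting kept,
# trimmed to the fields this example reads).
SAMPLE_AVC = (
    "avc: denied { search } for comm='\"smb\"' dev='dm-0' "
    "exe='\"/usr/bin/smbspool\"' name='\"samba\"' pid='3540' "
    "scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 "
    "tclass='dir' tcontext=system_u:object_r:samba_etc_t:s0"
)

# What samba_read_config(cupsd_t) expands to, per the interface quoted above.
# The etc_t entry is an assumption about what files_search_etc() grants.
GRANTED = {
    ("cupsd_t", "samba_etc_t", "file"): {"read", "getattr", "lock"},
    ("cupsd_t", "etc_t", "dir"): {"search"},
}

_PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
_FIELD = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")


def parse_avc(line):
    """Return ((source type, target type, class), denied perms) of an AVC."""
    m = _PERMS.search(line)
    if m is None:
        raise ValueError("not an AVC denial")
    # Values may be bare (audit.log) or wrapped in '"..."' (setroubleshoot).
    f = {k: v.strip("'\"") for k, v in _FIELD.findall(line)}
    try:
        # An SELinux context is user:role:type[:mls]; the type is field 3.
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2],
               f["tclass"])
    except (KeyError, IndexError):
        raise ValueError("AVC lacks scontext, tcontext or tclass") from None
    return key, set(m.group(1).split())


def missing_rule(line, granted):
    """Return the allow rule the policy lacks for this denial, or None."""
    key, denied = parse_avc(line)
    missing = sorted(denied - granted.get(key, set()))
    if not missing:
        return None
    perms = missing[0] if len(missing) == 1 else "{ " + " ".join(missing) + " }"
    return "allow {} {}:{} {};".format(key[0], key[1], key[2], perms)


if __name__ == "__main__":
    print(missing_rule(SAMPLE_AVC, GRANTED))
```

The rule it reports is the proposed interface line with $1 expanded to cupsd_t; the file-class grant does not cover the directory lookup on /etc/samba/.
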
Reassigning.
Fixed in selinux-policy-2.4.3-9.fc6
Fixed in current release