Bug 214953 - SELinux is preventing /usr/bin/smbspool (cupsd_t) "search" access to samba (samba_etc_t)
SELinux is preventing /usr/bin/smbspool (cupsd_t) "search" access to samba (s...
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2006-11-10 04:31 EST by Gerard Fernandes
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-11-30 12:45:22 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
SELinux troubleshooter output (77.64 KB, application/pdf)
2006-11-10 04:31 EST, Gerard Fernandes
no flags Details
Screenshot (208.26 KB, image/png)
2006-11-21 04:28 EST, Gerard Fernandes
no flags Details
Print of the SELinux error (51.52 KB, application/pdf)
2006-11-21 04:29 EST, Gerard Fernandes
no flags Details

  None (edit)
Description Gerard Fernandes 2006-11-10 04:31:58 EST
Description of problem: Can not connect to a Windows network shared printer over
SMB because of this SELinux denial.

Version-Release number of selected component (if applicable): Latest updated FC6
as of today.

How reproducible: Always

Steps to Reproduce:
1. Configure a network printer
2. Attempt to print test page
Actual results: SELinux denial

Expected results: Should be able to print to a network printer.

Additional info: The "cupsd_t" should be granted enough rights by default to be
able to access a Printer shared on a Windows network.
Comment 1 Gerard Fernandes 2006-11-10 04:31:59 EST
Created attachment 140871 [details]
SELinux troubleshooter output
Comment 2 Gerard Fernandes 2006-11-10 04:33:19 EST
On a default FC6 installation it is possible to access SMB shares on a Windows
ADS network with no configuration. Printing should work in a simillar way.
Comment 3 Daniel Walsh 2006-11-10 08:21:44 EST
Fixed in selinux-policy-2.4.3-9
Comment 4 Gerard Fernandes 2006-11-13 05:02:04 EST
The latest stable one seems to be 2.4.2-3. How do I get 2.4.3-9?
Comment 5 Daniel Walsh 2006-11-13 11:50:40 EST
selinux-policy-2.4.3-10.fc6 is in Fedora Testing today.  Should be released to
updates by end of week.
Comment 6 Gerard Fernandes 2006-11-21 04:28:34 EST
Created attachment 141742 [details]
Comment 7 Gerard Fernandes 2006-11-21 04:29:06 EST
Created attachment 141743 [details]
Print of the SELinux error
Comment 8 Gerard Fernandes 2006-11-21 04:34:35 EST
Updated today to selinux-policy-targeted-2.4.3-10.fc6. Now when trying to attach
to a Windows ADS network printer, a new error - "trying to access mislabeled
files" - happens. It then seems to go into a loop, tries some 50 odd times
before giving up.

The SELinux Troubleshoot browser window fills up with these failure messages
until it gives up.

Attached: SELinux Troubleshoot Browser screenshot and error output printed to PDF.
Comment 9 Daniel Walsh 2006-11-21 15:11:48 EST
Any idea which app is creating the tmp files?

Comment 10 Daniel Walsh 2006-11-21 15:13:09 EST
You can just grab the audit messages out of the auditlogs.

ausearch -m avc
Comment 11 Gerard Fernandes 2006-11-22 05:55:28 EST
Here is the last audit message from the results of "ausearch -m avc" - please
let me know if you need more information (and the command that will get it for
you :):

time->Tue Nov 21 09:17:59 2006

type=AVC_PATH msg=audit(1164100679.044:290):  path="/tmp/tmpfeaa5f0.tmp"
type=SYSCALL msg=audit(1164100679.044:290): arch=40000003 syscall=195 success=no
exit=-13 a0=bf9cb402 a1=bf9cb39c a2=309ff4 a3=bf9cb39c items=0 ppid=2169
pid=3137 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7
tty=(none) comm="smb" exe="/usr/bin/smbspool"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1164100679.044:290): avc:  denied  { getattr } for  pid=3137
comm="smb" name="tmpfeaa5f0.tmp" dev=dm-0 ino=2550999
tcontext=user_u:object_r:tmp_t:s0 tclass=file
Comment 12 Tim Waugh 2006-11-22 06:04:51 EST
Daniel: smbspool seems to be iterating through all existing tmp files. (At
least, it does for me.)
Comment 13 Daniel Walsh 2006-11-27 13:51:38 EST
Ok, is the printing working?  Can I just dontaudit these denials?
Comment 14 Daniel Walsh 2006-11-28 16:22:49 EST
FIxed in selinux-policy-2.4.5-5
Comment 15 Gerard Fernandes 2006-11-30 09:08:23 EST
Fixed - no more warnings/errors in SELinux. Printing is still not working - but
thats probably a driver issue.

Note You need to log in before you can comment on or make changes to this bug.