Description of problem:
Can not connect to a Windows network shared printer over SMB because of this SELinux denial.

Version-Release number of selected component (if applicable):
Latest updated FC6 as of today.

How reproducible:
Always

Steps to Reproduce:
1. Configure a network printer
2. Attempt to print test page

Actual results:
SELinux denial

Expected results:
Should be able to print to a network printer.

Additional info:
The "cupsd_t" should be granted enough rights by default to be able to access a Printer shared on a Windows network.
Created attachment 140871: SELinux troubleshooter output
On a default FC6 installation it is possible to access SMB shares on a Windows ADS network with no configuration. Printing should work in a similar way.
Fixed in selinux-policy-2.4.3-9
The latest stable one seems to be 2.4.2-3. How do I get 2.4.3-9?
selinux-policy-2.4.3-10.fc6 is in Fedora Testing today. Should be released to updates by end of week.
Created attachment 141742: Screenshot
Created attachment 141743: Print of the SELinux error
Updated today to selinux-policy-targeted-2.4.3-10.fc6. Now when trying to attach to a Windows ADS network printer, a new error - "trying to access mislabeled files" - happens. It then seems to go into a loop, tries some 50 odd times before giving up. The SELinux Troubleshoot browser window fills up with these failure messages until it gives up. Attached: SELinux Troubleshoot Browser screenshot and error output printed to PDF.
Any idea which app is creating the tmp files?
You can just grab the audit messages out of the audit logs:
ausearch -m avc
Here is the last audit message from the results of "ausearch -m avc" - please let me know if you need more information (and the command that will get it for you :):

time->Tue Nov 21 09:17:59 2006
type=AVC_PATH msg=audit(1164100679.044:290): path="/tmp/tmpfeaa5f0.tmp"
type=SYSCALL msg=audit(1164100679.044:290): arch=40000003 syscall=195 success=no exit=-13 a0=bf9cb402 a1=bf9cb39c a2=309ff4 a3=bf9cb39c items=0 ppid=2169 pid=3137 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) comm="smb" exe="/usr/bin/smbspool" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1164100679.044:290): avc: denied { getattr } for pid=3137 comm="smb" name="tmpfeaa5f0.tmp" dev=dm-0 ino=2550999 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:tmp_t:s0 tclass=file
Daniel: smbspool seems to be iterating through all existing tmp files. (At least, it does for me.)
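
An added example, not part of the original bug comments and not Fedora tooling: a small Python summarizer for "ausearch -m avc" output that groups denials by process, source type, target type, class and permission, so a pattern like smbspool touching many different tmp files shows up as one rule with many distinct file names. The first AVC record in the sample is the one quoted above; the other two are constructed, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input. The first AVC record is the one quoted in this
# report; the other two copy it with made-up file names and inode numbers.
SAMPLE = """\
type=AVC_PATH msg=audit(1164100679.044:290): path="/tmp/tmpfeaa5f0.tmp"
type=AVC msg=audit(1164100679.044:290): avc: denied { getattr } for pid=3137 comm="smb" name="tmpfeaa5f0.tmp" dev=dm-0 ino=2550999 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1164100679.048:291): avc: denied { getattr } for pid=3137 comm="smb" name="example-a.tmp" dev=dm-0 ino=1000001 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1164100679.052:292): avc: denied { getattr } for pid=3137 comm="smb" name="example-b.tmp" dev=dm-0 ino=1000002 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=user_u:object_r:tmp_t:s0 tclass=file
"""

DENIAL = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def setype(context):
    """Return the type field of a user:role:type[:range] context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_denials(text):
    """Yield one dict per 'avc: denied' record; other record types are skipped."""
    for line in text.splitlines():
        m = DENIAL.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
        fields["perms"] = m.group(1).split()
        yield fields


def summarize(text):
    """Group denials by (comm, source type, target type, class, permission)."""
    groups = defaultdict(lambda: {"count": 0, "names": set()})
    for d in parse_denials(text):
        for perm in d["perms"]:
            key = (d.get("comm"), setype(d["scontext"]),
                   setype(d["tcontext"]), d.get("tclass"), perm)
            groups[key]["count"] += 1
            groups[key]["names"].add(d.get("name"))
    return dict(groups)


if __name__ == "__main__":
    for key, g in sorted(summarize(SAMPLE).items(), key=lambda kv: -kv[1]["count"]):
        print(g["count"], "denials,", len(g["names"]), "distinct names:", *key)
```

One group with a count close to its number of distinct names suggests the process is walking a directory rather than needing one specific file, which is the situation where a dontaudit rule is usually weighed against an allow rule.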
Ok, is the printing working? Can I just dontaudit these denials?
Fixed in selinux-policy-2.4.5-5
Fixed - no more warnings/errors in SELinux. Printing is still not working - but that's probably a driver issue.