Bug 214953 - SELinux is preventing /usr/bin/smbspool (cupsd_t) "search" access to samba (samba_etc_t)
Summary: SELinux is preventing /usr/bin/smbspool (cupsd_t) "search" access to samba (s...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 6
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-11-10 09:31 UTC by Gerard Fernandes
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version: Current
Clone Of:
Environment:
Last Closed: 2006-11-30 17:45:22 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)
SELinux troubleshooter output (77.64 KB, application/pdf)
2006-11-10 09:31 UTC, Gerard Fernandes
no flags Details
Screenshot (208.26 KB, image/png)
2006-11-21 09:28 UTC, Gerard Fernandes
no flags Details
Print of the SELinux error (51.52 KB, application/pdf)
2006-11-21 09:29 UTC, Gerard Fernandes
no flags Details

Description Gerard Fernandes 2006-11-10 09:31:58 UTC
Description of problem: Can not connect to a Windows network shared printer over
SMB because of this SELinux denial.


Version-Release number of selected component (if applicable): Latest updated FC6
as of today.


How reproducible: Always


Steps to Reproduce:
1. Configure a network printer
2. Attempt to print test page
  
Actual results: SELinux denial


Expected results: Should be able to print to a network printer.


Additional info: The "cupsd_t" should be granted enough rights by default to be
able to access a Printer shared on a Windows network.

Comment 1 Gerard Fernandes 2006-11-10 09:31:59 UTC
Created attachment 140871 [details]
SELinux troubleshooter output

Comment 2 Gerard Fernandes 2006-11-10 09:33:19 UTC
On a default FC6 installation it is possible to access SMB shares on a Windows
ADS network with no configuration. Printing should work in a simillar way.

Comment 3 Daniel Walsh 2006-11-10 13:21:44 UTC
Fixed in selinux-policy-2.4.3-9

Comment 4 Gerard Fernandes 2006-11-13 10:02:04 UTC
The latest stable one seems to be 2.4.2-3. How do I get 2.4.3-9?

Comment 5 Daniel Walsh 2006-11-13 16:50:40 UTC
selinux-policy-2.4.3-10.fc6 is in Fedora Testing today.  Should be released to
updates by end of week.

Comment 6 Gerard Fernandes 2006-11-21 09:28:34 UTC
Created attachment 141742 [details]
Screenshot

Comment 7 Gerard Fernandes 2006-11-21 09:29:06 UTC
Created attachment 141743 [details]
Print of the SELinux error

Comment 8 Gerard Fernandes 2006-11-21 09:34:35 UTC
Updated today to selinux-policy-targeted-2.4.3-10.fc6. Now when trying to attach
to a Windows ADS network printer, a new error - "trying to access mislabeled
files" - happens. It then seems to go into a loop, tries some 50 odd times
before giving up.

The SELinux Troubleshoot browser window fills up with these failure messages
until it gives up.

Attached: SELinux Troubleshoot Browser screenshot and error output printed to PDF.

Comment 9 Daniel Walsh 2006-11-21 20:11:48 UTC
Any idea which app is creating the tmp files?



Comment 10 Daniel Walsh 2006-11-21 20:13:09 UTC
You can just grab the audit messages out of the auditlogs.

ausearch -m avc

Comment 11 Gerard Fernandes 2006-11-22 10:55:28 UTC
Here is the last audit message from the results of "ausearch -m avc" - please
let me know if you need more information (and the command that will get it for
you :):


time->Tue Nov 21 09:17:59 2006

type=AVC_PATH msg=audit(1164100679.044:290):  path="/tmp/tmpfeaa5f0.tmp"
type=SYSCALL msg=audit(1164100679.044:290): arch=40000003 syscall=195 success=no
exit=-13 a0=bf9cb402 a1=bf9cb39c a2=309ff4 a3=bf9cb39c items=0 ppid=2169
pid=3137 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7
tty=(none) comm="smb" exe="/usr/bin/smbspool"
subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1164100679.044:290): avc:  denied  { getattr } for  pid=3137
comm="smb" name="tmpfeaa5f0.tmp" dev=dm-0 ino=2550999
scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
tcontext=user_u:object_r:tmp_t:s0 tclass=file


Comment 12 Tim Waugh 2006-11-22 11:04:51 UTC
Daniel: smbspool seems to be iterating through all existing tmp files. (At
least, it does for me.)

Comment 13 Daniel Walsh 2006-11-27 18:51:38 UTC
Ok, is the printing working?  Can I just dontaudit these denials?

Comment 14 Daniel Walsh 2006-11-28 21:22:49 UTC
FIxed in selinux-policy-2.4.5-5

Comment 15 Gerard Fernandes 2006-11-30 14:08:23 UTC
Fixed - no more warnings/errors in SELinux. Printing is still not working - but
thats probably a driver issue.


Note You need to log in before you can comment on or make changes to this bug.