Bug 235810 - selinux error connecting to samba cups printer (connectto denied)
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: samba
Version: 6
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Samba Maint Team
David Lawrence
Reported: 2007-04-10 06:01 EDT by Jason Salcido
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-04-10 10:21:28 EDT


Description Jason Salcido 2007-04-10 06:01:33 EDT
Description of problem:
Trying to connect a Windows client to a samba server on fc6 with latest updates.
I get an selinux error message:

SELinux is preventing /usr/sbin/smbd (smbd_t) "connectto" access to
/var/run/cups/cups.sock (initrc_t).

Did restorecon on cups.sock but still get error.

Version-Release number of selected component (if applicable):
Using selinux-policy 2.4.6-49.fc6. 
cups 1.2.10-3.fc6
samba 3.0.24-3.fc6

Additional info:
samba config for printers:
[printers]
   comment = All Printers
   path = /usr/spool/samba
   browseable = yes
# Set public = yes to allow user 'guest account' to print
   public = yes
   guest ok = yes
   writable = no
   printable = yes

security context for cups.sock
user_u:object_r:cupsd_var_run_t  cups.sock

selinux alert info:
Source Context:  user_u:system_r:smbd_t
Target Context:  user_u:system_r:initrc_t:SystemLow-SystemHigh
Target Objects:  /var/run/cups/cups.sock [ unix_stream_socket ]
Affected RPM Packages:  samba-3.0.24-3.fc6 [application]
Policy RPM:  selinux-policy-2.4.6-49.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.disable_trans

avc: denied { connectto } for comm="smbd" egid=0 euid=0 exe="/usr/sbin/smbd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="cups.sock"
path="/var/run/cups/cups.sock" pid=13535 scontext=user_u:system_r:smbd_t:s0
sgid=0 subj=user_u:system_r:smbd_t:s0 suid=0 tclass=unix_stream_socket
tcontext=user_u:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0
Comment 1 Jason Salcido 2007-04-10 06:05:15 EDT
Performed test by disabling selinux for smbd; connecting to server for
printers works with no denied errors from selinux.
Comment 2 Daniel Walsh 2007-04-10 10:21:28 EDT
Did you disable trans on cups?  You should reenable it and add policy to fix why
ever you disabled it in the first place.

Comment 3 Jason Salcido 2007-04-10 17:22:22 EDT
I had previously disabled selinux on cups because of numerous problems including
the fact that cups-pdf would not work without significant selinux tweaking.  I
enabled selinux for cupsd and for smbd to check your hypothesis and in fact the
client can see and use the printer queues.  However the client still sees an
"access denied" when viewing the queue despite being able to print to it.  This
seems odd that samba would require that cups selinux be enabled since it exposes
printing services through cups.  It seems more logical to have samba work
despite what selinux setting cups may have.  This still seems to me like a bug
because I cannot fix every dependency samba has on other subsystems and selinux.
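
Added example, not part of the original report and not Fedora or setroubleshoot code: a small Python triage of the AVC record quoted in the description. It shows why restorecon on cups.sock had no effect (for connectto the target context belongs to the listening process, not the socket file) and flags the initrc_t peer that Comment 2 points at. The function names parse_avc, se_type and triage are hypothetical.

```python
import re

# AVC record from the report above, rejoined onto a single line.
AVC = (
    'avc: denied { connectto } for comm="smbd" egid=0 euid=0 '
    'exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
    'name="cups.sock" path="/var/run/cups/cups.sock" pid=13535 '
    'scontext=user_u:system_r:smbd_t:s0 sgid=0 '
    'subj=user_u:system_r:smbd_t:s0 suid=0 tclass=unix_stream_socket '
    'tcontext=user_u:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0'
)


def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if m is None:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["perms"] = m.group(1).split()
    return fields


def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed context: " + context)
    return parts[2]


def triage(line):
    """Summarise who was denied what, and flag a peer stuck in initrc_t."""
    f = parse_avc(line)
    src, tgt = se_type(f["scontext"]), se_type(f["tcontext"])
    # For connectto on a unix_stream_socket the target context is that of the
    # listening process, not the label on the socket file, so restorecon on
    # the path cannot change it.
    peer_is_process = f["tclass"] == "unix_stream_socket" and "connectto" in f["perms"]
    return {
        "source": src, "target": tgt, "perms": f["perms"], "tclass": f["tclass"],
        "peer_is_process": peer_is_process,
        # initrc_t is the init-script domain: a daemon still running there
        # never transitioned into its own confined domain.
        "peer_untransitioned": peer_is_process and tgt == "initrc_t",
    }


if __name__ == "__main__":
    print(triage(AVC))
```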
