Bug 235810 - selinux error connecting to samba cups printer (connectto denied)
Product: Fedora
Classification: Fedora
Component: samba
Version: 6
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Samba Maint Team
QA Contact: David Lawrence
Reported: 2007-04-10 10:01 UTC by Jason Salcido
Modified: 2007-11-30 22:12 UTC

Doc Type: Bug Fix
Last Closed: 2007-04-10 14:21:28 UTC

Description Jason Salcido 2007-04-10 10:01:33 UTC
Description of problem:
Trying to connect a Windows client to a samba server on fc6 with latest updates.
I get an selinux error message:

SELinux is preventing /usr/sbin/smbd (smbd_t) "connectto" access to
/var/run/cups/cups.sock (initrc_t).

Did restorecon on cups.sock but still get error.

Version-Release number of selected component (if applicable):
Using selinux-policy 2.4.6-49.fc6. 
cups 1.2.10-3.fc6
samba 3.0.24-3.fc6

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
samba config for printers:
   comment = All Printers
   path = /usr/spool/samba
   browseable = yes
# Set public = yes to allow user 'guest account' to print
   public = yes
   guest ok = yes
   writable = no
   printable = yes

security context for cups.sock
user_u:object_r:cupsd_var_run_t  cups.sock

selinux alert info:
Source Context:  user_u:system_r:smbd_t
Target Context:  user_u:system_r:initrc_t:SystemLow-SystemHigh
Target Objects:  /var/run/cups/cups.sock [ unix_stream_socket ]
Affected RPM Packages:  samba-3.0.24-3.fc6 [application]
Policy RPM:  selinux-policy-2.4.6-49.fc6
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  plugins.disable_trans

avc: denied { connectto } for comm="smbd" egid=0 euid=0 exe="/usr/sbin/smbd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="cups.sock"
path="/var/run/cups/cups.sock" pid=13535 scontext=user_u:system_r:smbd_t:s0
sgid=0 subj=user_u:system_r:smbd_t:s0 suid=0 tclass=unix_stream_socket
tcontext=user_u:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0

Comment 1 Jason Salcido 2007-04-10 10:05:15 UTC
Performed test by disabling selinux for smbd; connecting to server for
printers works with no denied errors from selinux.

Comment 2 Daniel Walsh 2007-04-10 14:21:28 UTC
Did you disable trans on cups?  You should re-enable it and add policy to fix why
ever you disabled it in the first place.

Comment 3 Jason Salcido 2007-04-10 21:22:22 UTC
I had previously disabled selinux on cups because of numerous problems including
the fact that cups-pdf would not work without significant selinux tweaking.  I
enabled selinux for cupsd and for smbd to check your hypothesis and in fact the
client can see and use the printer queues.  However the client still sees an
"access denied" when viewing the queue despite being able to print to it.  This
seems odd that samba would require that cups selinux be enabled since it exposes
printing services through cups.  It seems more logical to have samba work
despite what selinux setting cups may have.  This still seems to me like a bug
because I cannot fix every dependency samba has on other subsystems and selinux.
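
Added example (not part of the original report or of any commenter's post): a small Python parser for the AVC record quoted in the description, showing why restorecon on cups.sock did not change the denial. For a connectto check on a unix_stream_socket the target context is the domain of the listening process, not the label of the socket file. The function names and finding strings are assumptions made for this illustration.

```python
import re

# AVC record copied from the bug description, joined onto one line.
AVC = ('avc: denied { connectto } for comm="smbd" egid=0 euid=0 '
       'exe="/usr/sbin/smbd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
       'name="cups.sock" path="/var/run/cups/cups.sock" pid=13535 '
       'scontext=user_u:system_r:smbd_t:s0 sgid=0 '
       'subj=user_u:system_r:smbd_t:s0 suid=0 tclass=unix_stream_socket '
       'tcontext=user_u:system_r:initrc_t:s0-s0:c0.c1023 tty=(none) uid=0')

# File label the reporter listed for cups.sock.
SOCKET_FILE_CONTEXT = "user_u:object_r:cupsd_var_run_t"


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        raise ValueError("not an AVC denial record")
    rec = {"perms": m.group(1).split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        rec[key] = value.strip('"')
    return rec


def context_type(ctx):
    """Third field of user:role:type[:level] is the SELinux type/domain."""
    return ctx.split(":")[2]


def diagnose(rec, file_context=None):
    """Hypothetical helper: explain what the target context refers to."""
    findings = []
    ttype = context_type(rec["tcontext"])
    if rec["tclass"] == "unix_stream_socket" and "connectto" in rec["perms"]:
        findings.append("target is the listening process domain: " + ttype)
        if file_context and context_type(file_context) != ttype:
            findings.append("socket file label %s is not what was checked; "
                            "relabeling the file cannot clear this denial"
                            % context_type(file_context))
    if ttype == "initrc_t":
        findings.append("peer runs in initrc_t: started by an init script "
                        "with no transition into its own domain")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_avc(AVC), SOCKET_FILE_CONTEXT):
        print("-", finding)
```

The initrc_t finding matches the disable_trans plugin named in the alert and the question in Comment 2: with the transition disabled, cupsd stays in initrc_t, and smbd_t is denied connectto to that domain.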
