Bug 172053
| Field | Value |
|---|---|
| Summary | network scanning hplip fails |
| Product | [Fedora] Fedora |
| Component | selinux-policy-targeted |
| Version | 4 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED INSUFFICIENT_DATA |
| Severity | medium |
| Priority | medium |
| Reporter | David Highley <david.m.highley> |
| Assignee | Daniel Walsh <dwalsh> |
| CC | twaugh |
| Doc Type | Bug Fix |
| Last Closed | 2006-05-05 14:21:51 UTC |
Description
David Highley
2005-10-29 22:58:00 UTC
Should have added the following information:

```
2.6.13-1.1532_FC4smp #1 SMP Thu Oct 20 01:42:06 EDT 2005 x86_64 x86_64 x86_64 GNU/Linux
```

cat /etc/hp/hplip.conf

```
# hplips.conf
[hpiod]
port=50000 (registered IP port)
# port=0 (dynamic IP port)
[hpssd]
port=50002
# port=0
[hplip]
version=0.9.6
# jdprobe=0
[dirs]
home=/usr/share/hplip
run=/var/run
```

Are you seeing avc messages in /var/log/messages or /var/log/audit/audit.log?

No, I did not see any avc messages in /var/log/messages. I looked around all the other files in the /var/log directory and could not find anything logged. I did run these tests:

```
SANE_DEBUG_DLL=128 scanimage -L
```

and it completed without finding any issues. But running scanimage:

```
scanimage: open of device hpaio:/net/Officejet_7300_series?ip=10.2.2.10 failed: Error during device I/O
```

Does this work when you setenforce 0 ?

Since I'm now running in permissive mode I did a setenforce 1. Then ran scanimage and it failed. Then did a setenforce 0. Re-ran scanimage and it works. So I checked the /var/log/messages file and found:

```
Oct 31 20:33:26 douglas dbus: avc: received setenforce notice (enforcing=1)
Oct 31 20:33:26 douglas dbus: avc: received setenforce notice (enforcing=1)
Oct 31 20:33:30 douglas su(pam_unix)[10344]: session closed for user root
Oct 31 20:33:37 douglas hpiod: ParDevice::nibble_read failed: Input/output error
Oct 31 20:33:38 douglas hpiod: unable to connect to scan err=13 port 9290 JetDirectChannel::Open: Permission denied
Oct 31 20:33:39 douglas hpiod: device cleanup uri=hp:/net/Officejet_7300_series?ip=10.2.2.10
Oct 31 20:34:12 douglas su(pam_unix)[10427]: session opened for user root by (uid=1001)
Oct 31 20:34:17 douglas dbus: avc: received setenforce notice (enforcing=0)
Oct 31 20:34:17 douglas dbus: avc: received setenforce notice (enforcing=0)
```

Ok, can you install policy sources

```
yum -y install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
setenforce 0
```

Try to scan.

See if you have anything in /var/log/messages or /var/log/audit/audit.log

When you are done testing you can do a

```
make clean; make load
```

```
yum -y install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
setenforce 1
```

scanimage - which failed

See if you have anything in /var/log/messages or /var/log/audit/audit.log

```
type=SYSCALL msg=audit(1131166220.319:6823): arch=c000003e syscall=1 success=yes exit=6426822 a0=4 a1=2aaaae0c2010 a2=6210c6 a3=0 items=0 pid=32266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="load_policy" exe="/usr/sbin/load_policy"
type=AVC msg=audit(1131166304.466:6824): avc: denied { name_connect } for pid=32350 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131166304.466:6824): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=413fa850 a2=10 a3=0 items=0 pid=32350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1131166304.466:6824): saddr=0200244A0A02020A0000000000000000
```

What is port 9290? Is this a standard port or is this a port set by the user?

Dan

Looking at the code I see the following

```
./io/hpiod/jetdirect.cpp:static const int ScanPort0[] = { 0, 9290, 9291, 9292 };
```

So I will add these three ports.

If you add the following lines to /etc/selinux/targeted/src/policy/domains/misc/local.te

```
portcon tcp 9290 system_u:object_r:hplip_port_t
portcon tcp 9291 system_u:object_r:hplip_port_t
portcon tcp 9292 system_u:object_r:hplip_port_t
```

Then do a make load, it should allow the scanning to continue.

Closing due to lack of response. Looks like this was probably added, according to the last comment.
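An added example, not part of the bug report or of any project's code: it joins the AVC and SOCKADDR records quoted in the thread by audit event id and decodes the `saddr` field, which shows that the denied `name_connect` went to the scanner address from the `scanimage` error on port 9290. The function names are this example's own, and it assumes an IPv4 sockaddr logged on a little-endian host (the records show `arch=c000003e`, x86_64).

```python
import re
import socket
import struct

# Audit records for event 6824, copied from the thread above.
AUDIT_LOG = """\
type=AVC msg=audit(1131166304.466:6824): avc: denied { name_connect } for pid=32350 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131166304.466:6824): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=413fa850 a2=10 a3=0 items=0 pid=32350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1131166304.466:6824): saddr=0200244A0A02020A0000000000000000
"""

RECORD_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
AVC_RE = re.compile(
    r'denied \{ ([^}]+) \}.*comm="([^"]+)".*scontext=(\S+) tcontext=(\S+) tclass=(\S+)')


def decode_saddr(hex_saddr):
    """Decode an AF_INET sockaddr as auditd logs it: family in host order, port in network order."""
    raw = bytes.fromhex(hex_saddr)
    (family,) = struct.unpack_from("<H", raw, 0)  # little-endian host assumed
    if family != socket.AF_INET:
        raise ValueError(f"unsupported address family {family}")
    (port,) = struct.unpack_from("!H", raw, 2)
    return socket.inet_ntoa(raw[4:8]), port


def denied_connects(log_text):
    """Group records by audit event id and return one dict per denied name_connect."""
    events = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    results = []
    for event_id, recs in events.items():
        avc = AVC_RE.search(recs.get("AVC", ""))
        if not avc or "name_connect" not in avc.group(1).split() or "SOCKADDR" not in recs:
            continue
        ip, port = decode_saddr(recs["SOCKADDR"].split("saddr=")[1].strip())
        results.append({"event": event_id, "comm": avc.group(2), "source": avc.group(3),
                        "target": avc.group(4), "class": avc.group(5), "ip": ip, "port": port})
    return results


if __name__ == "__main__":
    for d in denied_connects(AUDIT_LOG):
        print(f'{d["comm"]} ({d["source"]}) denied connect to {d["ip"]}:{d["port"]}, '
              f'port labelled {d["target"]}')
```

The target context in the result is the generic `port_t`, which is why the reply proposes labelling ports 9290 to 9292 with `portcon`.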