Bug 172053

Summary: network scanning hplip fails
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: x86_64
OS: Linux
Status: CLOSED INSUFFICIENT_DATA
Severity: medium
Priority: medium
Reporter: David Highley <david.m.highley>
Assignee: Daniel Walsh <dwalsh>
CC: twaugh
Doc Type: Bug Fix
Last Closed: 2006-05-05 14:21:51 UTC

Description David Highley 2005-10-29 22:58:00 UTC

Description of problem:
With the static ports defined in /etc/hp/hplip.conf printing works but the scanner still will not work with SELINUX=enforcing. I would provide more information but have not been able to find anything logged.

Version-Release number of selected component (if applicable):
hplip 0.9.6

How reproducible:
Always

Steps to Reproduce:
1. Applications->Accessories->HP Device Manager
2. Scan...

Actual Results:  Get pop up dialog box with this error:
Failed to open device 'hpaio:/net/Officejet_7300_serise?ip=10.2.2.10'
Error during device I/O.

Additional info:

Comment 1 David Highley 2005-10-30 02:01:40 UTC
Should have added the following information:
 2.6.13-1.1532_FC4smp #1 SMP Thu Oct 20 01:42:06 EDT 2005 x86_64 x86_64 x86_64 GNU/Linux

 cat /etc/hp/hplip.conf
# hplips.conf

[hpiod]
port=50000 (registered IP port)
# port=0 (dynamic IP port)

[hpssd]
port=50002
# port=0

[hplip]
version=0.9.6
# jdprobe=0

[dirs]
home=/usr/share/hplip
run=/var/run

Comment 2 Daniel Walsh 2005-10-31 15:32:53 UTC
Are you seeing avc messages in /var/log/messages or /var/log/audit/audit.log?

Comment 3 David Highley 2005-10-31 18:30:43 UTC
No, I did not see any avc messages in /var/log/messages. I looked around all the
other files in the /var/log directory and could not find anything logged.

I did run these tests:
SANE_DEBUG_DLL=128 scanimage -L and it completed without finding any issues. But
running scanimage: 
scanimage: open of device hpaio:/net/Officejet_7300_series?ip=10.2.2.10 failed: Error during device I/O

Comment 4 Daniel Walsh 2005-10-31 19:17:36 UTC
Does this work when you 
setenforce 0
?


Comment 5 David Highley 2005-11-01 04:39:37 UTC
Since I'm now running in permissive mode I did a setenforce 1. Then ran
scanimage and it failed. Then did a setenforce 0. Re-ran scanimage and it works.
So I checked the /var/log/messages file and found:
Oct 31 20:33:26 douglas dbus: avc:  received setenforce notice (enforcing=1)
Oct 31 20:33:26 douglas dbus: avc:  received setenforce notice (enforcing=1)
Oct 31 20:33:30 douglas su(pam_unix)[10344]: session closed for user root
Oct 31 20:33:37 douglas hpiod: ParDevice::nibble_read failed: Input/output error
Oct 31 20:33:38 douglas hpiod: unable to connect to scan err=13 port 9290 JetDirectChannel::Open: Permission denied
Oct 31 20:33:39 douglas hpiod: device cleanup uri=hp:/net/Officejet_7300_series?ip=10.2.2.10
Oct 31 20:34:12 douglas su(pam_unix)[10427]: session opened for user root by (uid=1001)
Oct 31 20:34:17 douglas dbus: avc:  received setenforce notice (enforcing=0)
Oct 31 20:34:17 douglas dbus: avc:  received setenforce notice (enforcing=0)


Comment 6 Daniel Walsh 2005-11-03 14:24:08 UTC
Ok, can you install policy sources

yum -y install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
setenforce 0
Try to scan.
See if you have anything in /var/log/messages or /var/log/audit/audit.log

When you are done testing you can do a 

make clean; make load


Comment 7 David Highley 2005-11-05 04:53:42 UTC
yum -y install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
setenforce 1
scanimage - which failed
See if you have anything in /var/log/messages or /var/log/audit/audit.log
type=SYSCALL msg=audit(1131166220.319:6823): arch=c000003e syscall=1 success=yes exit=6426822 a0=4 a1=2aaaae0c2010 a2=6210c6 a3=0 items=0 pid=32266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="load_policy" exe="/usr/sbin/load_policy"
type=AVC msg=audit(1131166304.466:6824): avc:  denied  { name_connect } for  pid=32350 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131166304.466:6824): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=413fa850 a2=10 a3=0 items=0 pid=32350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1131166304.466:6824): saddr=0200244A0A02020A0000000000000000
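
Added example, not part of the original bug report or of any commenter's post: a small Python triage script that correlates the three records sharing audit serial 6824 above and decodes the SOCKADDR payload, showing that the denied name_connect is hpiod reaching 10.2.2.10 on TCP 9290. The function names are hypothetical, and the sa_family field is assumed to be in little-endian host order, as on the reporter's x86_64 machine.

```python
import errno
import re
import socket
import struct

# Records from comment 7, with the line wraps rejoined (one record per line).
AUDIT_LOG = """\
type=AVC msg=audit(1131166304.466:6824): avc:  denied  { name_connect } for  pid=32350 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131166304.466:6824): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=413fa850 a2=10 a3=0 items=0 pid=32350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1131166304.466:6824): saddr=0200244A0A02020A0000000000000000
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")


def decode_saddr(hex_saddr):
    """Decode a raw sockaddr_in as logged by a little-endian host (assumption)."""
    raw = bytes.fromhex(hex_saddr)
    (family,) = struct.unpack_from("<H", raw, 0)   # sa_family: host byte order
    if family != socket.AF_INET:
        return None                                # only IPv4 is handled here
    (port,) = struct.unpack_from("!H", raw, 2)     # sin_port: network byte order
    return socket.inet_ntoa(raw[4:8]), port


def summarize_denials(log_text):
    """Group records by audit serial and return one summary per AVC denial."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events.setdefault(serial, {})
        if rtype == "AVC" and PERMS.search(body):
            ev["perms"] = PERMS.search(body).group(1).split()
            for key in ("comm", "scontext", "tcontext", "tclass"):
                ev[key] = fields.get(key)
        elif rtype == "SYSCALL" and fields.get("success") == "no":
            # A failed syscall logs exit=-errno; -13 maps to EACCES.
            ev["errno"] = errno.errorcode.get(-int(fields["exit"]))
        elif rtype == "SOCKADDR":
            ev["peer"] = decode_saddr(fields["saddr"])
    return [ev for ev in events.values() if "perms" in ev]


if __name__ == "__main__":
    for denial in summarize_denials(AUDIT_LOG):
        print(denial)
```

The target context port_t in the summary is the generic label for ports with no specific type, which is why the connect from hplip_t is refused until the port is given its own type.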

Comment 8 Daniel Walsh 2005-11-07 15:36:29 UTC
What is port 9290?  Is this a standard port or is this a port set by the user?  

Dan

Comment 9 Daniel Walsh 2005-11-07 15:41:35 UTC
Looking at the code I see the following

./io/hpiod/jetdirect.cpp:static const int ScanPort0[] = { 0, 9290, 9291, 9292 };

So I will add these three ports.

If you add the following lines to 
/etc/selinux/targeted/src/policy/domains/misc/local.te

portcon tcp 9290 system_u:object_r:hplip_port_t
portcon tcp 9291 system_u:object_r:hplip_port_t
portcon tcp 9292 system_u:object_r:hplip_port_t

Then do a make load, it should allow the scanning to continue.

Comment 10 John Thacker 2006-05-05 14:21:51 UTC
Closing due to lack of response.
Looks like this was probably added, according to the last comment.