Bug 190897
Summary: | net_raw access (to network printer) is denied to (python) hp-info | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ross Tyler <rossetyler> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5 | CC: | dwalsh |
Hardware: | i386 | ||
OS: | Linux | ||
Fixed In Version: | Current | Doc Type: | Bug Fix |
Last Closed: | 2007-03-28 20:06:27 UTC | Type: | --- |
Description
Ross Tyler
2006-05-06 02:02:22 UTC
When running xsane as a non-root user, I get

    *** glibc detected *** xsane: munmap_chunk(): invalid pointer: 0x009c0097 ***
    ======= Backtrace: =========
    /lib/libc.so.6(__libc_free+0x17b)[0x16851f]
    ...

as well as the following in /var/log/messages

    May 6 12:39:43 localhost hpiod: ParDevice::nibble_read failed: Input/output error
    May 6 12:39:43 localhost kernel: audit(1146944383.808:542): avc: denied { name_connect } for pid=5480 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
    May 6 12:39:43 localhost hpiod: unable to connect to scan err=13 port 9290 JetDirectChannel::Open: Permission denied
    May 6 12:39:44 localhost hpiod: device cleanup uri=hp:/net/Officejet_7300_series?ip=192.168.0.5

    # Disabling SELinux entirely or just setting a SELinux boolean to only
    # Disable SELinux protection for cups hplip daemon
    # is a workaround to this problem.
    # This may be done from the system-config-securitylevel or with setsebool:
    setsebool -P hplip_disable_trans=1
    service hplip restart

Fix yum update to the latest policy version which fixes your net_raw problem.

You can add the 9290 port to policy by executing

    semanage port -a -t hplip_port_t -p tcp 9290

I will add this port in selinux-policy-2.2.38-1.fc5

I ran

    yum update selinux-policy

I then undid my workaround:

    setsebool -P hplip_disable_trans=1

and replaced it with yours

    semanage port -a -t hplip_port_t -p tcp 9290

I was able to recreate the print queue successfully, access the hp-toolbox and scan. I was _not_ able to use hp-unload to access the memory card reader. However, following your lead, I was able to fix this as well:

    semanage port -a -t hplip_port_t -p tcp 9220

Now everything seems to work. Can I expect that both of these changes will be added to selinux-policy-2.2.38-1.fc5? Thanks!
Nope, I missed 9220. I have updated rawhide with the following for hplip:

    network_port(hplip, tcp,50000,s0, tcp,50002,s0, tcp,1782,s0, tcp,9100,s0, tcp,9102,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)

I think that covers them all. I will add this update to FC5 in about a week.

Closing bugs
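The triage done by hand in this thread, as an added example that is not part of the bug report or of any SELinux tool: it parses AVC lines, keeps `name_connect` denials whose target port still carries the generic `port_t` type, and prints the matching `semanage port -a` command. The function names, the `DOMAIN_PORT_TYPE` mapping and the second sample log line are assumptions made for the illustration; only the `hplip_t` to `hplip_port_t` pairing comes from the report.

```python
import re

# Sample input: the AVC line from this report plus one constructed, unrelated denial.
SAMPLE_LOG = """\
May 6 12:39:43 localhost kernel: audit(1146944383.808:542): avc: denied { name_connect } for pid=5480 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
May 6 12:40:01 localhost kernel: audit(1146944401.120:543): avc: denied { read } for pid=5501 comm="example" name="f" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: the port type each confined domain is expected to connect to.
DOMAIN_PORT_TYPE = {"hplip_t": "hplip_port_t"}

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields

def context_type(ctx):
    """Extract the type from a user:role:type:level security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None

def unlabeled_port_denials(log_text):
    """(source domain, protocol, port) for name_connect denials on generic port_t."""
    hits = set()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if not avc or "name_connect" not in avc["perms"] or "dest" not in avc:
            continue
        if context_type(avc.get("tcontext", "")) != "port_t":
            continue  # port already has a specific type; labelling is not the fix
        proto = avc.get("tclass", "").replace("_socket", "")
        hits.add((context_type(avc.get("scontext", "")), proto, int(avc["dest"])))
    return sorted(hits)

def suggest_labels(log_text):
    """Build semanage commands only for domains with a known port type."""
    return [f"semanage port -a -t {DOMAIN_PORT_TYPE[d]} -p {proto} {port}"
            for d, proto, port in unlabeled_port_denials(log_text)
            if d in DOMAIN_PORT_TYPE]

if __name__ == "__main__":
    print("\n".join(suggest_labels(SAMPLE_LOG)))
```

Labelling the port keeps the daemon confined, unlike the `hplip_disable_trans` workaround, which turns off protection for the whole domain.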