Bug 234742

Summary: selinux blocks access for hpiod to talk to scanner (hp multifunction printer)
Product: [Fedora] Fedora Reporter: Bernard Johnson <bjohnson>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 6   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Current Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-04-12 12:53:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Bernard Johnson 2007-04-01 10:31:23 UTC 
Description of problem:
selinux blocks access for hpiod to talk to scanner (hp multifunction printer).

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-46.fc6

How reproducible:
Always, just try using something xsane to scan.
  
Actual results:

Apr  1 04:19:41 snowflake kernel: audit(1175422781.500:10): avc:  denied  {
name_connect } for  pid=12550 comm="hpiod" dest=8290
scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0
tclass=tcp_socket
Comment 1 Daniel Walsh 2007-04-02 16:22:54 UTC 
Is this a normal port for hpiod to try to connect to?

hpiod is currently able to connect to

network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp,50000,s0,
tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0,
tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0,
tcp,9291,s0, tcp,9292,s0)

You can add this port by executing

semanage port -a -t hplip_port_t -P tcp 8290
Comment 2 Bernard Johnson 2007-04-02 16:49:02 UTC 
Honestly, I don't know if it's a normal port - but I have to assume it is.

I don't normally run with selinux on with this box because I use it for mock
builds and have unresolved selinux badness going on - but that's another story.

I just noticed this because the hard drive in the machine failed and I rebuilt
the machine and forgot to turn off selinux right away.

As far as I can tell, it's only the scanner that uses this port.
Comment 3 Daniel Walsh 2007-04-05 17:48:18 UTC 
Fixed in selinux-policy-2.4.6-52
Comment 4 Bernard Johnson 2007-04-11 21:43:56 UTC 
Verified.