Bug 172053 - network scanning hplip fails
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Assignee: Daniel Walsh
Reported: 2005-10-29 22:58 UTC by David Highley
Modified: 2007-11-30 22:11 UTC (History)
Last Closed: 2006-05-05 14:21:51 UTC
Description David Highley 2005-10-29 22:58:00 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
With the static ports defined in /etc/hp/hplip.conf printing works but the scanner still will not work with SELINUX=enforcing. I would provide more information but have not been able to find anything logged.

Version-Release number of selected component (if applicable):
hplip 0.9.6

How reproducible:
Always

Steps to Reproduce:
1. Applications -> Accessories -> HP Device Manager
2. Scan...

Actual Results:  Get pop up dialog box with this error:
Failed to open device 'hpaio:/net/Officejet_7300_serise?ip=10.2.2.10'
Error during device I/O.

Additional info:

Comment 1 David Highley 2005-10-30 02:01:40 UTC
Should have added the following information:
 2.6.13-1.1532_FC4smp #1 SMP Thu Oct 20 01:42:06 EDT 2005 x86_64 x86_64 x86_64
GNU/Linux

 cat /etc/hp/hplip.conf
# hplips.conf

[hpiod]
port=50000 (registered IP port)
# port=0 (dynamic IP port)

[hpssd]
port=50002
# port=0

[hplip]
version=0.9.6
# jdprobe=0

[dirs]
home=/usr/share/hplip
run=/var/run

Comment 2 Daniel Walsh 2005-10-31 15:32:53 UTC
Are you seeing avc messages in /var/log/messages or /var/log/audit/audit.log?

Comment 3 David Highley 2005-10-31 18:30:43 UTC
No, I did not see any avc messages in /var/log/messages. I looked around all the
other files in the /var/log directory and could not find anything logged.

I did run these tests:
SANE_DEBUG_DLL=128 scanimage -L and it completed without finding any issues. But
running scanimage: 
scanimage: open of device hpaio:/net/Officejet_7300_series?ip=10.2.2.10 failed:
Error during device I/O

Comment 4 Daniel Walsh 2005-10-31 19:17:36 UTC
Does this work when you 
setenforce 0
?


Comment 5 David Highley 2005-11-01 04:39:37 UTC
Since I'm now running in permissive mode I did a setenforce 1. Then ran
scanimage and it failed. Then did a setenforce 0. Re-ran scanimage and it works.
So I checked the /var/log/messages file and found:
Oct 31 20:33:26 douglas dbus: avc:  received setenforce notice (enforcing=1)
Oct 31 20:33:26 douglas dbus: avc:  received setenforce notice (enforcing=1)
Oct 31 20:33:30 douglas su(pam_unix)[10344]: session closed for user root
Oct 31 20:33:37 douglas hpiod: ParDevice::nibble_read failed: Input/output error
Oct 31 20:33:38 douglas hpiod: unable to connect to scan err=13 port 9290
JetDirectChannel::Open: Permission denied
Oct 31 20:33:39 douglas hpiod: device cleanup
uri=hp:/net/Officejet_7300_series?ip=10.2.2.10
Oct 31 20:34:12 douglas su(pam_unix)[10427]: session opened for user root by
(uid=1001)
Oct 31 20:34:17 douglas dbus: avc:  received setenforce notice (enforcing=0)
Oct 31 20:34:17 douglas dbus: avc:  received setenforce notice (enforcing=0)


Comment 6 Daniel Walsh 2005-11-03 14:24:08 UTC
Ok, can you install policy sources

yum -y install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
setenforce 0
Try to scan.
See if you have anything in /var/log/messages or /var/log/audit/audit.log

When you are done testing you can do a 

make clean; make load


Comment 7 David Highley 2005-11-05 04:53:42 UTC
yum -y install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
setenforce 1
scanimage - which failed
See if you have anything in /var/log/messages or /var/log/audit/audit.log
type=SYSCALL msg=audit(1131166220.319:6823): arch=c000003e syscall=1 success=yes
exit=6426822 a0=4 a1=2aaaae0c2010 a2=6210c6 a3=0 items=0 pid=32266
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="load_policy" exe="/usr/sbin/load_policy"
type=AVC msg=audit(1131166304.466:6824): avc:  denied  { name_connect } for 
pid=32350 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131166304.466:6824): arch=c000003e syscall=42 success=no
exit=-13 a0=5 a1=413fa850 a2=10 a3=0 items=0 pid=32350 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1131166304.466:6824): saddr=0200244A0A02020A0000000000000000
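
An added example, not part of the original comment or of the hplip or SELinux projects: the Python below groups the audit records above by event id and decodes the SOCKADDR record, showing that the denied `name_connect` was a TCP connect to 10.2.2.10 port 9290 that failed with EACCES. The function names are hypothetical, the records are the ones from this comment with wrapped lines rejoined, and the decoder assumes a little-endian host such as this x86_64 machine.

```python
import errno
import re
import socket
import struct

# Records from comment 7, with the wrapped lines rejoined.
AUDIT_LOG = """\
type=AVC msg=audit(1131166304.466:6824): avc:  denied  { name_connect } for  pid=32350 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131166304.466:6824): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=413fa850 a2=10 a3=0 items=0 pid=32350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1131166304.466:6824): saddr=0200244A0A02020A0000000000000000
"""

RECORD_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s+\{ ([^}]+) \}")

def decode_saddr(hexstr):
    """Decode an AF_INET sockaddr as logged by a little-endian host."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8 or struct.unpack_from("<H", raw, 0)[0] != socket.AF_INET:
        raise ValueError("not an AF_INET sockaddr")
    port, = struct.unpack_from("!H", raw, 2)  # sin_port is in network byte order
    return socket.inet_ntoa(raw[4:8]), port

def fields(body):
    """Split key=value pairs, dropping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def denials(log):
    """Group records by audit event id and summarise each AVC denial."""
    events = {}
    for line in log.splitlines():
        m = RECORD_RE.match(line)
        if m:
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    out = []
    for event_id, recs in events.items():
        perms = PERMS_RE.search(recs.get("AVC", ""))
        if not perms:
            continue
        avc = fields(recs["AVC"])
        row = {"event": event_id, "perms": perms.group(1).split(),
               "comm": avc.get("comm"), "scontext": avc.get("scontext"),
               "tcontext": avc.get("tcontext"), "tclass": avc.get("tclass")}
        if "SYSCALL" in recs:  # a failed syscall logs exit=-errno (here -13)
            row["errno"] = errno.errorcode.get(-int(fields(recs["SYSCALL"])["exit"]))
        if "SOCKADDR" in recs:
            row["peer"] = decode_saddr(fields(recs["SOCKADDR"])["saddr"])
        out.append(row)
    return out
```
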

Comment 8 Daniel Walsh 2005-11-07 15:36:29 UTC
What is port 9290?  Is this a standard port or is this a port set by the user?  

Dan

Comment 9 Daniel Walsh 2005-11-07 15:41:35 UTC
Looking at the code I see the following

./io/hpiod/jetdirect.cpp:static const int ScanPort0[] = { 0, 9290, 9291, 9292 };

So I will add these three ports.

If you add the following lines to 
/etc/selinux/targeted/src/policy/domains/misc/local.te

portcon tcp 9290 system_u:object_r:hplip_port_t
portcon tcp 9291 system_u:object_r:hplip_port_t
portcon tcp 9292 system_u:object_r:hplip_port_t

Then do a make load, it should allow the scanning to continue.

Comment 10 John Thacker 2006-05-05 14:21:51 UTC
Closing due to lack of response.
Looks like this was probably added, according to the last comment.

