From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
With the static ports defined in /etc/hp/hplip.conf printing works but the scanner still will not work with SELINUX=enforcing. I would provide more information but have not been able to find anything logged.

Version-Release number of selected component (if applicable):
hplip 0.9.6

How reproducible:
Always

Steps to Reproduce:
1. Applications->Accessories->HP Device Manager
2. Scan...
3.

Actual Results:
Get pop up dialog box with this error:
Failed to open device 'hpaio:/net/Officejet_7300_serise?ip=10.2.2.10' Error during device I/O.

Additional info:
Should have added the following information:
2.6.13-1.1532_FC4smp #1 SMP Thu Oct 20 01:42:06 EDT 2005 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/hp/hplip.conf
# hplips.conf
[hpiod]
port=50000 (registered IP port)
# port=0 (dynamic IP port)
[hpssd]
port=50002
# port=0
[hplip]
version=0.9.6
# jdprobe=0
[dirs]
home=/usr/share/hplip
run=/var/run
Are you seeing avc messages in /var/log/messages or /var/log/audit/audit.log?
No, I did not see any avc messages in /var/log/messages. I looked around all the other files in the /var/log directory and could not find anything logged. I did run these tests:
SANE_DEBUG_DLL=128 scanimage -L
and it completed without finding any issues. But running scanimage:
scanimage: open of device hpaio:/net/Officejet_7300_series?ip=10.2.2.10 failed: Error during device I/O
Does this work when you setenforce 0?
Since I'm now running in permissive mode I did a setenforce 1. Then ran scanimage and it failed. Then did a setenforce 0. Re-ran scanimage and it works. So I checked the /var/log/messages file and found:
Oct 31 20:33:26 douglas dbus: avc: received setenforce notice (enforcing=1)
Oct 31 20:33:26 douglas dbus: avc: received setenforce notice (enforcing=1)
Oct 31 20:33:30 douglas su(pam_unix)[10344]: session closed for user root
Oct 31 20:33:37 douglas hpiod: ParDevice::nibble_read failed: Input/output error
Oct 31 20:33:38 douglas hpiod: unable to connect to scan err=13 port 9290 JetDirectChannel::Open: Permission denied
Oct 31 20:33:39 douglas hpiod: device cleanup uri=hp:/net/Officejet_7300_series?ip=10.2.2.10
Oct 31 20:34:12 douglas su(pam_unix)[10427]: session opened for user root by (uid=1001)
Oct 31 20:34:17 douglas dbus: avc: received setenforce notice (enforcing=0)
Oct 31 20:34:17 douglas dbus: avc: received setenforce notice (enforcing=0)
Ok, can you install policy sources
yum -y install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
setenforce 0
Try to scan. See if you have anything in /var/log/messages or /var/log/audit/audit.log
When you are done testing you can do a
make clean; make load
yum -y install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
setenforce 1
scanimage - which failed
See if you have anything in /var/log/messages or /var/log/audit/audit.log
type=SYSCALL msg=audit(1131166220.319:6823): arch=c000003e syscall=1 success=yes exit=6426822 a0=4 a1=2aaaae0c2010 a2=6210c6 a3=0 items=0 pid=32266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="load_policy" exe="/usr/sbin/load_policy"
type=AVC msg=audit(1131166304.466:6824): avc: denied { name_connect } for pid=32350 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131166304.466:6824): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=413fa850 a2=10 a3=0 items=0 pid=32350 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1131166304.466:6824): saddr=0200244A0A02020A0000000000000000
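Added example, not part of the original thread: Python that groups the audit records from the comment above by event serial and decodes the SOCKADDR record, which shows the denied name_connect was to 10.2.2.10 on TCP port 9290. The function names are hypothetical, and the address family is read as little-endian on the assumption that the records come from an x86_64 host, as they do here.

```python
import re
import socket
import struct

# Records for event 6824, copied from the comment above, one per line.
AUDIT_LOG = """\
type=AVC msg=audit(1131166304.466:6824): avc: denied { name_connect } for pid=32350 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131166304.466:6824): arch=c000003e syscall=42 success=no exit=-13 a0=5 a1=413fa850 a2=10 a3=0 items=0 pid=32350 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1131166304.466:6824): saddr=0200244A0A02020A0000000000000000
"""

HEADER = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)")
AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def decode_saddr(hex_saddr):
    """Decode an AF_INET sockaddr hex dump into (ip, port)."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack("<H", raw[:2])[0]   # assumption: little-endian host
    if family != 2:                            # 2 == AF_INET
        raise ValueError("unsupported address family %d" % family)
    port = struct.unpack("!H", raw[2:4])[0]    # port is in network byte order
    return socket.inet_ntoa(raw[4:8]), port

def denials(log):
    """Return one dict per AVC denial, joined with its SOCKADDR record."""
    events = {}
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:
            rtype, serial, body = m.groups()
            events.setdefault(serial, {})[rtype] = body
    found = []
    for serial, recs in events.items():
        avc = AVC.search(recs.get("AVC", ""))
        if not avc:
            continue
        kv = dict(t.split("=", 1) for t in avc.group(2).split() if "=" in t)
        entry = {"serial": serial, "perms": avc.group(1).split(),
                 "comm": kv["comm"].strip('"'), "scontext": kv["scontext"],
                 "tcontext": kv["tcontext"], "tclass": kv["tclass"]}
        if "SOCKADDR" in recs:
            entry["peer"] = decode_saddr(recs["SOCKADDR"].split("saddr=", 1)[1])
        found.append(entry)
    return found

if __name__ == "__main__":
    for d in denials(AUDIT_LOG):
        print(d)
```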
What is port 9290? Is this a standard port or is this a port set by the user? Dan
Looking at the code I see the following
./io/hpiod/jetdirect.cpp:static const int ScanPort0[] = { 0, 9290, 9291, 9292 };
So I will add these three ports. If you add the following lines to /etc/selinux/targeted/src/policy/domains/misc/local.te
portcon tcp 9290 system_u:object_r:hplip_port_t
portcon tcp 9291 system_u:object_r:hplip_port_t
portcon tcp 9292 system_u:object_r:hplip_port_t
Then do a make load, it should allow the scanning to continue.
Closing due to lack of response. Looks like this was probably added, according to the last comment.