Bug 172053 - network scanning hplip fails
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 4
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-10-29 18:58 EDT by David Highley
Modified: 2007-11-30 17:11 EST
Last Closed: 2006-05-05 10:21:51 EDT
Description David Highley 2005-10-29 18:58:00 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.7.12) Gecko/20050922 Fedora/1.0.7-1.1.fc4 Firefox/1.0.7

Description of problem:
With the static ports defined in /etc/hp/hplip.conf printing works but the scanner still will not work with SELINUX=enforcing. I would provide more information but have not been able to find anything logged.

Version-Release number of selected component (if applicable):
hplip 0.9.6

How reproducible:
Always

Steps to Reproduce:
1. Applications->Accessories->HP Device Manager
2. Scan...

Actual Results:  Get pop up dialog box with this error:
Failed to open device 'hpaio:/net/Officejet_7300_serise?ip=10.2.2.10'
Error during device I/O.

Additional info:
Comment 1 David Highley 2005-10-29 22:01:40 EDT
Should have added the following information:
 2.6.13-1.1532_FC4smp #1 SMP Thu Oct 20 01:42:06 EDT 2005 x86_64 x86_64 x86_64
GNU/Linux

 cat /etc/hp/hplip.conf
# hplips.conf

[hpiod]
port=50000 (registered IP port)
# port=0 (dynamic IP port)

[hpssd]
port=50002
# port=0

[hplip]
version=0.9.6
# jdprobe=0

[dirs]
home=/usr/share/hplip
run=/var/run
Comment 2 Daniel Walsh 2005-10-31 10:32:53 EST
Are you seeing avc messages in /var/log/messages or /var/log/audit/audit.log?
Comment 3 David Highley 2005-10-31 13:30:43 EST
No, I did not see any avc messages in /var/log/messages. I looked around all the
other files in the /var/log directory and could not find anything logged.

I did run these tests:
SANE_DEBUG_DLL=128 scanimage -L and it completed without finding any issues. But
running scanimage: 
scanimage: open of device hpaio:/net/Officejet_7300_series?ip=10.2.2.10 failed:
Error during device I/O
Comment 4 Daniel Walsh 2005-10-31 14:17:36 EST
Does this work when you 
setenforce 0
?
Comment 5 David Highley 2005-10-31 23:39:37 EST
Since I'm now running in permissive mode I did a setenforce 1. Then ran
scanimage and it failed. Then did a setenforce 0. Re-ran scanimage and it works.
So I checked the /var/log/messages file and found:
Oct 31 20:33:26 douglas dbus: avc:  received setenforce notice (enforcing=1)
Oct 31 20:33:26 douglas dbus: avc:  received setenforce notice (enforcing=1)
Oct 31 20:33:30 douglas su(pam_unix)[10344]: session closed for user root
Oct 31 20:33:37 douglas hpiod: ParDevice::nibble_read failed: Input/output error
Oct 31 20:33:38 douglas hpiod: unable to connect to scan err=13 port 9290
JetDirectChannel::Open: Permission denied
Oct 31 20:33:39 douglas hpiod: device cleanup
uri=hp:/net/Officejet_7300_series?ip=10.2.2.10
Oct 31 20:34:12 douglas su(pam_unix)[10427]: session opened for user root by
(uid=1001)
Oct 31 20:34:17 douglas dbus: avc:  received setenforce notice (enforcing=0)
Oct 31 20:34:17 douglas dbus: avc:  received setenforce notice (enforcing=0)
Comment 6 Daniel Walsh 2005-11-03 09:24:08 EST
Ok, can you install policy sources

yum -y install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
setenforce 0
Try to scan.
See if you have anything in /var/log/messages or /var/log/audit/audit.log

When you are done testing you can do a 

make clean; make load
Comment 7 David Highley 2005-11-04 23:53:42 EST
yum -y install selinux-policy-targeted-sources
cd /etc/selinux/targeted/src/policy
make enableaudit; make load
setenforce 1
scanimage - which failed
See if you have anything in /var/log/messages or /var/log/audit/audit.log
type=SYSCALL msg=audit(1131166220.319:6823): arch=c000003e syscall=1 success=yes
exit=6426822 a0=4 a1=2aaaae0c2010 a2=6210c6 a3=0 items=0 pid=32266
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="load_policy" exe="/usr/sbin/load_policy"
type=AVC msg=audit(1131166304.466:6824): avc:  denied  { name_connect } for 
pid=32350 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t
tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131166304.466:6824): arch=c000003e syscall=42 success=no
exit=-13 a0=5 a1=413fa850 a2=10 a3=0 items=0 pid=32350 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="hpiod" exe="/usr/sbin/hpiod"
type=SOCKADDR msg=audit(1131166304.466:6824): saddr=0200244A0A02020A0000000000000000
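
Added example, not part of the original thread: a short Python script that groups the audit records above by event ID, extracts the name_connect denial, and decodes the SOCKADDR hex into the address and port hpiod tried to reach. The record strings are copied from Comment 7 with wrapped lines rejoined and the SYSCALL record abridged; the function names are this example's own.

```python
import re
import socket
import struct

# Records copied from Comment 7, wrapped lines rejoined, SYSCALL record abridged.
RECORDS = [
    'type=AVC msg=audit(1131166304.466:6824): avc:  denied  { name_connect } for '
    'pid=32350 comm="hpiod" dest=9290 scontext=system_u:system_r:hplip_t '
    'tcontext=system_u:object_r:port_t tclass=tcp_socket',
    'type=SYSCALL msg=audit(1131166304.466:6824): arch=c000003e syscall=42 '
    'success=no exit=-13 pid=32350 comm="hpiod" exe="/usr/sbin/hpiod"',
    'type=SOCKADDR msg=audit(1131166304.466:6824): '
    'saddr=0200244A0A02020A0000000000000000',
]
HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_saddr(hex_saddr):
    """Decode a hex-dumped sockaddr_in into (ip, port); None if not AF_INET."""
    raw = bytes.fromhex(hex_saddr)
    # sa_family is host-endian; arch=c000003e (x86_64) means little-endian.
    if len(raw) < 8 or struct.unpack('<H', raw[:2])[0] != socket.AF_INET:
        return None
    (port,) = struct.unpack('!H', raw[2:4])  # sin_port is network byte order
    return socket.inet_ntoa(raw[4:8]), port

def denied_connects(records):
    """Pair each name_connect denial with the SOCKADDR of the same audit event."""
    events = {}
    for line in records:
        m = HEADER.match(line)
        if m:
            events.setdefault(m.group(2), {})[m.group(1)] = line
    findings = []
    for event_id, recs in events.items():
        avc = recs.get('AVC', '')
        if 'denied' not in avc or 'name_connect' not in avc:
            continue
        f = dict(FIELD.findall(avc))
        hit = {'event': event_id, 'comm': f['comm'].strip('"'),
               'scontext': f['scontext'], 'tcontext': f['tcontext'],
               'dest': int(f['dest'])}
        sa = re.search(r'saddr=([0-9A-Fa-f]+)', recs.get('SOCKADDR', ''))
        hit['peer'] = decode_saddr(sa.group(1)) if sa else None
        findings.append(hit)
    return findings

print(denied_connects(RECORDS))
```

The decoded peer, 10.2.2.10 port 9290, matches the ip= value in the device URI and the dest= field of the AVC record, and the target context port_t shows the port carried only the generic port label when hplip_t tried to connect.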
Comment 8 Daniel Walsh 2005-11-07 10:36:29 EST
What is port 9290?  Is this a standard port or is this a port set by the user?  

Dan
Comment 9 Daniel Walsh 2005-11-07 10:41:35 EST
Looking at the code I see the following

./io/hpiod/jetdirect.cpp:static const int ScanPort0[] = { 0, 9290, 9291, 9292 };

So I will add these three ports.

If you add the following lines to 
/etc/selinux/targeted/src/policy/domains/misc/local.te

portcon tcp 9290 system_u:object_r:hplip_port_t
portcon tcp 9291 system_u:object_r:hplip_port_t
portcon tcp 9292 system_u:object_r:hplip_port_t

Then do a make load, it should allow the scanning to continue.
Comment 10 John Thacker 2006-05-05 10:21:51 EDT
Closing due to lack of response.
Looks like this was probably added, according to the last comment.
