Description of problem:
Printing, either by hp-setup or File->Print in Firefox, is denied by selinux targeted policy.

Version-Release number of selected component (if applicable):
hplip-0.9.8-6
firefox-1.5.0.1-9
selinux-policy-targeted-2.2.23-15

How reproducible:
Always

Steps to Reproduce:
1. Run /usr/bin/hp-setup to try to set up a printer and print a test page
2. or, if a printer is set up
3. File->Print from Firefox

Actual results:
Output from hp-setup:

[root@localhost ~]# hp-setup -m 192.168.1.199

HP Linux Imaging and Printing System (ver. 0.9.8)
Printer/Fax Setup Utility ver. 0.7

Copyright (c) 2003-5 Hewlett-Packard Development Company, LP
This software comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to distribute it
under certain conditions. See COPYING file for more details.

Found device: hp:/net/HP_Color_LaserJet_2840?ip=192.168.1.199

(Note: Defaults for each question are maked with a '*'. Press <enter> to accept the default.)

PRINT QUEUE SETUP

Please enter a name for this print queue (m=use model name:'HP_Color_LaserJet_2840'*, q=quit) ?m
Using queue name: HP_Color_LaserJet_2840

Found a possible PPD file: /usr/share/foomatic/db/source/PPD/HP/color_laser/HP_Color_LaserJet_2800.ppd.gz
Note: The model number may vary slightly from the actual model number on the device.

Does this PPD file appear to be the correct one (y=yes*, n=no, q=quit) ?y
Enter a location description for this printer (q=quit) ?MyNetwork
Enter additonal information or notes for this printer (q=quit) ?

Adding print queue to CUPS:
Device URI: hp:/net/HP_Color_LaserJet_2840?ip=192.168.1.199
Queue name: HP_Color_LaserJet_2840
PPD file: /usr/share/foomatic/db/source/PPD/HP/color_laser/HP_Color_LaserJet_2800.ppd.gz
Location: MyNetwork
Information:

Would you like to print a test page (y=yes*, n=no, q=quit) ?y
Load plain paper into printer and press 'enter' ?
[ERROR]: Unable to print to printer. Please check device and try again.

FAX QUEUE SETUP

Please enter a name for this fax queue (m=use model name:'HP_Color_LaserJet_2840_fax'*, q=quit) ?
Using queue name: HP_Color_LaserJet_2840_fax
[ERROR]: Unable to find HP fax PPD file! Please check you HPLIP installation and try again.

Output from /var/log/messages (when running hp-setup):

Mar 22 01:20:55 localhost python: [ERROR] Unable to print to printer. Please check device and try again.
Mar 22 01:20:55 localhost kernel: audit(1143015655.808:12): avc: denied { net_raw } for pid=1960 comm="python" capability=13 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
Mar 22 01:21:25 localhost python: [ERROR] Unable to find HP fax PPD file! Please check you HPLIP installation and try again.

Output from /var/log/messages (when printing from firefox):

Mar 22 01:21:56 localhost kernel: audit(1143015716.792:13): avc: denied { name_connect } for pid=2879 comm="hpiod" dest=9100 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Mar 22 01:21:56 localhost hpiod: unable to connect to print port 9100 JetDirectChannel::Open: Permission denied
Mar 22 01:21:57 localhost HP_Color_LaserJet_2840?ip=192.168.1.199: INFO: open print channel failed; will retry in 30 seconds...

Expected results:
Printing with no problems.

Additional info:
Modifying the selinux policy using system-config-securitylevel and disabling the 4 items related to printing does nothing to help the situation. Putting the system in permissive mode allows the print job to succeed. This was on a freshly installed system.
This is occurring in rawhide as well. Here is the audit2allow output.

[root@localhost ~]# audit2allow -i /var/log/messages
allow hplip_t port_t:tcp_socket name_connect;
You can fix this with

semanage port -a -p tcp -t hplip_port_t 9100

I will add this to policy but this should fix it for you.
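An added example, not part of the original report or of any SELinux tooling: a small Python triage of the AVC lines quoted in the report. For a name_connect denial on a port still typed port_t it proposes labelling that one port, as the semanage command does, where the audit2allow rule would cover every port typed port_t. The domain-to-port-type mapping is an assumption supplied by the administrator, and `parse_avc` and `triage` are hypothetical names.

```python
import re

# The two AVC lines and one non-AVC line, copied from the report above.
SAMPLE_LOG = '''Mar 22 01:20:55 localhost kernel: audit(1143015655.808:12): avc: denied { net_raw } for pid=1960 comm="python" capability=13 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:hplip_t:s0 tclass=capability
Mar 22 01:21:56 localhost kernel: audit(1143015716.792:13): avc: denied { name_connect } for pid=2879 comm="hpiod" dest=9100 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Mar 22 01:21:56 localhost hpiod: unable to connect to print port 9100 JetDirectChannel::Open: Permission denied
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial line, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log_text, port_types):
    """port_types maps a source domain to the port type an administrator
    chose for it (an assumption of this example, not read from policy)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        summary = "%s denied %s on %s:%s" % (
            rec["stype"], " ".join(rec["perms"]), rec["ttype"], rec.get("tclass"))
        ptype = port_types.get(rec["stype"])
        unlabelled_connect = (rec.get("tclass") == "tcp_socket"
                              and "name_connect" in rec["perms"]
                              and rec["ttype"] == "port_t"
                              and rec.get("dest", "").isdigit())
        if unlabelled_connect and ptype:
            # Label just this port instead of allowing all of port_t.
            out.append("semanage port -a -p tcp -t %s %s" % (ptype, rec["dest"]))
        else:
            out.append("# review: " + summary)
    return out

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG, {"hplip_t": "hplip_port_t"})))
```

The net_raw capability denial is only flagged for review, since the semanage command does not address it.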
Fixed in selinux-policy-2.2.29-2.fc5
I tested the selinux-policy-2.2.29-2.fc5 in updates-testing and the problem seems to be resolved.