[sane-devel] I need SELinux help
ToddAndMargo
ToddAndMargo at zoho.com
Fri Jan 5 20:26:46 UTC 2018
On 12/22/2017 02:19 PM, ToddAndMargo wrote:
> Hi All,
>
> Fedora Core 27
>
> # rpm -qa sane\*
> sane-backends-libs-1.0.27-8.fc27.i686
> sane-backends-1.0.27-8.fc27.x86_64
> sane-backends-daemon-1.0.27-8.fc27.x86_64
> sane-backends-drivers-scanners-1.0.27-8.fc27.i686
> sane-backends-libs-1.0.27-8.fc27.x86_64
> sane-backends-drivers-scanners-1.0.27-8.fc27.x86_64
> sane-backends-drivers-cameras-1.0.27-8.fc27.i686
> sane-backends-drivers-cameras-1.0.27-8.fc27.x86_64
>
> I am trying to run
>
> # systemctl start saned.socket
>
> And SELinux is taking a shine to it. The commands that it
> says to run
> # ausearch -c 'systemd' --raw | audit2allow -M my-systemd
> # semodule -X 300 -i my-systemd.pp
> do not work and the same SELinux error keeps appearing
>
> Permission denied in the journalctl message
>
> # systemctl [re]start saned.socket
>
> starts perfectly with "setenforce Permissive" and nothing shows
> up in the "SELinux Alert Browser".
>
> Turn SELinux back on and the original problem comes back.
>
> Many thanks,
> -T
>
>
> This is the SELinux error:
>
>
> SELinux is preventing systemd from listen access on the tcp_socket port
> None.
>
> ***** Plugin catchall (100. confidence) suggests
> **************************
>
> If you believe that systemd should be allowed listen access on the port
> None tcp_socket by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'systemd' --raw | audit2allow -M my-systemd
> # semodule -X 300 -i my-systemd.pp
>
> Additional Information:
> Source Context system_u:system_r:init_t:s0
> Target Context system_u:system_r:unconfined_service_t:s0
> Target Objects port None [ tcp_socket ]
> Source systemd
> Source Path systemd
> Port <Unknown>
> Host rn4.xxx.local
> Source RPM Packages
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-283.18.fc27.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name rn4.xx.local
> Platform Linux rn4.xxx.local 4.14.7-300.fc27.x86_64
> #1 SMP Mon Dec 18 16:06:12 UTC 2017
> x86_64 x86_64
> Alert Count 5
> First Seen 2017-12-20 13:35:43 PST
> Last Seen 2017-12-20 13:35:46 PST
> Local ID 0e806a1d-c379-4c0e-993b-286c5828ef2b
>
> Raw Audit Messages
> type=AVC msg=audit(1513805746.614:968): avc: denied { listen } for
> pid=1 comm="systemd" lport=6566 scontext=system_u:system_r:init_t:s0
> tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket
> permissive=0
>
>
> Hash: systemd,init_t,unconfined_service_t,tcp_socket,listen
>
>
>
> My systemctl scripts:
>
> saned.socket
>
> [Unit]
> Description=saned incoming socket
>
> [Socket]
> ListenStream=6566
> Accept=yes
> MaxConnections=1
>
> [Install]
> WantedBy=sockets.target
>
>
> saned at saned.service
>
> [Unit]
> Description=Scanner Service
> Requires=saned.socket
>
> [Service]
> ExecStart=/usr/sbin/saned
> User=saned
> Group=saned
> StandardInput=socket
> StandardOutput=syslog
> StandardError=syslog
> # Environment=SANE_CONFIG_DIR=/etc/sane.d
> Environment=SANE_CONFIG_DIR=/etc/sane.d SANE_DEBUG_DLL=255
> SANE_DEBUG_BJNP=5 SANE_DEBUG_NET=128
>
>
> [Install]
> Also=saned.socket
>
>
>
> What am I missing?
>
>
This is supposed to fix it. I have not verified it yet.
https://bugzilla.redhat.com/show_bug.cgi?id=1366968
https://koji.fedoraproject.org/koji/buildinfo?buildID=1013233
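As an added illustration, not code from the thread, here is a small Python parser for the raw AVC message quoted above: it pulls out the fields an admin checks (source and target types, object class, port, the permissive flag) and collapses the denials into the TE allow rule that audit2allow would build a module from, so the grant can be read before any module is loaded. The SYSCALL line and the permissive=1 line in the sample are constructed; the AVC line is the one from the thread re-joined onto one line.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
# Constructed sample input: the AVC line quoted in the thread, re-joined onto one
# line (the mail client wrapped it), plus a SYSCALL line and a permissive=1 copy
# made up here to exercise the "not an AVC record" and permissive-mode paths.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1513805746.614:968): arch=c000003e syscall=50 success=no exit=-13 comm="systemd" exe="/usr/lib/systemd/systemd"
type=AVC msg=audit(1513805746.614:968): avc:  denied  { listen } for  pid=1 comm="systemd" lport=6566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1513805900.100:975): avc:  denied  { listen } for  pid=1 comm="systemd" lport=6566 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=tcp_socket permissive=1
"""

AVC_RE = re.compile(r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
                    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare

def selinux_type(context):           # user:role:type[:level] -> type
    return context.split(":")[2]

@dataclass
class AvcRecord:
    serial: int
    result: str      # "denied" or "granted"
    perms: tuple     # permissions listed inside { ... }, e.g. ("listen",)
    fields: dict     # pid, comm, lport, scontext, tcontext, tclass, permissive, ...

    def enforced(self):              # permissive=0: the kernel actually refused the call
        return self.fields.get("permissive") == "0"

def parse_avc(text):
    """Return one AvcRecord per type=AVC line; SYSCALL, PROCTITLE etc. lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: quoted if bare == "" else bare for k, quoted, bare in KV_RE.findall(m["rest"])}
        records.append(AvcRecord(int(m["serial"]), m["result"], tuple(m["perms"].split()), fields))
    return records

def allow_rules(records, include_permissive=False):
    """Collapse denials into one TE allow rule per (source type, target type, class)."""
    grouped = defaultdict(set)
    for r in records:
        if r.result != "denied" or (not r.enforced() and not include_permissive):
            continue
        key = (selinux_type(r.fields["scontext"]), selinux_type(r.fields["tcontext"]), r.fields["tclass"])
        grouped[key].update(r.perms)
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in sorted(grouped.items())]
```

Feeding it `ausearch -m AVC --raw` output instead of the sample shows exactly which source/target type pair a generated module would open up before `semodule -i` is run.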