[sane-devel] xinetd fails to start saned

Terry Spearman tnspearman at twc.com
Wed Feb 13 04:02:02 GMT 2019


I think I may have solved it:

I ran: cat /var/log/messages | grep "SELinux is preventing"

to get a list of things that were being blocked by SELinux and suggested fixes.
Zeroing in on messages discussing preventing /usr/sbin/xinetd from name_bind access on the tcp_socket_port 6566,

I ran: semanage port -a -t inet_child_port_t -p tcp 6566
Followed by:
setsebool -P nis_enabled 1  (I'm not sure this was necessary)

At this stage when I restarted xinetd and then checked its status, I was no longer seeing an error message, but scanimage -L was detecting the scanner but not the network version.

I then ran:

ausearch -c 'xinetd' --raw | audit2allow -M my-xinetd
semodule -i my-xinetd.pp

At this stage, I was still not able to scan from Windows Fax and Scan on my Windows 10 desktop, and when I checked the status of xinetd, it said saned was exiting.

I ran: cat /var/log/messages | grep "SELinux is preventing" again, and this time saw a message about how SELinux was preventing /usr/sbin/saned from create access on the netlink_kobject_uevent_socket labelled inetd_child_t.

Following the suggestion I ran:

ausearch -c 'saned' --raw | audit2allow -M my-saned
semodule -i my-saned.pp

After this, network scanning from Windows via Windows Fax and Scan is working as intended.  My only worry at this point is related to the wording of the messages resulting from running cat /var/log/messages | grep "SELinux is preventing".  It says "you can generate a local policy to allow this access. Allow this access for now by executing:"

ausearch -c 'xinetd' --raw | audit2allow -M my-xinetd
semodule -i my-xinetd.pp

I worry about the "for now".  I have not yet determined whether these changes will survive a server reboot.
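
Added example, not part of the original post and not code from the SANE or SELinux projects: a way to review what `ausearch -c ... --raw` returns before piping it into `audit2allow -M`, and to list the local changes made above so they can be checked after a reboot. The AVC records are constructed samples (timestamps, pids and the inetd_t / unreserved_port_t contexts are assumptions), and `summarize_avc`, `bind_ports` and `show_local_changes` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample records in the raw audit format (not taken from the thread).
sample_avc() {
  cat <<'EOF'
type=AVC msg=audit(1549909864.101:311): avc:  denied  { name_bind } for  pid=6982 comm="xinetd" src=6566 scontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1549993563.207:402): avc:  denied  { name_bind } for  pid=7648 comm="xinetd" src=6566 scontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1549994100.550:415): avc:  denied  { create } for  pid=7701 comm="saned" scontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=netlink_kobject_uevent_socket permissive=0
EOF
}

# Read raw AVC records on stdin; print one line per distinct denial:
#   count comm permissions tclass source_type->target_type port=N
summarize_avc() {
  awk '
    # Value of key=value on the current record, quotes stripped, "-" if absent.
    function field(key,   i, v) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=") == 1) {
          v = substr($i, length(key) + 2); gsub(/"/, "", v); return v
        }
      return "-"
    }
    # Third component of user:role:type:level is the SELinux type.
    function ctype(ctx,   p) { split(ctx, p, ":"); return p[3] }
    /avc:/ && /denied/ {
      perms = $0
      sub(/^.*[{] */, "", perms); sub(/ *[}].*$/, "", perms); gsub(/ /, ",", perms)
      key = field("comm") " " perms " " field("tclass") " " \
            ctype(field("scontext")) "->" ctype(field("tcontext")) " port=" field("src")
      if (!(key in n)) order[++k] = key
      n[key]++
    }
    END { for (i = 1; i <= k; i++) print n[order[i]], order[i] }'
}

# Ports with name_bind denials: these were handled above with
# `semanage port -a`, so they need not be granted by a policy module as well.
bind_ports() {
  summarize_avc | awk '$3 ~ /name_bind/ { sub(/^port=/, "", $6); print $6 }' | sort -u
}

# On the SELinux host (as root): list local port labels, modules and the boolean.
show_local_changes() {
  semanage port -l -C; semodule -l | grep '^my-'; getsebool nis_enabled
}

sample_avc | summarize_avc
```

On the server, feed it real records with `ausearch -c 'saned' --raw | summarize_avc` and compare the summary with the rules in the generated `my-saned.te` before running `semodule -i`.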


-----Original Message-----
From: sane-devel [mailto:sane-devel-bounces+tnspearman=twc.com at alioth-lists.debian.net] On Behalf Of Terry Spearman
Sent: Tuesday, February 12, 2019 12:56 PM
To: 'Olaf Meeuwissen'
Cc: sane-devel at alioth-lists.debian.net
Subject: Re: [sane-devel] xinetd fails to start saned

[tnspearman at server ~]$ cut -d: -f1 /etc/passwd /etc/group | grep saned
saned
saned

Looks like I have both a saned user and saned group on my system.

Doing some searching, it seems errno = 13 has more to do with the
permissions of the user than the permissions of the file being executed, so
I rebooted the server and logged on as root, but got the same result.

I have previously had issues caused by SELinux, so I tried temporarily
disabling it:

[tnspearman at server ~]$ sudo setenforce 0

I then restarted xinetd:

[tnspearman at server ~]$ sudo systemctl restart xinetd

Then checked its status:

[tnspearman at server ~]$ sudo systemctl status  xinetd
● xinetd.service - Xinetd A Powerful Replacement For Inetd
   Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-02-12 12:46:03 EST; 8min ago
  Process: 7647 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 7648 (xinetd)
   CGroup: /system.slice/xinetd.service
           └─7648 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid

Feb 12 12:46:03 server xinetd[7648]: removing daytime
Feb 12 12:46:03 server xinetd[7648]: removing discard
Feb 12 12:46:03 server xinetd[7648]: removing discard
Feb 12 12:46:03 server xinetd[7648]: removing echo
Feb 12 12:46:03 server xinetd[7648]: removing echo
Feb 12 12:46:03 server xinetd[7648]: removing tcpmux
Feb 12 12:46:03 server xinetd[7648]: removing time
Feb 12 12:46:03 server xinetd[7648]: removing time
Feb 12 12:46:03 server xinetd[7648]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
Feb 12 12:46:03 server xinetd[7648]: Started working: 1 available service

So it appears to be an issue with SELinux.  I'd prefer not to permanently
disable it, so my problem now is to figure out how to get xinetd to start
saned with SELinux enabled.

-----Original Message-----
From: Olaf Meeuwissen [mailto:paddy-hack at member.fsf.org]
Sent: Tuesday, February 12, 2019 6:04 AM
To: Terry Spearman
Cc: sane-devel at alioth-lists.debian.net
Subject: Re: [sane-devel] xinetd fails to start saned

Hi Terry,

Terry Spearman writes:

> I can scan on the network if I run saned on the server  first.  After the
> scan, saned bails out, and I have to run saned on the server again if I want
> to do a second scan.  My understanding is that xinetd is supposed to load
> saned and keep it running in the background listening for scanner requests.
> Following the recommendations in
> http://www.sane-project.org/man/saned.8.html,
>
> I have added the following to /etc/xinetd.conf:
>
> # default = off
> # description: The sane server accepts requests
> # for network access to a local scanner via the network
>
> service sane-port
> {
>         port        = 6566
>         socket_type = stream
>         wait        = no
>         user        = saned
>         group       = saned
>         server      = /usr/sbin/saned
> }

You do have a saned user and group on your system, right?
Use

  cut -d: -f1 /etc/passwd /etc/group | grep saned

You should see saned *twice*.

> Checking the status of xinetd I see:
>
> $ systemctl status xinetd -l
> ● xinetd.service - Xinetd A Powerful Replacement For Inetd
>    Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
>    Active: active (running) since Mon 2019-02-11 13:31:04 EST; 1min 46s ago
>   Process: 6974 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
> Main PID: 6982 (xinetd)
>    CGroup: /system.slice/xinetd.service
>            └─6982 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid
> Feb 11 13:31:04 server xinetd[6982]: removing discard
> Feb 11 13:31:04 server xinetd[6982]: removing echo
> Feb 11 13:31:04 server xinetd[6982]: removing echo
> Feb 11 13:31:04 server xinetd[6982]: removing tcpmux
> Feb 11 13:31:04 server xinetd[6982]: removing time
> Feb 11 13:31:04 server xinetd[6982]: removing time
> Feb 11 13:31:04 server xinetd[6982]: bind failed (Permission denied (errno = 13)). service = sane-port

13?  That's bad luck ;-)

I think that would be EACCES (sic) which would indeed point to a
permissions issue.

> Feb 11 13:31:04 server xinetd[6982]: Service sane-port failed to start and is deactivated.
> Feb 11 13:31:04 server xinetd[6982]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
> Feb 11 13:31:04 server xinetd[6982]: Started working: 0 available services
>
> I changed the group of /usr/bin/saned  to saned and the permissions to 777:

Permission of 0755 should be good enough.  No point in allowing any
idiot on your system to modify saned ;-)

# FTR, I'm the biggest idiot on my own systems ;-)

> ls -l /usr/sbin/saned
> -rwxrwxrwx. 1 root saned 48552 Oct 30 12:46 /usr/sbin/saned

So, you do have a saned group.  What about a saned user?

> I still get the same message when I run systemctl status xinetd
>
> Any suggestions/help greatly appreciated

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join

