I think I may have solved it:

I ran:

    cat /var/log/messages | grep "SELinux is preventing"

to get a list of things that were being blocked by SELinux and suggested fixes.

Zeroing in on messages discussing preventing /usr/sbin/xinetd from name_bind access on the tcp_socket_port 6566, I ran:

    semanage port -a -t inet_child_port_t -p tcp 6566

Followed by:

    setsebool -P nis_enabled 1

(I'm not sure this was necessary)

At this stage when I restarted xinetd and then checked its status, I was no longer seeing an error message, but scanimage -L was detecting the scanner but not the network version.

I then ran:

    ausearch -c 'xinetd' --raw | audit2allow -M my-xinetd
    semodule -i my-xinetd.pp

At this stage, I was still not able to scan from Windows Fax and Scan on my Windows 10 desktop, and when I checked the status of xinetd, it said saned was exiting.

I ran:

    cat /var/log/messages | grep "SELinux is preventing"

again, and this time saw a message about how SELinux was preventing /usr/sbin/saned from create access on the netlink_kobject_uevent_socket labelled inetd_child_t

Following the suggestion I ran:

    ausearch -c 'saned' --raw | audit2allow -M my-saned
    semodule -i my-saned.pp

After this, network scanning from Windows via Windows Fax and Scan is working as intended.

My only worry at this point is related to the wording of the messages resulting from running

    cat /var/log/messages | grep "SELinux is preventing"

It says "you can generate a local policy to allow this access. Allow this access for now by executing"

    ausearch -c 'xinetd' --raw | audit2allow -M my-xinetd
    semodule -i my-xinetd.pp

I worry about the "for now". I have not yet determined whether these changes will survive a server reboot.

-----Original Message-----
From: sane-devel [mailto:[email protected]] On Behalf Of Terry Spearman
Sent: Tuesday, February 12, 2019 12:56 PM
To: 'Olaf Meeuwissen'
Cc: [email protected]
Subject: Re: [sane-devel] xinetd fails to start saned

[tnspearman@server ~]$ cut -d: -f1 /etc/passwd /etc/group | grep saned
saned
saned

Looks like I have both a saned user and saned group on my system.

Doing some searching, it seems errno = 13 has more to do with the permissions of the user than the permissions of the file being executed, so I rebooted the server and logged on as root, but got the same result.

I have previously had issues caused by SELinux, so I tried temporarily disabling it:

[tnspearman@server ~]$ sudo setenforce 0

I then restarted xinetd:

[tnspearman@server ~]$ sudo systemctl restart xinetd

Then checked its status:

[tnspearman@server ~]$ sudo systemctl status xinetd
● xinetd.service - Xinetd A Powerful Replacement For Inetd
   Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-02-12 12:46:03 EST; 8min ago
  Process: 7647 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 7648 (xinetd)
   CGroup: /system.slice/xinetd.service
           └─7648 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid

Feb 12 12:46:03 server xinetd[7648]: removing daytime
Feb 12 12:46:03 server xinetd[7648]: removing discard
Feb 12 12:46:03 server xinetd[7648]: removing discard
Feb 12 12:46:03 server xinetd[7648]: removing echo
Feb 12 12:46:03 server xinetd[7648]: removing echo
Feb 12 12:46:03 server xinetd[7648]: removing tcpmux
Feb 12 12:46:03 server xinetd[7648]: removing time
Feb 12 12:46:03 server xinetd[7648]: removing time
Feb 12 12:46:03 server xinetd[7648]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
Feb 12 12:46:03 server xinetd[7648]: Started working: 1 available service

So it appears to be an issue with SELinux. I'd prefer not to permanently disable it, so my problem now is to figure out how to get xinetd to start saned with SELinux enabled.

-----Original Message-----
From: Olaf Meeuwissen [mailto:[email protected]]
Sent: Tuesday, February 12, 2019 6:04 AM
To: Terry Spearman
Cc: [email protected]
Subject: Re: [sane-devel] xinetd fails to start saned

Hi Terry,

Terry Spearman writes:

> I can scan on the network if I run saned on the server first. After the
> scan, saned bails out, and I have to run saned on the server again if I want
> to do a second scan. My understanding is that xinetd is supposed to load
> saned and keep it running in the background listening for scanner requests.
> Following the recommendations in
> http://www.sane-project.org/man/saned.8.html,
>
> I have added the following to /etc/xinetd.conf:
>
> # default = off
> # description: The sane server accepts requests
> # for network access to a local scanner via the network
>
> service sane-port
> {
>     port = 6566
>     socket_type = stream
>     wait = no
>     user = saned
>     group = saned
>     server = /usr/sbin/saned
> }

You do have a saned user and group on your system, right? Use

    cut -d: -f1 /etc/passwd /etc/group | grep saned

You should see saned *twice*.

> Checking the status of xinetd I see:
>
> $ systemctl status xinetd -l
> ● xinetd.service - Xinetd A Powerful Replacement For Inetd
>    Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
>    Active: active (running) since Mon 2019-02-11 13:31:04 EST; 1min 46s ago
>   Process: 6974 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
>  Main PID: 6982 (xinetd)
>    CGroup: /system.slice/xinetd.service
>            └─6982 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid
> Feb 11 13:31:04 server xinetd[6982]: removing discard
> Feb 11 13:31:04 server xinetd[6982]: removing echo
> Feb 11 13:31:04 server xinetd[6982]: removing echo
> Feb 11 13:31:04 server xinetd[6982]: removing tcpmux
> Feb 11 13:31:04 server xinetd[6982]: removing time
> Feb 11 13:31:04 server xinetd[6982]: removing time
> Feb 11 13:31:04 server xinetd[6982]: bind failed (Permission denied (errno = 13)). service = sane-port

13? That's bad luck ;-)
I think that would be EACCES (sic) which would indeed point to a permissions issue.

> Feb 11 13:31:04 server xinetd[6982]: Service sane-port failed to start and is deactivated.
> Feb 11 13:31:04 server xinetd[6982]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
> Feb 11 13:31:04 server xinetd[6982]: Started working: 0 available services
>
> I changed the group of /usr/bin/saned to saned and the permissions to 777:

Permission of 0755 should be good enough. No point in allowing any idiot on your system to modify saned ;-)
# FTR, I'm the biggest idiot on my own systems ;-)

> ls -l /usr/sbin/saned
> -rwxrwxrwx. 1 root saned 48552 Oct 30 12:46 /usr/sbin/saned

So, you do have a saned group. What about a saned user?

> I still get the same message when I run systemctl status xinetd
>
> Any suggestions/help greatly appreciated

Hope this helps,
--
Olaf Meeuwissen, LPIC-2
FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join

--
sane-devel mailing list: [email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/sane-devel
Unsubscribe: Send mail with subject "unsubscribe your_password"
to [email protected]
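
Added example, not part of the original thread: a small shell function that condenses AVC denials like the ones discussed above (xinetd name_bind on port 6566, saned create on a netlink_kobject_uevent_socket) into one line per distinct rule, so what `audit2allow -M` would permit can be reviewed before `semodule -i` loads it. The audit records are constructed for illustration; the function name `summarize_avc`, the target port type and the hint labels are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Condenses SELinux AVC denials into one
# line per distinct rule so they can be reviewed before a module is loaded.

# Constructed audit records (timestamps, pids and the target port type are
# made up for illustration; they are not taken from the poster's logs).
SAMPLE_AVC='type=AVC msg=audit(1549909864.101:301): avc:  denied  { name_bind } for  pid=6982 comm="xinetd" src=6566 scontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1549909864.101:301): arch=c000003e syscall=49 success=no exit=-13 comm="xinetd" exe="/usr/sbin/xinetd"
type=AVC msg=audit(1549909990.204:312): avc:  denied  { name_bind } for  pid=7011 comm="xinetd" src=6566 scontext=system_u:system_r:inetd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1549994101.877:455): avc:  denied  { create } for  pid=7702 comm="saned" scontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tcontext=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 tclass=netlink_kobject_uevent_socket permissive=0'

# Reads raw audit records on stdin and prints:
#   count  command  source_type  target_type  class  permissions  hint
summarize_avc() {
    awk '
    /avc: +denied/ {
        # Permissions sit between the braces: { name_bind } or { read write }
        o = index($0, "{"); c = index($0, "}")
        perms = (o && c > o) ? substr($0, o + 1, c - o - 1) : "?"
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        comm = "?"; src = "?"; tgt = "?"; cls = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            # A context is user:role:type:level, so the type is field 3
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        # name_bind on a socket class is normally a port-labelling question
        # (semanage port) rather than something to grant in a custom module.
        hint = (perms ~ /name_bind/ && cls ~ /_socket$/) ? "label-port" : "review-rule"
        seen[comm " " src " " tgt " " cls " " perms " " hint]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k2
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

On a live system, feed it the same stream the thread pipes into audit2allow, for example `ausearch -c 'xinetd' --raw | summarize_avc`.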
