Bug 1119993
| Summary: | SELinux is preventing /usr/libexec/fprintd from 'execute' accesses on the file . | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | redmonk <abhisheksharma.er> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 20 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:b19e8e51d0bf822b2185fc6982ac19c79f8156ba88b553b3ce6c15a62cb946c0 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-07-16 07:01:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
You need to add either labeling for /opt/microchip/mplabcomm1.0/libusb-1.0.so.0.0.0 or just allow it using a local policy to make it working. # semanage fcontext -a -t lib_t "/opt/microchip/mplabcomm1.0/.*\.so(\.[^/]*)*" I added
commit 4f0dbf4acc6351b62bc439f9a9929f3bbc301805
Author: Miroslav Grepl <mgrepl>
Date: Wed Jul 16 08:57:15 2014 +0200
Allow fprintd to execute usr_t/bin_t
|
Description of problem: SELinux is preventing /usr/libexec/fprintd from 'execute' accesses on the file . ***** Plugin catchall_labels (83.8 confidence) suggests ******************* If you want to allow fprintd to have execute access on the file Then you need to change the label on $FIX_TARGET_PATH Do # semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH' where FILE_TYPE is one of the following: abrt_helper_exec_t, fprintd_exec_t, ld_so_t, lib_t, policykit_auth_exec_t, prelink_exec_t, textrel_shlib_t. Then execute: restorecon -v '$FIX_TARGET_PATH' ***** Plugin catchall (17.1 confidence) suggests ************************** If you believe that fprintd should be allowed execute access on the file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep fprintd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:fprintd_t:s0 Target Context unconfined_u:object_r:usr_t:s0 Target Objects [ file ] Source fprintd Source Path /usr/libexec/fprintd Port <Unknown> Host (removed) Source RPM Packages fprintd-0.5.1-1.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-176.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.15.4-200.fc20.x86_64 #1 SMP Mon Jul 7 14:24:41 UTC 2014 x86_64 x86_64 Alert Count 60 First Seen 2014-07-14 16:15:16 IST Last Seen 2014-07-16 09:53:13 IST Local ID 552c7b16-72c1-46c1-9d48-eca938081424 Raw Audit Messages type=AVC msg=audit(1405484593.970:694): avc: denied { execute } for pid=16479 comm="fprintd" path="/opt/microchip/mplabcomm1.0/libusb-1.0.so.0.0.0" dev="dm-1" ino=1459614 scontext=system_u:system_r:fprintd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file type=SYSCALL msg=audit(1405484593.970:694): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=20d2d0 a2=5 a3=802 items=0 ppid=1 pid=16479 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0 key=(null) Hash: fprintd,fprintd_t,usr_t,file,execute Additional info: reporter: libreport-2.2.2 hashmarkername: setroubleshoot kernel: 3.15.4-200.fc20.x86_64 type: libreport