Bug 1503980

Summary: SELinux is preventing fprintd from 'read' accesses on the directory 00000000.
Product: Fedora
Reporter: Michał <e.misiek>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: acc-bugz-redhat, dwalsh, jlayton, lsm5, lvrabec, mgrepl, mp.x, plautrba, pmoore
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:56a9ccccb19f74c4ef42ac871add4714fa8211fb1aa0fb1934d62e9ee635ecfc;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.13.1-283.14.fc27
Last Closed: 2017-10-31 15:34:49 UTC

Description Michał 2017-10-19 08:20:55 UTC
Description of problem:
I've just updated from f26. It shows at random times, sometimes after resuming from sleep, other times after a few minutes of using the computer.
SELinux is preventing fprintd from 'read' accesses on the directory 00000000.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that fprintd should be allowed read access on the 00000000 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'fprintd' --raw | audit2allow -M my-fprintd
# semodule -X 300 -i my-fprintd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:fprintd_var_lib_t:s0
Target Objects                00000000 [ dir ]
Source                        fprintd
Source Path                   fprintd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.10.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.6-300.fc27.x86_64 #1 SMP Thu
                              Oct 12 16:10:48 UTC 2017 x86_64 x86_64
Alert Count                   10
First Seen                    2017-10-18 12:58:02 CEST
Last Seen                     2017-10-19 02:18:26 CEST
Local ID                      0663575b-10d9-4b6c-a351-7f30e3dd39da

Raw Audit Messages
type=AVC msg=audit(1508372306.423:297): avc:  denied  { read } for  pid=4998 comm="fprintd" name="00000000" dev="dm-1" ino=3153734 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0


Hash: fprintd,init_t,fprintd_var_lib_t,dir,read

Version-Release number of selected component:
selinux-policy-3.13.1-283.10.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.6-300.fc27.x86_64
type:           libreport

Comment 1 Daniel Walsh 2017-10-21 11:08:06 UTC
For some reason you have fprintd running as the init system label?  What is the label of fprintd?  

ls -lZ PATHTO/fprintd

Is fprintd on a file system with nosuid set?

Comment 2 Michał 2017-10-22 11:33:27 UTC
ls -lZ /usr/libexec/fprintd

-rwxr-xr-x. 1 root root system_u:object_r:fprintd_exec_t:s0 49016 09-13 17:10 /usr/libexec/fprintd


/dev/mapper/fedora-root on / type ext4 (rw,noatime,nodiratime,seclabel,data=ordered)

Comment 3 Michał 2017-10-22 11:37:14 UTC
Somehow it doesn't show up anymore! Last time: 2017-10-19 13:49:51 CEST. Alert count: 11.

Comment 4 Lukas Vrabec 2017-10-22 13:26:18 UTC
The reason fprintd runs as init_t is the systemd security feature "NoNewPrivileges=true". I added fixes in Rawhide and Fedora 27; it should be fixed in the latest selinux-policy build.
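As an added example (not code from this report or from the selinux-policy project), the script below parses the AVC records quoted in this bug and flags the pattern discussed in comments 1 to 4: a daemon whose binary carries its own entrypoint type (fprintd_exec_t, from the `ls -lZ` output) but which is denied while running in init_t, meaning no domain transition to fprintd_t happened. The `foo_exec_t` to `foo_t` naming rule is the refpolicy convention and is assumed here.

```python
"""Triage the AVC denials quoted in this bug.

Added example, not code from the report or from selinux-policy. A denial with
scontext type init_t for a binary labelled *_exec_t means the process never
transitioned into its own domain; that is the symptom discussed above.
"""
import re

# Constructed input: the two AVC records quoted verbatim in comment 14.
AVC_LINES = [
    'type=AVC msg=audit(1509380286.133:508): avc:  denied  { read write } for  pid=20740 comm="fprintd" name="003" dev="devtmpfs" ino=12234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1509380278.689:505): avc:  denied  { read } for  pid=20740 comm="fprintd" name="00000000" dev="dm-1" ino=3153734 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0',
]
# Label of /usr/libexec/fprintd as shown by `ls -lZ` in comment 2.
EXEC_LABEL = "system_u:object_r:fprintd_exec_t:s0"

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')

def parse_avc(line):
    """Split one audit AVC record into key=value fields; perms as a sorted list."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    fields["perms"] = sorted(m.group(1).split()) if m else []
    return fields

def selinux_type(context):
    """user:role:type:level -> type"""
    return context.split(":")[2]

def expected_domain(exec_label):
    """Assumed refpolicy naming convention: foo_exec_t is the entrypoint of foo_t."""
    t = selinux_type(exec_label)
    return t[:-len("_exec_t")] + "_t" if t.endswith("_exec_t") else None

def triage(line, exec_label):
    """'no_transition' if the process sits in init_t although its binary has
    its own entrypoint type; otherwise an ordinary 'policy_gap' denial."""
    avc = parse_avc(line)
    actual, want = selinux_type(avc["scontext"]), expected_domain(exec_label)
    verdict = "no_transition" if actual == "init_t" and want else "policy_gap"
    return {"comm": avc["comm"], "domain": actual, "expected": want,
            "tclass": avc["tclass"], "perms": avc["perms"], "verdict": verdict}

if __name__ == "__main__":
    for rec in AVC_LINES:
        r = triage(rec, EXEC_LABEL)
        print(f'{r["comm"]} in {r["domain"]} (expected {r["expected"]}): '
              f'{r["tclass"]} {{ {" ".join(r["perms"])} }} -> {r["verdict"]}')
```

Both quoted records come out as `no_transition`, which is why adding allow rules with audit2allow (as the catchall plugin suggests) would only paper over the missing transition rather than fix it.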

Comment 5 Jeff Layton 2017-10-23 00:51:30 UTC
Description of problem:
Try to set up fingerprint access for a user under GNOME.

Version-Release number of selected component:
selinux-policy-3.13.1-283.10.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.8-300.fc27.x86_64
type:           libreport

Comment 6 Fedora Update System 2017-10-25 10:11:51 UTC
selinux-policy-3.13.1-283.13.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 7 Michał 2017-10-26 14:39:23 UTC
Description of problem:
I hopefully updated the selinux policies... But... Trying to set a fingerprint still gives an error.

Version-Release number of selected component:
selinux-policy-3.13.1-283.10.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.9-300.fc27.x86_64
type:           libreport

Comment 8 Lukas Vrabec 2017-10-26 14:40:33 UTC
It should be fixed in .13/fc27.noarch.

Comment 9 Michał 2017-10-26 14:44:46 UTC
Description of problem:
Please ignore previous comment...

I hopefully updated the selinux policies... But... Trying to set a fingerprint still gives an error.

Version-Release number of selected component:
selinux-policy-3.13.1-283.13.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.9-300.fc27.x86_64
type:           libreport

Comment 10 Michał 2017-10-26 14:47:00 UTC
Sorry, I was too late... I wasn't careful enough clicking reports...

Comment 11 Fedora Update System 2017-10-27 18:45:07 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 12 Michał 2017-10-28 10:44:55 UTC
Still happens after update to newer version.

selinux-policy-3.13.1-283.14.fc27.noarch

This is in Polish...
Policy RPM                    selinux-policy-3.13.1-283.14.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platforma                     Linux prime 4.13.9-300.fc27.x86_64 #1 SMP Mon Oct
                              23 13:41:58 UTC 2017 x86_64 x86_64
Alert Count                   19
First Seen                    2017-10-18 11:58:02 BST
Last Seen                     2017-10-28 11:37:00 BST
Local ID                      0663575b-10d9-4b6c-a351-7f30e3dd39da

Raw Audit Messages
type=AVC msg=audit(1509187020.924:475): avc:  denied  { read } for  pid=8854 comm="fprintd" name="00000000" dev="dm-1" ino=3153734 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0

Comment 13 Lukas Vrabec 2017-10-30 15:33:37 UTC
Michal, 

Could you restart fprintd using systemctl? 

Lukas.

Comment 14 Michał 2017-10-30 16:25:31 UTC
I rebooted. Tried to set fingerprint. Exactly same error.
So I did systemctl restart fprintd. Unfortunately, same error:

Kernel: 4.13.9-300.fc27.x86_64
Selinux policy targeted: selinux-policy-3.13.1-283.14.fc27.noarch

type=AVC msg=audit(1509380286.133:508): avc:  denied  { read write } for  pid=20740 comm="fprintd" name="003" dev="devtmpfs" ino=12234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0

type=AVC msg=audit(1509380278.689:505): avc:  denied  { read } for  pid=20740 comm="fprintd" name="00000000" dev="dm-1" ino=3153734 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0

How can I be more help to you? Do you need something else from me? I'm happy to help! 
Oh, my installation is f26 upgraded through dnf system-upgrade to f27.

Comment 15 Fedora Update System 2017-10-31 15:34:49 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Michał 2017-11-01 10:03:06 UTC
Description of problem:
The same outcome...

Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.9-300.fc27.x86_64
type:           libreport

Comment 17 Michał 2017-11-06 08:32:41 UTC
Description of problem:
Like always... Nothing changes.

Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.9-300.fc27.x86_64
type:           libreport

Comment 18 Lukas Vrabec 2017-11-07 08:05:25 UTC
This issue is caused by the "old" kernel in Fedora 27. Together with Paul Moore, we're trying to push patches to the Fedora 27 kernel.

Comment 19 ALI-S0 2018-01-28 17:37:37 UTC
Description of problem:
1- open my computer
2- connect my phone with computer via usb, but gnome crashed and took me to login screen
3- disconnect my phone
4- write password and login with wayland
5- after login this selinux alert show

Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.9-300.fc27.x86_64
type:           libreport

Comment 20 ALI-S0 2018-01-31 10:36:21 UTC
Description of problem:
I was just logged in and this SELinux message appeared.
kernel version: 4.14.14-300.fc27.x86_64
Policy RPM: selinux-policy-3.13.1-283.21.fc27.noarch

Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport

Comment 21 tuxor 2018-02-01 17:26:19 UTC
Description of problem:
Login (gdm) using the fingerprint reader

Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport