Bug 1688583
| Field | Value |
|---|---|
| Summary | SELinux is preventing fprintd from using the 'dac_override' capabilities. |
| Product | Fedora |
| Reporter | Angie <angelapuget> |
| Component | p11-kit |
| Assignee | Daiki Ueno <dueno> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 29 |
| CC | bnocera, crypto-team, dueno, dwalsh, elio.maldonado.batiz, kdudka, kengert, lvrabec, mpreisle, plautrba, stefw, tmraz, zpytela |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Unspecified |
| Whiteboard | abrt_hash:f9c129aece3c9de71896e55d587dd390bfc7bc97af1bc829ff0884c9135e6377;VARIANT_ID=workstation; |
| Fixed In Version | p11-kit-0.23.16.1-1.fc30 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-05-25 01:05:20 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
Description (Angie, 2019-03-14 03:16:54 UTC)
Comment 1

*** Bug 1688581 has been marked as a duplicate of this bug. ***

Comment 2 (Lukas Vrabec)

Hi All,

Most probably this is a bug in the fprintd service. Attaching 2 articles on how it could be solved:

https://lukas-vrabec.com/index.php/2018/07/03/why-do-you-see-dac_override-selinux-denials/
https://lukas-vrabec.com/index.php/2018/07/16/how-to-enable-full-auditing-in-audit-daemon/

Thanks,
Lukas.

Comment 3

(In reply to Lukas Vrabec from comment #2)
> Hi All,
>
> Most probably this is bug in fprintd service. Attaching 2 articles how it
> could be solved:
>
> https://lukas-vrabec.com/index.php/2018/07/03/why-do-you-see-dac_override-selinux-denials/
> https://lukas-vrabec.com/index.php/2018/07/16/how-to-enable-full-auditing-in-audit-daemon/

Those articles explain nothing. They don't explain why this process might be trying to get DAC_OVERRIDE capabilities, because I didn't add that requirement myself, and I have no idea how to reproduce the problem.

https://danwalsh.livejournal.com/79643.html is a better explanation.

How do I know which file it's trying to create? No idea :/

Comment 4 (Bastien Nocera)

I drilled this down, as I managed to reproduce some AVCs on my system.

This only seems to happen with the uru4000 libfprint driver, and only when started through systemd, which means with "ProtectHome=true". The uru4000 driver uses NSS for some device encryption, which uses PKCS11.

```
$ grep ENOENT strace-output.txt | grep -v /etc | grep -v /lib | grep -v nscd
access("/sys/subsystem", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/root/.config/pkcs11/pkcs11.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/root/.config/pkcs11/modules", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)
```

How would one disable those "/root/.config" accesses? Maybe the code shouldn't try to access "home directory" configurations when running as root? If not, let me know how to lock the search paths down and reassign to libfprint.

Comment 5 (Daiki Ueno)

(In reply to Bastien Nocera from comment #4)
> How would one disable those "/root/.config" accesses?

It's actually p11-kit (loaded through NSS) looking for the user configuration. Set the P11_KIT_NO_USER_CONFIG envvar to any value to disable that.

> Maybe the code
> shouldn't try to access "home directory" configurations when running as root?

Yes, that makes sense to me.

Comment 6

(In reply to Daiki Ueno from comment #5)
> (In reply to Bastien Nocera from comment #4)
>
> > How would one disable those "/root/.config" accesses?
>
> It's actually p11-kit (loaded through NSS) looking for the user
> configuration. Set P11_KIT_NO_USER_CONFIG envvar to any value to disable
> that.

Perfect, I've added a work-around in libfprint upstream:
https://gitlab.freedesktop.org/libfprint/libfprint/merge_requests/48

I won't be cherry-picking this into Fedora right now, as it's just a warning and doesn't actually cause any problems.

> > Maybe the code
> > shouldn't try to access "home directory" configurations when running as root?
>
> Yes, that makes sense to me.

Comment 7

p11-kit-0.23.16.1-1.fc30 has been submitted as an update to Fedora 30.
https://bodhi.fedoraproject.org/updates/FEDORA-2019-29385faaa3

Comment 8

p11-kit-0.23.16.1-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-29385faaa3

Comment 9

p11-kit-0.23.16.1-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
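An added example, not code from this bug report, p11-kit or libfprint: a small POSIX shell script that triages dac_override AVC denials in the audit log (comments 3 and 4) and prepares the P11_KIT_NO_USER_CONFIG workaround from comment 5 as a systemd drop-in, for an admin who wants the silence locally before the fixed p11-kit lands. It assumes the standard `type=AVC ... avc:  denied  { ... }` line layout; the sample audit lines and the drop-in file name are constructed for the example.

```shell
#!/bin/sh
# Triage dac_override denials and prepare the P11_KIT_NO_USER_CONFIG workaround.
# Sample audit lines are constructed for this example (not taken from the bug).
SAMPLE_AUDIT='type=AVC msg=audit(1552534614.123:456): avc:  denied  { dac_override } for  pid=1234 comm="fprintd" capability=1  scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1552534614.124:457): avc:  denied  { read } for  pid=999 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1552534614.125:458): avc:  denied  { dac_override } for  pid=1234 comm="fprintd" capability=1  scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=capability permissive=0'

# Read audit lines on stdin; print "comm source_domain count" for every
# process that was denied the dac_override capability.  Other AVC types
# (the sshd file denial above) are ignored, so the output is only the
# processes that tried to bypass DAC permission checks.
dac_override_denials() {
    grep 'avc:  denied  { dac_override }' |
    sed -n 's/.*comm="\([^"]*\)".*scontext=\([^ ]*\).*/\1 \2/p' |
    sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Write a systemd drop-in that sets P11_KIT_NO_USER_CONFIG for one unit, so
# p11-kit stops probing ~/.config/pkcs11 (the /root/.config opens in the
# strace above) when the service runs as root under ProtectHome=true.
# $1 = unit name (e.g. fprintd.service), $2 = root to write under ("" for
# the real system).  The drop-in file name is this example's own choice.
write_p11kit_dropin() {
    dir="$2/etc/systemd/system/$1.d"
    conf="$dir/p11-kit-no-user-config.conf"
    mkdir -p "$dir"
    printf '[Service]\nEnvironment=P11_KIT_NO_USER_CONFIG=1\n' > "$conf"
    printf '%s\n' "$conf"
}
```

On a live system feed `ausearch -m AVC -r` into `dac_override_denials`, and run `systemctl daemon-reload` after writing the drop-in.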