Bug 304321
| Summary: | thinkfinger integration requires changes | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ulrich Drepper <drepper> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | rawhide | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-09-25 12:47:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in selinux-policy-3.0.8-10 |
Description of problem: Wjen the thinkfinger package is used to support fingerprint readers several programs need additional permissions. So far I encountered pam_console_apply and gdm. Here are the AVCs: avc: denied { getattr } for comm=pam_console_app dev=tmpfs egid=500 euid=0 exe=/sbin/pam_console_apply exit=-13 fsgid=500 fsuid=0 gid=500 items=0 path=/dev/input/uinput pid=5439 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500 subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0 and avc: denied { write } for comm=gdm-binary dev=tmpfs name=uinput pid=2425 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=chr_file tcontext=system_u:object_r:device_t:s0 /dev/input/uinput is the device of the fingerprint reader, or at least the device to read the data from. Maybe this means /dev/input/uinput should get a new label. Allowing these programs to access all device_t objects seems to be to relaxed. Maybe create uintput_device_t. Version-Release number of selected component (if applicable): selinux-policy-3.0.8-8.fc8.noarch How reproducible: always Steps to Reproduce: 1.install F8t2 2.install thinkfinger on appropriate laptop 3.boot and login Actual results: above AVCs Expected results: No AVCs and working check-in via the fingerprint reader. Additional info: