Bug 501365

Summary: avc with fingerprint readers
Product: [Fedora] Fedora
Reporter: Jeremy Katz <katzj>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: bnocera, dwalsh, jkubin, mgrepl, stickster, wwoods
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2009-05-20 21:02:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 446452

Description Jeremy Katz 2009-05-18 18:33:44 UTC
Getting the following from setroubleshoot whenever the fingerprint reader pops up to authenticate:
   SELinux is preventing fprintd (fprintd_t) "sys_ptrace" fprintd_t

Given that fingerprint enrollment is one of the features we've advertised with F11, we really don't want it to be giving SELinux errors every time, thus putting it on the blocker list.

Comment 1 Daniel Walsh 2009-05-18 18:43:51 UTC
allow fprintd_t self:capability sys_ptrace;
You can add these rules for now using:

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-38.fc11.noarch

Comment 2 Paul W. Frields 2009-05-18 20:26:34 UTC
This is a dupe of bug 500872, but since it's on the blocker list I didn't want to close it as a dupe.

Comment 3 Jeremy Katz 2009-05-18 20:30:36 UTC
*** Bug 500872 has been marked as a duplicate of this bug. ***

Comment 4 Jeremy Katz 2009-05-18 20:35:58 UTC
Did the duping the other way. Also, -38 failed to build, so reopening.

Comment 5 Daniel Walsh 2009-05-19 01:17:40 UTC
fingerd policy is a permissive domain, so actually fingerd should not be blocked by SELinux at all. If you look at the AVC you will see a success=yes, which means the sys_ptrace was not actually blocked.

-38 is built now.
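The point made in Comment 5 is worth checking mechanically before a denial from audit.log is fed to audit2allow: an AVC from a permissive domain (or a box in permissive mode) is logged but not enforced, and the companion SYSCALL record for the same audit event carries success=yes (newer kernels also append permissive=1 to the AVC record itself). The script below is an added example and is not part of this bug report or of the selinux-policy package. It groups AVC and SYSCALL records by event serial, classifies each AVC as enforced or logged-only, and renders the audit2allow-style rule so the result can be compared with the one in Comment 1. The audit lines are constructed for the example, and the exampled_t/shadow_t event is hypothetical, included only to show the enforced case.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not taken from the bug report).
# Event 101: the fprintd AVC from a permissive domain; the syscall succeeded.
# Event 102: a hypothetical AVC from an enforcing domain; the syscall was blocked.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1242671614.101:101): avc:  denied  { sys_ptrace } for  pid=2345 comm="fprintd" capability=19  scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1242671614.101:101): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=929 a2=0 a3=0 items=0 ppid=1 pid=2345 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0 key=(null)
type=AVC msg=audit(1242671620.202:102): avc:  denied  { read } for  pid=2400 comm="exampled" name="shadow" dev=sda1 ino=12345 scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1242671620.202:102): arch=c000003e syscall=2 success=no exit=-13 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2400 comm="exampled" exe="/usr/sbin/exampled" subj=system_u:system_r:exampled_t:s0 key=(null)
"""

# msg=audit(<timestamp>:<serial>) ties the AVC and SYSCALL records of one event together.
EVENT_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)')
KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_audit_log(text):
    """Group AVC and SYSCALL records by audit event serial."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith('type='):
            continue
        rtype = line.split()[0][len('type='):]
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events[m.group('serial')]
        if rtype == 'AVC':
            a = AVC_RE.search(line)
            if not a:
                continue
            kv = dict(KV_RE.findall(line))
            ev['avc'] = {
                'verdict': a.group('verdict'),
                'perms': a.group('perms').split(),
                'source_type': a.group('scontext').split(':')[2],
                'target_type': a.group('tcontext').split(':')[2],
                'tclass': a.group('tclass'),
                'comm': kv.get('comm', '').strip('"'),
                'permissive': kv.get('permissive'),  # absent on older kernels
            }
        elif rtype == 'SYSCALL':
            kv = dict(KV_RE.findall(line))
            ev['success'] = kv.get('success')
    return events


def classify(ev):
    """Decide whether an AVC was actually enforced.

    'logged-only': permissive domain or permissive mode (permissive=1), and the
                   syscall still succeeded (success=yes); the fprintd case here.
    'enforced':    permissive=0 and/or the syscall failed (success=no).
    """
    avc = ev.get('avc')
    if avc is None:
        return 'no-avc'
    if avc['permissive'] == '1' or ev.get('success') == 'yes':
        return 'logged-only'
    if avc['permissive'] == '0' or ev.get('success') == 'no':
        return 'enforced'
    return 'unknown'


def triage(text):
    """Return (serial, source_type, perms, classification) for each AVC event."""
    out = []
    for serial, ev in sorted(parse_audit_log(text).items(), key=lambda kv: int(kv[0])):
        if 'avc' in ev:
            out.append((serial, ev['avc']['source_type'], ev['avc']['perms'], classify(ev)))
    return out


def allow_rule(avc):
    """Render the audit2allow-style allow rule for a parsed AVC."""
    target = 'self' if avc['source_type'] == avc['target_type'] else avc['target_type']
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ ' + ' '.join(avc['perms']) + ' }'
    return f"allow {avc['source_type']} {target}:{avc['tclass']} {perms};"


if __name__ == '__main__':
    for serial, src, perms, verdict in triage(SAMPLE_AUDIT_LOG):
        print(f"event {serial}: {src} {{ {' '.join(perms)} }} -> {verdict}")
```

Running it against the constructed log reports event 101 (fprintd_t sys_ptrace) as logged-only, which is why the bug was a setroubleshoot noise problem rather than a broken fingerprint login, and event 102 as enforced; the rendered rule for event 101 is the same `allow fprintd_t self:capability sys_ptrace;` that Comment 1 gives. Reading `permissive=` and `success=` together is the safer check, since a domain can be switched to permissive without the whole system being in permissive mode.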

Comment 6 Will Woods 2009-05-20 21:02:57 UTC
-39 has been tagged for F11 and should appear in tomorrow's Rawhide. I've tested and confirmed the fix.