Bug 730163

Summary: SELinux is preventing /usr/libexec/fprintd from 'getattr' accesses on the unix_stream_socket unix_stream_socket.
Product: Fedora
Reporter: Frantisek Hanzlik <franta>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: dominick.grift, dwalsh, mgrepl
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:8c981ded91232122dbbb18796b16fd718a4a2387eed46b35d450781e13e45e8c
Fixed In Version: selinux-policy-3.9.16-39.fc15
Doc Type: Bug Fix
Last Closed: 2011-10-06 00:02:08 UTC

Description Frantisek Hanzlik 2011-08-12 00:45:48 UTC
SELinux is preventing /usr/libexec/fprintd from 'getattr' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that fprintd should be allowed getattr access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep fprintd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:init_t:s0
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           fprintd-0.2.0-3.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40-4.fc15.i686.PAE #1
                              SMP Fri Jul 29 18:47:58 UTC 2011 i686 i686
Alert Count                   17
First Seen                    Mon 8 August 2011, 21:40:05 CEST
Last Seen                     Fri 12 August 2011, 02:41:21 CEST
Local ID                      e5104a07-61ac-4fb0-8732-1b9fdb6df821

Raw Audit Messages
type=AVC msg=audit(1313109681.843:163): avc:  denied  { getattr } for  pid=3621 comm="fprintd" path="socket:[17652]" dev=sockfs ino=17652 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket


type=SYSCALL msg=audit(1313109681.843:163): arch=i386 syscall=fstat64 success=yes exit=0 a0=1 a1=bffe1964 a2=4a877ff4 a3=4a878500 items=0 ppid=3620 pid=3621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)

Hash: fprintd,fprintd_t,init_t,unix_stream_socket,getattr

audit2allow

#============= fprintd_t ==============
allow fprintd_t init_t:unix_stream_socket getattr;

audit2allow -R

#============= fprintd_t ==============
allow fprintd_t init_t:unix_stream_socket getattr;

Comment 1 Daniel Walsh 2011-08-12 10:57:14 UTC
Any idea of what you were doing when this happened?

Comment 2 Frantisek Hanzlik 2011-08-12 12:02:37 UTC
This is triggered every time I log into the system (Xfce DE), or when some command is entered via sudo.

At roughly the same time, similar events are logged:

Aug 12 02:41:21 (null) (null): audit(1313109681.838:162): avc: denied { read write } for pid=3621 comm=fprintd path="socket:[17652]" ino=17652 dev=sockfs scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket 


Aug 12 02:41:51 (null) (null): audit(1313109711.959:173): avc: denied { write } for pid=3621 comm=fprintd path="socket:[17652]" ino=17652 dev=sockfs scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket 

The system is a desktop PC without a fingerprint sensor, so there is no need for fprintd and uninstalling that package would probably solve things. But on a system with a fingerprint reader that isn't an acceptable solution.
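The setroubleshoot suggestion above (grep the audit log, pipe it through audit2allow, load the module) is the generic catchall, and following it literally here would grant fprintd_t read/write on every init_t unix stream socket. The records themselves point at something narrower: the SYSCALL line shows fstat64 on a0=1, i.e. file descriptor 1 (stdout), which on this systemd-started service is a socket inherited from init; the read/write denials in comment 2 are on the same inode 17652. A confined daemon poking at a descriptor it inherited and does not need is the classic leaked-fd case, which policy maintainers normally silence with dontaudit rather than allow. The script below is an added example by the editor, not code from the bug or from the selinux-policy package. It parses both the raw auditd AVC form (comment 0) and the syslog-forwarded form (comment 2), groups permissions per (source type, target type, class) the way audit2allow does, and renders a .te module in which init_t unix_stream_socket denials become dontaudit rules (that decision rule and the module name `mypol` are the editor's assumptions, not audit2allow behaviour). The sample records are copied from this report.

```python
import re
from collections import defaultdict

# Matches both the raw auditd form ("type=AVC msg=audit(...): avc:  denied  { getattr } for ...")
# and the syslog-forwarded form quoted in the bug ("... avc: denied { read write } for ...").
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into its key=value fields plus a 'perms' list.
    Returns None for non-AVC records such as the SYSCALL line that accompanies it."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["perms"] = m.group("perms").split()
    return fields


def type_of(context):
    """system_u:system_r:fprintd_t:s0-s0:c0.c1023 -> fprintd_t (the type is the third field)."""
    return context.split(":")[2]


def aggregate(lines):
    """Union the denied permissions per (source type, target type, class), as audit2allow does."""
    grouped = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        grouped[(type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])].update(d["perms"])
    return dict(grouped)


def is_inherited_init_socket(src, tgt, tclass):
    """Editor's heuristic, not audit2allow's: a unix_stream_socket labelled init_t that a
    confined daemon fstat()s, reads or writes is a descriptor it inherited from the init
    process that spawned it. The daemon does not need that socket, so the noise is
    silenced with dontaudit instead of being granted with allow."""
    return tgt == "init_t" and tclass == "unix_stream_socket"


def render_rules(grouped):
    """Turn the aggregated denials into policy statements, one per (src, tgt, class)."""
    rules = []
    for (src, tgt, tclass), perms in sorted(grouped.items()):
        verb = "dontaudit" if is_inherited_init_socket(src, tgt, tclass) else "allow"
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"{verb} {src} {tgt}:{tclass} {perm_str};")
    return rules


def render_module(name, grouped):
    """Emit a complete .te module (the shape audit2allow -M writes) with its require block."""
    types = sorted({t for key in grouped for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in grouped.items():
        classes[tclass].update(perms)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + render_rules(grouped)
    return "\n".join(out) + "\n"


# Audit records copied from this bug report (comment 0 and comment 2); the SYSCALL
# record is included to show that non-AVC lines are skipped.
REPORT_LINES = [
    'type=AVC msg=audit(1313109681.843:163): avc:  denied  { getattr } for  pid=3621 comm="fprintd" '
    'path="socket:[17652]" dev=sockfs ino=17652 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1313109681.843:163): arch=i386 syscall=fstat64 success=yes exit=0 '
    'a0=1 ppid=3620 pid=3621 comm=fprintd exe=/usr/libexec/fprintd',
    'Aug 12 02:41:21 (null) (null): audit(1313109681.838:162): avc: denied { read write } for pid=3621 '
    'comm=fprintd path="socket:[17652]" ino=17652 dev=sockfs '
    'scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 '
    'tclass=unix_stream_socket ',
    'Aug 12 02:41:51 (null) (null): audit(1313109711.959:173): avc: denied { write } for pid=3621 '
    'comm=fprintd path="socket:[17652]" ino=17652 dev=sockfs '
    'scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 '
    'tclass=unix_stream_socket ',
]

if __name__ == "__main__":
    print(render_module("mypol", aggregate(REPORT_LINES)))
```

Run against the three denials from this report it produces a single `dontaudit fprintd_t init_t:unix_stream_socket { getattr read write };` statement instead of the `allow` that audit2allow prints, which is the direction the maintainers took (comment 3). The `is_inherited_init_socket` check is deliberately narrow; any other (source, target, class) combination still falls through to `allow`, so the output should be read, not loaded blindly with `semodule -i`.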

Comment 3 Daniel Walsh 2011-08-15 12:12:45 UTC
I dontaudited these in F16.

Comment 4 Miroslav Grepl 2011-08-22 07:23:36 UTC
Fixed in F15.

Comment 5 Fedora Update System 2011-09-08 08:11:41 UTC
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15

Comment 6 Fedora Update System 2011-09-09 05:27:56 UTC
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2011-10-06 00:02:08 UTC
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.