Bug 1075929 - selinux-policy prevents pcscd from accessing polkit
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-03-13 08:48 UTC by Nikos Mavrogiannopoulos
Modified: 2014-03-13 09:11 UTC

Last Closed: 2014-03-13 09:11:54 UTC
Type: Bug

Attachments
warnings from sealert (20.00 KB, application/x-tar)
2014-03-13 08:48 UTC, Nikos Mavrogiannopoulos

Description Nikos Mavrogiannopoulos 2014-03-13 08:48:29 UTC
Created attachment 873845: warnings from sealert

Description of problem:
The new pcsc-lite in rawhide uses polkit to decide on user access to smart cards. However, selinux-policy prevents that from happening, resulting in the rejection of any policy decision.

The daemon reports:
Mar 13 09:22:23 dhcp-2-127.brq.redhat.com pcscd[16052]: 03738058 auth.c:116:IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_call", sender=":1.3871" (uid=0 pid=16052 comm="/usr/sbin/pcscd --foreground --auto-exit ") interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" error name="(unset)" requested_reply="0" destination=":1.405" (uid=999 pid=5932 comm="/usr/lib/polkit-1/polkitd --no-debug ")


How reproducible:
Steps to Reproduce:
1. Install pcsc-lite from rawhide
2. Insert a smart card and try running opensc-tool --list

Actual results:
No smart cards found.


Expected results:
Smart cards should be listed.

Additional info:
Attached is the output of the sealert tool.
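
Added example (not part of the original report, nor code from pcsc-lite or selinux-policy): a small Python parser for the dbus-daemon SELinux denial quoted in the description, extracting which process was blocked from calling which method on which peer. The function names are illustrative; the sample line is the one from the report.

```python
import re

# Denial line as quoted in the bug description.
SAMPLE = (
    'Mar 13 09:22:23 dhcp-2-127.brq.redhat.com pcscd[16052]: 03738058 auth.c:116:'
    'IsClientAuthorized() Error in authorization: GDBus.Error:org.freedesktop.DBus.'
    'Error.AccessDenied: An SELinux policy prevents this sender from sending this '
    'message to this recipient, 0 matched rules; type="method_call", sender=":1.3871" '
    '(uid=0 pid=16052 comm="/usr/sbin/pcscd --foreground --auto-exit ") '
    'interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" '
    'error name="(unset)" requested_reply="0" destination=":1.405" '
    '(uid=999 pid=5932 comm="/usr/lib/polkit-1/polkitd --no-debug ")'
)

MARKER = "An SELinux policy prevents this sender"
KV = re.compile(r'(\w+)="([^"]*)"')
# sender/destination are followed by a parenthetical describing the process.
PEER = re.compile(
    r'(sender|destination)="([^"]*)" \(uid=(\d+) pid=(\d+) comm="([^"]*)"\)')

def parse_dbus_denial(line):
    """Return a dict describing a D-Bus SELinux denial, or None if not one."""
    if MARKER not in line:
        return None
    tail = line.split(MARKER, 1)[1]
    peers = {
        role: {"bus_name": name, "uid": int(uid), "pid": int(pid),
               "comm": comm.strip()}
        for role, name, uid, pid, comm in PEER.findall(tail)
    }
    # Drop the peer blocks first so their comm="..." does not shadow other keys.
    fields = dict(KV.findall(PEER.sub("", tail)))
    rules = re.search(r"(\d+) matched rules", tail)
    return {"type": fields.get("type"), "interface": fields.get("interface"),
            "member": fields.get("member"),
            "matched_rules": int(rules.group(1)) if rules else None,
            "sender": peers.get("sender"), "destination": peers.get("destination")}

def summarize(d):
    """One-line triage summary: blocked caller -> callee: interface.member."""
    s, r = d["sender"], d["destination"]
    return (f'{s["comm"].split()[0]} (pid {s["pid"]}) -> '
            f'{r["comm"].split()[0]} (pid {r["pid"]}): '
            f'{d["interface"]}.{d["member"]}')

if __name__ == "__main__":
    print(summarize(parse_dbus_denial(SAMPLE)))
```

The message carries PIDs but no SELinux contexts, so the two domains involved still have to be read from the running processes (for example with `ps -Z -p <pid>`) or from the audit log.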

Comment 1 Miroslav Grepl 2014-03-13 09:11:54 UTC
Should be fixed in the latest release.

#============= pcscd_t ==============

#!!!! This avc is allowed in the current policy
allow pcscd_t unconfined_t:dir search;

