1089484 – SELinux is preventing /usr/libexec/fprintd from 'read' accesses on the directory .

Bug 1089484 - SELinux is preventing /usr/libexec/fprintd from 'read' accesses on the directory .

Summary: SELinux is preventing /usr/libexec/fprintd from 'read' accesses on the direct...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	20
Hardware:	i686
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:9d936ca491ebb0c6725acb09b9c...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-04-19 15:25 UTC by Seb L.
Modified:	2014-05-01 22:29 UTC (History)
CC List:	4 users (show)
Fixed In Version:	selinux-policy-3.12.1-158.fc20
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-05-01 22:29:22 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Seb L. 2014-04-19 15:25:53 UTC

Description of problem:
SELinux is preventing /usr/libexec/fprintd from 'read' accesses on the directory .

*****  Plugin catchall (100. confidence) suggests   **************************

If vous pensez que fprintd devrait être autorisé à accéder read sur  directory par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# grep fprintd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                 [ dir ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           fprintd-0.5.1-1.fc20.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-149.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.13.10-200.fc20.i686+PAE #1 SMP
                              Mon Apr 14 20:47:16 UTC 2014 i686 i686
Alert Count                   5
First Seen                    2014-04-19 17:18:32 CEST
Last Seen                     2014-04-19 17:19:51 CEST
Local ID                      12171a26-de05-4bc3-afc1-7692dba40a0d

Raw Audit Messages
type=AVC msg=audit(1397920791.868:382): avc:  denied  { read } for  pid=1669 comm="fprintd" name="tmp" dev="dm-1" ino=786534 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir


type=SYSCALL msg=audit(1397920791.868:382): arch=i386 syscall=open success=no exit=EACCES a0=449d53e9 a1=0 a2=1b6 a3=899bc30 items=0 ppid=1 pid=1669 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0 key=(null)

Hash: fprintd,fprintd_t,tmp_t,dir,read

Additional info:
reporter:       libreport-2.2.1
hashmarkername: setroubleshoot
kernel:         3.13.10-200.fc20.i686+PAE
type:           libreport

Potential duplicate: bug 665749

Comment 1 Lukas Vrabec 2014-04-22 08:17:00 UTC

Hi,
I added dontaudit rule like in bug #665749.

commit 953c4d67d2b25d624b82d15f26952b46699f14ea
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 22 10:08:40 2014 +0200

    Added fprintd dontaudit tmp dirs rule

Comment 2 Fedora Update System 2014-04-25 12:43:49 UTC

selinux-policy-3.12.1-158.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-158.fc20

Comment 3 Fedora Update System 2014-04-26 09:24:25 UTC

Package selinux-policy-3.12.1-158.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-158.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-5660/selinux-policy-3.12.1-158.fc20
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2014-05-01 22:29:22 UTC

selinux-policy-3.12.1-158.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.