Bug 1491808 - SELinux is preventing fprintd from 'map' accesses on the file /usr/libexec/fprintd.
Summary: SELinux is preventing fprintd from 'map' accesses on the file /usr/libexec/fp...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:8b57c5d1bd0a7a7d4437751683a...
: 1492359 (view as bug list)
Depends On:
Blocks: F27BetaFreezeException F27FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2017-09-14 18:07 UTC by Joachim Frieben
Modified: 2017-09-20 15:26 UTC (History)
13 users (show)

Fixed In Version: selinux-policy-3.13.1-283.3.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-20 15:26:39 UTC
Type: ---


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1492359 None None None Never

Internal Links: 1492359

Description Joachim Frieben 2017-09-14 18:07:24 UTC
Description of problem:
SELinux is preventing fprintd from 'map' accesses on the file /usr/libexec/fprintd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that fprintd should be allowed map access on the fprintd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fprintd' --raw | audit2allow -M my-fprintd
# semodule -X 300 -i my-fprintd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:fprintd_exec_t:s0
Target Objects                /usr/libexec/fprintd [ file ]
Source                        fprintd
Source Path                   fprintd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           fprintd-0.8.0-1.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.1-302.fc27.x86_64 #1 SMP Tue
                              Sep 12 09:10:01 UTC 2017 x86_64 x86_64
Alert Count                   21
First Seen                    2017-09-14 15:19:24 CEST
Last Seen                     2017-09-14 20:03:24 CEST
Local ID                      9fb4687d-b23b-4cf5-b838-5416f166948d

Raw Audit Messages
type=AVC msg=audit(1505412204.468:441): avc:  denied  { map } for  pid=8278 comm="fprintd" path="/usr/libexec/fprintd" dev="dm-1" ino=23883 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_exec_t:s0 tclass=file permissive=0


Hash: fprintd,init_t,fprintd_exec_t,file,map

Version-Release number of selected component:
selinux-policy-3.13.1-283.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.1-302.fc27.x86_64
type:           libreport

Comment 1 Kamil Páral 2017-09-15 14:11:17 UTC
Description of problem:
Updated, rebooted, and logged in.

Version-Release number of selected component:
selinux-policy-3.13.1-283.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.1-303.fc27.x86_64
type:           libreport

Comment 2 Kamil Páral 2017-09-15 14:14:34 UTC
Seems to violate:
"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. "
https://fedoraproject.org/wiki/Fedora_27_Final_Release_Criteria#SELinux_and_crash_notifications

This is a default system (VM).

Comment 3 b.gatessucks 2017-09-15 17:50:32 UTC
Description of problem:
1. open terminal (Konsole)
2. type "su -"

Version-Release number of selected component:
selinux-policy-3.13.1-283.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.1-302.fc27.x86_64
type:           libreport

Comment 4 Pablo Estigarribia 2017-09-16 00:36:58 UTC
Got same issue, I have normal desktop without fingerprint device, so don't know why it is trying to use it. 

also su, sudo something or shell login is taking around 18s to promt for a password, don't know why yet but probably some pam module related to fingerprint could be delaying it... 

set 15 21:35:28 192.168.1.3 dbus-daemon[922]: [system] Failed to activate service 'net.reactivated.Fprint': timed out (service_start_timeout=25000ms)

Comment 5 Pablo Estigarribia 2017-09-16 00:39:25 UTC
the 18s delay to prompt password was definetively fprintd-pam module, I have removed all fprintd: dnf remove fprintd

===================================================================================================================================================================================================================
 Paquete                                           Arquitectura                                 Versión                                               Repositorio                                            Tamaño
===================================================================================================================================================================================================================
Eliminando:
 fprintd                                           x86_64                                       0.8.0-1.fc27                                          @updates-testing                                       403 k
Removing depended packages:
 fprintd-pam                                       x86_64                                       0.8.0-1.fc27                                          @updates-testing                                        25 k
Eliminando dependencias sin uso:
 libfprint                                         x86_64                                       0.7.0-3.fc27                                          @fedora                                                491 k


And now password promt is very fast!

Comment 6 Fedora Update System 2017-09-18 13:37:17 UTC
selinux-policy-3.13.1-283.3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

Comment 7 Lukas Vrabec 2017-09-18 13:55:26 UTC
*** Bug 1492359 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2017-09-18 22:23:27 UTC
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

Comment 9 Kamil Páral 2017-09-19 09:20:07 UTC
The login prompt delay (gdm, sudo, su) seems to be gone with the update. Proposing as BetaFreezeException, the login delays are very very annoying.

Comment 10 Stephen Gallagher 2017-09-19 13:16:46 UTC
+1 FE

Comment 11 Petr Schindler 2017-09-19 13:20:08 UTC
I'm also +1 FE. Moving to accepted FE

Comment 12 Fedora Update System 2017-09-20 15:26:39 UTC
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.