Bug 1503980 - SELinux is preventing fprintd from 'read' accesses on the katalog 00000000.
Summary: SELinux is preventing fprintd from 'read' accesses on the katalog 00000000.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:56a9ccccb19f74c4ef42ac871ad...
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-10-19 08:20 UTC by Michał
Modified: 2018-02-01 17:26 UTC (History)
9 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2017-10-31 15:34:49 UTC


Attachments (Terms of Use)

Description Michał 2017-10-19 08:20:55 UTC
Description of problem:
I've just updated from f26. It shows at random times, sometimes after resuming from sleep, other time after few minutes of using computer.
SELinux is preventing fprintd from 'read' accesses on the katalog 00000000.

*****  Plugin catchall (100. confidence) suggests   **************************

If aby fprintd powinno mieć domyślnie read dostęp do 00000000 directory.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Do
allow this access for now by executing:
# ausearch -c 'fprintd' --raw | audit2allow -M my-fprintd
# semodule -X 300 -i my-fprintd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:fprintd_var_lib_t:s0
Target Objects                00000000 [ dir ]
Source                        fprintd
Source Path                   fprintd
Port                          <Nieznane>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.10.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.6-300.fc27.x86_64 #1 SMP Thu
                              Oct 12 16:10:48 UTC 2017 x86_64 x86_64
Alert Count                   10
First Seen                    2017-10-18 12:58:02 CEST
Last Seen                     2017-10-19 02:18:26 CEST
Local ID                      0663575b-10d9-4b6c-a351-7f30e3dd39da

Raw Audit Messages
type=AVC msg=audit(1508372306.423:297): avc:  denied  { read } for  pid=4998 comm="fprintd" name="00000000" dev="dm-1" ino=3153734 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0


Hash: fprintd,init_t,fprintd_var_lib_t,dir,read

Version-Release number of selected component:
selinux-policy-3.13.1-283.10.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.6-300.fc27.x86_64
type:           libreport

Comment 1 Daniel Walsh 2017-10-21 11:08:06 UTC
For some reason you have fprintd running as the init system label?  What is the label of fprintd?  

ls -lZ PATHTO/fprintd

Is fprintd on a file system with nosuid set?

Comment 2 Michał 2017-10-22 11:33:27 UTC
ls -lZ /usr/libexec/fprintd

-rwxr-xr-x. 1 root root system_u:object_r:fprintd_exec_t:s0 49016 09-13 17:10 /usr/libexec/fprintd


/dev/mapper/fedora-root on / type ext4 (rw,noatime,nodiratime,seclabel,data=ordered)

Comment 3 Michał 2017-10-22 11:37:14 UTC
Somehow it doesn't shows up anymore! Last time: 2017-10-19 13:49:51 CEST. Alert count: 11.

Comment 4 Lukas Vrabec 2017-10-22 13:26:18 UTC
Reason why fprintd runs as init_t is because of systemd security feature "NoNewPrivileges=true", I added fixes in the Rawhide and Fedora 27, it should be fixed in the latest selinux-policy build.

Comment 5 Jeff Layton 2017-10-23 00:51:30 UTC
Description of problem:
Try to set up fingerprint access for a user under GNOME.

Version-Release number of selected component:
selinux-policy-3.13.1-283.10.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.8-300.fc27.x86_64
type:           libreport

Comment 6 Fedora Update System 2017-10-25 10:11:51 UTC
selinux-policy-3.13.1-283.13.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 7 Michał 2017-10-26 14:39:23 UTC
Description of problem:
I hopefully updated selinux policies... But... Trying to set fingerprint still gives error.

Version-Release number of selected component:
selinux-policy-3.13.1-283.10.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.9-300.fc27.x86_64
type:           libreport

Comment 8 Lukas Vrabec 2017-10-26 14:40:33 UTC
it should be fixed in .13/fc27.noarch.

Comment 9 Michał 2017-10-26 14:44:46 UTC
Description of problem:
Please ignore previous comment...

I hopefully updated selinux policies... But... Trying to set fingerprint still gives error.

Version-Release number of selected component:
selinux-policy-3.13.1-283.13.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.9-300.fc27.x86_64
type:           libreport

Comment 10 Michał 2017-10-26 14:47:00 UTC
Sorry, i was too late... I wasn't carefull enough clicking reports...

Comment 11 Fedora Update System 2017-10-27 18:45:07 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-b5e9ce60d2

Comment 12 Michał 2017-10-28 10:44:55 UTC
Still happens after update to newer version.

selinux-policy-3.13.1-283.14.fc27.noarch


type=AVC msg=audit(1509187020.924:475): avc:  denied  { read } for  pid=8854 comm="fprintd" name="00000000" dev="dm-1" ino=3153734 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0



This is in polish...
Pakiet RPM polityki           selinux-policy-3.13.1-283.14.fc27.noarch
SELinux jest włączony         True
Typ polityki                  targeted
Tryb wymuszania               Enforcing
Nazwa komputera               (removed)
Platforma                     Linux prime 4.13.9-300.fc27.x86_64 #1 SMP Mon Oct
                              23 13:41:58 UTC 2017 x86_64 x86_64
Liczba alarmów                19
Po raz pierwszy               2017-10-18 11:58:02 BST
Po raz ostatni                2017-10-28 11:37:00 BST
Lokalny identyfikator         0663575b-10d9-4b6c-a351-7f30e3dd39da

Surowe komunikaty audytu
type=AVC msg=audit(1509187020.924:475): avc:  denied  { read } for  pid=8854 comm="fprintd" name="00000000" dev="dm-1" ino=3153734 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0

Comment 13 Lukas Vrabec 2017-10-30 15:33:37 UTC
Michal, 

Could you restart fprintd using systemctl? 

Lukas.

Comment 14 Michał 2017-10-30 16:25:31 UTC
I rebooted. Tried to set fingerprint. Exactly same error.
So i did systemctl restart fprintd. Unfortunately same error:

Kernel: 4.13.9-300.fc27.x86_64
Selinux policy targeted: selinux-policy-3.13.1-283.14.fc27.noarch

type=AVC msg=audit(1509380286.133:508): avc:  denied  { read write } for  pid=20740 comm="fprintd" name="003" dev="devtmpfs" ino=12234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=0

type=AVC msg=audit(1509380278.689:505): avc:  denied  { read } for  pid=20740 comm="fprintd" name="00000000" dev="dm-1" ino=3153734 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0

How can I be more help to you? Do you need something else from me? I'm happy to help! 
Oh, my installation is f26 upgraded through dnf system-upgrade to f27.

Comment 15 Fedora Update System 2017-10-31 15:34:49 UTC
selinux-policy-3.13.1-283.14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Michał 2017-11-01 10:03:06 UTC
Description of problem:
The same outcome...

Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.9-300.fc27.x86_64
type:           libreport

Comment 17 Michał 2017-11-06 08:32:41 UTC
Description of problem:
Like always... Nothing changes.

Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.9-300.fc27.x86_64
type:           libreport

Comment 18 Lukas Vrabec 2017-11-07 08:05:25 UTC
This issue is caused by "old" kernel in Fedora 27. Together with Paul Moore we're trying to push patches to Fedora 27 kernel.

Comment 19 ALI-S0 2018-01-28 17:37:37 UTC
Description of problem:
1- open my computer
2- connect my phone with computer via usb, but gnome crashed and took me to login screen
3- disconnect my phone
4- write password and login with wayland
5- after login this selinux alert show

Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.9-300.fc27.x86_64
type:           libreport

Comment 20 ALI-S0 2018-01-31 10:36:21 UTC
Description of problem:
I was just logged in and this SELinux message was appeared
kernal version: 4.14.14-300.fc27.x86_64
Policy RPM: selinux-policy-3.13.1-283.21.fc27.noarch

Version-Release number of selected component:
selinux-policy-3.13.1-283.21.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport

Comment 21 tuxor 2018-02-01 17:26:19 UTC
Description of problem:
Login (gdm) using the fingerprint reader

Version-Release number of selected component:
selinux-policy-3.13.1-283.14.fc27.noarch

Additional info:
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.14.14-300.fc27.x86_64
type:           libreport


Note You need to log in before you can comment on or make changes to this bug.