Description of problem: After 'dnf update' & reboot, trying to login to Gnome produced this SELinux alert. SELinux is preventing fprintd from using the 'sys_admin' capabilities. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that fprintd should have the sys_admin capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'fprintd' --raw | audit2allow -M my-fprintd # semodule -X 300 -i my-fprintd.pp Additional Information: Source Context system_u:system_r:fprintd_t:s0 Target Context system_u:system_r:fprintd_t:s0 Target Objects Unknown [ capability ] Source fprintd Source Path fprintd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-283.24.fc27.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.15.4-300.fc27.x86_64 #1 SMP Mon Feb 19 23:31:15 UTC 2018 x86_64 x86_64 Alert Count 1 First Seen 2018-02-26 17:08:22 PST Last Seen 2018-02-26 17:08:22 PST Local ID ce5d2bdd-15cd-491f-adfd-c51ba2d8e975 Raw Audit Messages type=AVC msg=audit(1519693702.189:344): avc: denied { sys_admin } for pid=10017 comm="fprintd" capability=21 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=capability permissive=0 Hash: fprintd,fprintd_t,fprintd_t,capability,sys_admin Version-Release number of selected component: selinux-policy-3.13.1-283.24.fc27.noarch Additional info: component: selinux-policy reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.4-300.fc27.x86_64 type: libreport
Description of problem: After logging in to Gnome, the SELinux alert repeated. Version-Release number of selected component: selinux-policy-3.13.1-283.24.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.4-300.fc27.x86_64 type: libreport
Any idea why fingerprint daemon needs sys_admin capability? Could I dontaudit this access? Thanks, Lukas.
(In reply to Lukas Vrabec from comment #2) > Any idea why fingerprint daemon needs sys_admin capability? Could I > dontaudit this access? It doesn't need this capability. getcap on fprintd or the libfprint library doesn't show any such capabilities requests. In fact, it drops loads of privileges it might have when launched via systemd: https://cgit.freedesktop.org/libfprint/fprintd/tree/data/fprintd.service.in Running fprintd manually in gdb under a root shell didn't show it calling out to capset(), nor did it print any SELinux warnings as above. I've been testing this on F27. Is there a way to make the application assert() when it gets denied this capability?
Description of problem: In Gnome3, lock the screen, unlock, an SELinux alert pops up. Version-Release number of selected component: selinux-policy-3.13.1-283.29.fc27.noarch Additional info: reporter: libreport-2.9.3 hashmarkername: setroubleshoot kernel: 4.15.13-300.fc27.x86_64 type: libreport
This also happens every time I issue a sudo command in Gnome Terminal and sudo needs to ask for a password. Successive sudo commands won't cause this AVC denial, only when sudo asks for a password: $ sudo -k $ sudo true && sleep 1 && sudo grep fprintd /var/log/audit/audit.log | grep denied | tail -1; date +%s [sudo] password for root: type=AVC msg=audit(1524961344.944:55451): avc: denied { sys_admin } for pid=27587 comm="fprintd" capability=21 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=capability permissive=0 1524961348 $ ls -lZ /usr/libexec/fprintd -rwxr-xr-x. 1 root root system_u:object_r:fprintd_exec_t:s0 49016 Sep 13 2017 /usr/libexec/fprintd $ rpm -qa | egrep 'fprint|selinux-pol' | sort fprintd-0.8.0-1.fc27.x86_64 fprintd-pam-0.8.0-1.fc27.x86_64 libfprint-0.7.0-3.fc27.x86_64 selinux-policy-3.13.1-283.32.fc27.noarch selinux-policy-targeted-3.13.1-283.32.fc27.noarch Since I don't have a fingerprint scanner installed anyway, uninstalling "fprintd" makes the warning go away. One could also unconfigure pam_fprintd.so in /etc/pam.d/{fingerprint,system}-auth{,-ac}, I guess.
Reassigning this to selinux-policy. It might be a problem in the kernel, but in the absence of any type of debugging tool to assert where/when this capability is supposedly requested, I can't do anything more.
Did you figure out why getcap was used?
selinux-policy-3.14.1-32.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-743a9247de
selinux-policy-3.14.1-32.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.