Description of problem: I think I restarted the (virtual) machine with an Aladding eToken USB dongle inserted. Actually, I'm not really sure whether this is a bug. I use an Aladdin eToken with their proprietary drivers. SELinux is preventing gsd-smartcard from 'write' accesses on the sock_file SACSrv. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gsd-smartcard should be allowed write access on the SACSrv sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gsd-smartcard' --raw | audit2allow -M my-gsdsmartcard # semodule -X 300 -i my-gsdsmartcard.pp Additional Information: Source Context system_u:system_r:xdm_t:s0-s0:c0.c1023 Target Context system_u:object_r:initrc_tmp_t:s0 Target Objects SACSrv [ sock_file ] Source gsd-smartcard Source Path gsd-smartcard Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.2-42.fc29.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.19.2-301.fc29.x86_64 #1 SMP Sat Nov 17 17:58:01 UTC 2018 x86_64 x86_64 Alert Count 38 First Seen 2018-11-22 13:05:50 CET Last Seen 2018-11-22 13:06:09 CET Local ID 49caba8e-adbe-4c66-b909-46896240565e Raw Audit Messages type=AVC msg=audit(1542888369.249:296): avc: denied { write } for pid=1506 comm="pool" name="SACSrv" dev="tmpfs" ino=25716 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=sock_file permissive=0 Hash: gsd-smartcard,xdm_t,initrc_tmp_t,sock_file,write Version-Release number of selected component: selinux-policy-3.14.2-42.fc29.noarch Additional info: component: selinux-policy reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.19.2-301.fc29.x86_64 type: libreport
Description of problem: This happens when I start a Fedora 29 (VM) with a Aladding USB eToken inserted. I'm running the proprietary SafenetAuthenticationClient software provided by Comodo. Version-Release number of selected component: selinux-policy-3.14.2-42.fc29.noarch Additional info: reporter: libreport-2.9.6 hashmarkername: setroubleshoot kernel: 4.19.4-300.fc29.x86_64 type: libreport
Hi, I'm not sure whats going on here, but if you're using 3rd party software, could you please fix this by creating custom SELinux moudule? Tutorial how to it, is in your report: ***** Plugin catchall (100. confidence) suggests ************************** If you believe that gsd-smartcard should be allowed write access on the SACSrv sock_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'gsd-smartcard' --raw | audit2allow -M my-gsdsmartcard # semodule -X 300 -i my-gsdsmartcard.pp Thanks, Lukas.