Description of problem:
SELinux is preventing fprintd from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do
Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that fprintd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fprintd' --raw | audit2allow -M my-fprintd
# semodule -X 300 -i my-fprintd.pp

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0
Target Context                system_u:system_r:fprintd_t:s0
Target Objects                Unknown [ capability ]
Source                        fprintd
Source Path                   fprintd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-49.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.20.13-200.fc29.x86_64 #1 SMP Wed Feb 27 19:42:55 UTC 2019 x86_64 x86_64
Alert Count                   18
First Seen                    2019-03-02 18:38:59 PST
Last Seen                     2019-03-13 20:09:51 PDT
Local ID                      f04c099e-9ff2-43d7-93cf-224443c03275

Raw Audit Messages
type=AVC msg=audit(1552532991.268:673): avc:  denied  { dac_override } for  pid=26195 comm="fprintd" capability=1  scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=capability permissive=0

Hash: fprintd,fprintd_t,fprintd_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.14.2-49.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         4.20.13-200.fc29.x86_64
type:           libreport
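The dac_override plugin above asks the reporter to turn on full auditing, reproduce, and then check the PATH record's ownership and mode against the process identity in the SYSCALL record of the same audit event. The script below is an added example of that check and is not part of the report, setroubleshoot or the selinux-policy package. It groups raw `ausearch --raw`-style records by event serial, and for every event carrying a dac_override AVC it decides whether a PATH record explains the denial (file owned by someone else and the applicable DAC class denies) or whether full auditing still has to be enabled. The AVC line is modelled on the one in this report; the SYSCALL and PATH records, the path /srv/example/private.conf and its ownership are constructed sample data, since no PATH record appears in the report itself.

```python
"""Correlate dac_override AVC denials with the SYSCALL/PATH records of the
same audit event, the check the setroubleshoot dac_override plugin asks for."""
import re
from collections import defaultdict

# Constructed sample input (ausearch --raw style). Event 673 has full auditing
# enabled and carries a PATH record; event 674 has only the bare AVC.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1552532991.268:673): avc:  denied  { dac_override } for  pid=26195 comm="fprintd" capability=1  scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1552532991.268:673): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1 pid=26195 uid=0 gid=0 euid=0 egid=0 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0
type=PATH msg=audit(1552532991.268:673): item=0 name="/srv/example/private.conf" inode=4242 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=AVC msg=audit(1552532999.100:674): avc:  denied  { dac_override } for  pid=26195 comm="fprintd" capability=1  scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=capability permissive=0
"""

HDR_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="quoted value"
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')  # the { perm ... } set of an AVC


def parse_records(raw):
    """Group raw audit records by event serial: {serial: [record dict, ...]}."""
    events = defaultdict(list)
    for line in raw.splitlines():
        m = HDR_RE.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        rec["type"] = rtype
        if rtype == "AVC":
            pm = PERMS_RE.search(rest)
            rec["perms"] = pm.group(1).split() if pm else []
        events[int(serial)].append(rec)
    return dict(events)


def _mode_class(mode_octal, ouid, ogid, euid, egid):
    """Which DAC class (owner/group/other) the process falls in, and its rwx bits."""
    mode = int(mode_octal, 8) & 0o777
    if euid == ouid:
        return "owner", (mode >> 6) & 7
    if egid == ogid:
        return "group", (mode >> 3) & 7
    return "other", mode & 7


def triage(events):
    """Return {serial: verdict} for every event with a dac_override denial."""
    out = {}
    for serial, recs in sorted(events.items()):
        avcs = [r for r in recs if r["type"] == "AVC" and "dac_override" in r.get("perms", [])]
        if not avcs:
            continue
        comm = avcs[0].get("comm", "?")
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        paths = [r for r in recs if r["type"] == "PATH" and "ouid" in r]
        if sysc is None or not paths:
            out[serial] = {"comm": comm, "verdict": "no_path",
                           "detail": "no PATH record: enable full auditing "
                                     "(auditctl -w <path> -p w), reproduce, rerun ausearch -m avc"}
            continue
        euid, egid = int(sysc["euid"]), int(sysc["egid"])
        p = paths[-1]  # last PATH item is the object the syscall actually touched
        ouid, ogid = int(p["ouid"]), int(p["ogid"])
        cls, bits = _mode_class(p["mode"], ouid, ogid, euid, egid)
        if cls == "owner":
            verdict = "owner_matches"
            detail = (f"{p['name']} is owned by euid {euid}; plain DAC should not need "
                      "override, look at sandboxing or mount options instead")
        else:
            verdict = "ownership_mismatch"
            detail = (f"{p['name']} mode {p['mode'][-4:]} ouid={ouid} ogid={ogid}; process "
                      f"euid={euid} egid={egid} is class '{cls}' with bits {bits:o}; fix "
                      "ownership/permissions rather than granting dac_override")
        out[serial] = {"comm": comm, "verdict": verdict, "path": p["name"], "detail": detail}
    return out


if __name__ == "__main__":
    for serial, r in triage(parse_records(SAMPLE_AUDIT)).items():
        print(f"event {serial} ({r['comm']}): {r['verdict']}: {r['detail']}")
```

Feed it real data with `ausearch -m avc,syscall,path --raw -ts recent`. Events that come back as `no_path` are exactly the ones the plugin's first step targets: without a watch rule the kernel does not emit the PATH record, so there is nothing to check ownership against yet.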
*** Bug 1688581 has been marked as a duplicate of this bug. ***
Hi All,

Most probably this is a bug in the fprintd service. Attaching 2 articles on how it could be solved:

https://lukas-vrabec.com/index.php/2018/07/03/why-do-you-see-dac_override-selinux-denials/
https://lukas-vrabec.com/index.php/2018/07/16/how-to-enable-full-auditing-in-audit-daemon/

Thanks,
Lukas.
(In reply to Lukas Vrabec from comment #2)
> Hi All,
>
> Most probably this is bug in fprintd service. Attaching 2 articles how it
> could be solved:
>
> https://lukas-vrabec.com/index.php/2018/07/03/why-do-you-see-dac_override-selinux-denials/
> https://lukas-vrabec.com/index.php/2018/07/16/how-to-enable-full-auditing-in-audit-daemon/

Those articles explain nothing. They don't explain why this process might be trying to get DAC_OVERRIDE capabilities, because I didn't add that requirement myself, and I have no idea how to reproduce the problem.

https://danwalsh.livejournal.com/79643.html is a better explanation.

How do I know which file it's trying to create? No idea :/
I drilled this down, as I managed to reproduce some AVCs on my system.

This only seems to happen with the uru4000 libfprint driver, and only when started through systemd, which means with "ProtectHome=true". The uru4000 driver uses NSS for some device encryption, which uses PKCS11.

$ grep ENOENT strace-output.txt | grep -v /etc | grep -v /lib | grep -v nscd
access("/sys/subsystem", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/root/.config/pkcs11/pkcs11.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/root/.config/pkcs11/modules", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)

How would one disable those "/root/.config" accesses? Maybe the code shouldn't try to access "home directory" configurations when running as root? If not, let me know how to lock the search paths down and reassign to libfprint.
(In reply to Bastien Nocera from comment #4)
> How would one disable those "/root/.config" accesses?

It's actually p11-kit (loaded through NSS) looking for the user configuration. Set the P11_KIT_NO_USER_CONFIG envvar to any value to disable that.

> Maybe the code
> shouldn't try to access "home directory" configurations when running as root?

Yes, that makes sense to me.
(In reply to Daiki Ueno from comment #5)
> (In reply to Bastien Nocera from comment #4)
>
> > How would one disable those "/root/.config" accesses?
>
> It's actually p11-kit (loaded through NSS) looking for the user
> configuration. Set P11_KIT_NO_USER_CONFIG envvar to any value to disable
> that.

Perfect, I've added a work-around in libfprint upstream:
https://gitlab.freedesktop.org/libfprint/libfprint/merge_requests/48

I won't be cherry-picking this into Fedora right now, as it's just a warning and doesn't actually cause any problems.

> > Maybe the code
> > shouldn't try to access "home directory" configurations when running as root?
>
> Yes, that makes sense to me.
p11-kit-0.23.16.1-1.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-29385faaa3
p11-kit-0.23.16.1-1.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-29385faaa3
p11-kit-0.23.16.1-1.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.