Bug 1688583 - SELinux is preventing fprintd from using the 'dac_override' capabilities.
Summary: SELinux is preventing fprintd from using the 'dac_override' capabilities.
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: nss
Version: 29
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Daiki Ueno
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f9c129aece3c9de71896e55d587...
Keywords:
Duplicates: 1688581
Depends On:
Blocks:
 
Reported: 2019-03-14 03:16 UTC by Angie
Modified: 2019-03-21 15:43 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---



Description Angie 2019-03-14 03:16:54 UTC
Description of problem:
SELinux is preventing fprintd from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that fprintd should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fprintd' --raw | audit2allow -M my-fprintd
# semodule -X 300 -i my-fprintd.pp

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0
Target Context                system_u:system_r:fprintd_t:s0
Target Objects                Unknown [ capability ]
Source                        fprintd
Source Path                   fprintd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.2-49.fc29.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.20.13-200.fc29.x86_64 #1 SMP Wed
                              Feb 27 19:42:55 UTC 2019 x86_64 x86_64
Alert Count                   18
First Seen                    2019-03-02 18:38:59 PST
Last Seen                     2019-03-13 20:09:51 PDT
Local ID                      f04c099e-9ff2-43d7-93cf-224443c03275

Raw Audit Messages
type=AVC msg=audit(1552532991.268:673): avc:  denied  { dac_override } for  pid=26195 comm="fprintd" capability=1  scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=capability permissive=0


Hash: fprintd,fprintd_t,fprintd_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.14.2-49.fc29.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.0
hashmarkername: setroubleshoot
kernel:         4.20.13-200.fc29.x86_64
type:           libreport
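The raw AVC line above carries no file path, which is why the dac_override plugin asks for full auditing. As an added example (not code from this report or from setroubleshoot), the parser below pulls the fields out of that exact record, maps capability=1 to its name, and reproduces the plugin's reasoning; the sample input is the report's own AVC line, embedded as a constant.

```python
"""Parse a raw SELinux AVC record (setroubleshoot 'Raw Audit Messages' format)
and explain a capability denial the way the dac_override plugin reasons about it."""
import re

# Capability numbers from linux/capability.h; the report shows capability=1.
CAPABILITY_NAMES = {0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
                    3: "CAP_FOWNER", 12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN"}

# Constructed sample input: the AVC line from this bug report, copied verbatim.
SAMPLE_AVC = ("type=AVC msg=audit(1552532991.268:673): avc:  denied  { dac_override } "
              "for  pid=26195 comm=\"fprintd\" capability=1  "
              "scontext=system_u:system_r:fprintd_t:s0 "
              "tcontext=system_u:system_r:fprintd_t:s0 tclass=capability permissive=0")

_DECISION = re.compile(r"avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict with the decision, the permission set and the key=value fields."""
    m = _DECISION.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {"decision": m.group(1), "perms": m.group(2).split()}
    for key, val in _FIELD.findall(line[m.end():]):
        rec[key] = val.strip('"')
    if "capability" in rec:
        rec["capability"] = int(rec["capability"])
        rec["capability_name"] = CAPABILITY_NAMES.get(rec["capability"], "CAP_?")
    # The type is the third colon-separated component of an SELinux context.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec and rec[ctx].count(":") >= 2:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def explain(rec):
    """A dac_override denial has tclass=capability and therefore no PATH record:
    the file whose DAC permissions were bypassed can only be found with full auditing."""
    if rec.get("tclass") != "capability":
        return "not a capability check"
    if rec["decision"] == "denied" and "dac_override" in rec["perms"]:
        return ("%s (pid %s, domain %s) tried to bypass file permissions; "
                "no PATH record here, enable full auditing to find the file"
                % (rec["comm"], rec["pid"], rec["scontext_type"]))
    return "%s capability %s" % (rec["decision"], rec.get("capability_name"))


if __name__ == "__main__":
    r = parse_avc(SAMPLE_AVC)
    print(r["capability_name"], r["scontext_type"], "permissive=" + r["permissive"])
    print(explain(r))
```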

Comment 1 Lukas Vrabec 2019-03-14 10:03:34 UTC
*** Bug 1688581 has been marked as a duplicate of this bug. ***

Comment 2 Lukas Vrabec 2019-03-14 10:11:09 UTC
Hi All, 

Most probably this is a bug in the fprintd service. Attaching 2 articles on how it could be solved: 

https://lukas-vrabec.com/index.php/2018/07/03/why-do-you-see-dac_override-selinux-denials/
https://lukas-vrabec.com/index.php/2018/07/16/how-to-enable-full-auditing-in-audit-daemon/

Thanks,
Lukas.

Comment 3 Bastien Nocera 2019-03-14 10:32:28 UTC
(In reply to Lukas Vrabec from comment #2)
> Hi All, 
> 
> Most probably this is a bug in the fprintd service. Attaching 2 articles on how it could be solved: 
> 
> https://lukas-vrabec.com/index.php/2018/07/03/why-do-you-see-dac_override-selinux-denials/
> https://lukas-vrabec.com/index.php/2018/07/16/how-to-enable-full-auditing-in-audit-daemon/

Those articles explain nothing. They don't explain why this process might be trying
to get DAC_OVERRIDE capabilities, because I didn't add that requirement myself,
and I have no idea how to reproduce the problem.

https://danwalsh.livejournal.com/79643.html
is a better explanation.

How do I know which file it's trying to create? No idea :/

Comment 4 Bastien Nocera 2019-03-21 15:02:52 UTC
I drilled this down, as I managed to reproduce some AVCs on my system. This only seems
to happen with the uru4000 libfprint driver, and only when started through systemd,
which means with "ProtectHome=true".

The uru4000 driver uses NSS for some device encryption, which uses PKCS11.

$ grep ENOENT strace-output.txt | grep -v /etc | grep -v /lib | grep -v nscd
access("/sys/subsystem", F_OK)          = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/root/.config/pkcs11/pkcs11.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/root/.config/pkcs11/modules", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such file or directory)

How would one disable those "/root/.config" accesses? Maybe the code
shouldn't try to access "home directory" configurations when running as root?

If not, let me know how to lock the search paths down and reassign to
libfprint.

Comment 5 Daiki Ueno 2019-03-21 15:12:45 UTC
(In reply to Bastien Nocera from comment #4)

> How would one disable those "/root/.config" accesses?

It's actually p11-kit (loaded through NSS) looking for the user configuration.  Set P11_KIT_NO_USER_CONFIG envvar to any value to disable that.

> Maybe the code
> shouldn't try to access "home directory" configurations when running as root?

Yes, that makes sense to me.

Comment 6 Bastien Nocera 2019-03-21 15:43:09 UTC
(In reply to Daiki Ueno from comment #5)
> (In reply to Bastien Nocera from comment #4)
> 
> > How would one disable those "/root/.config" accesses?
> 
> It's actually p11-kit (loaded through NSS) looking for the user
> configuration.  Set P11_KIT_NO_USER_CONFIG envvar to any value to disable
> that.

Perfect, I've added a work-around in libfprint upstream:
https://gitlab.freedesktop.org/libfprint/libfprint/merge_requests/48

I won't be cherry picking this into Fedora right now, as it's just a warning and
doesn't actually cause any problems.

> > Maybe the code
> > shouldn't try to access "home directory" configurations when running as root?
> 
> Yes, that makes sense to me.

