Bug 1781696 - SELinux is preventing /usr/lib/systemd/systemd from 'setattr' accesses on the directory /var/lib/fprint.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.2
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.2
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1782446
Depends On: 1740752
Blocks: 1739559
Reported: 2019-12-10 12:22 UTC by Jiri Koten
Modified: 2020-04-28 16:42 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-28 16:41:41 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
audi log (2.03 KB, text/plain)
2019-12-11 16:01 UTC, Jiri Koten
no flags Details


Links
Red Hat Product Errata RHBA-2020:1773 (last updated 2020-04-28 16:42:05 UTC)

Description Jiri Koten 2019-12-10 12:22:47 UTC
SELinux is preventing /usr/lib/systemd/systemd from 'setattr' accesses on the directory /var/lib/fprint.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd should be allowed setattr access on the fprint directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c '(fprintd)' --raw | audit2allow -M my-fprintd
# semodule -X 300 -i my-fprintd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:fprintd_var_lib_t:s0
Target Objects                /var/lib/fprint [ dir ]
Source                        (fprintd)
Source Path                   /usr/lib/systemd/systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-239-21.el8.x86_64
Target RPM Packages           fprintd-1.90.0-0.20191121gitf022902.el8.x86_64
Policy RPM                    selinux-policy-3.14.3-29.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.18.0-161.el8.x86_64 #1 SMP Fri
                              Dec 6 14:25:24 UTC 2019 x86_64 x86_64
Alert Count                   7
First Seen                    2019-12-10 12:37:22 CET
Last Seen                     2019-12-10 13:01:33 CET
Local ID                      255bc5df-d94e-4a74-ad4a-64de065cce5f

Raw Audit Messages
type=AVC msg=audit(1575979293.798:117): avc:  denied  { setattr } for  pid=4965 comm="(fprintd)" name="fprint" dev="dm-3" ino=126129365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1575979293.798:117): arch=x86_64 syscall=chmod success=no exit=EACCES a0=564a395d4820 a1=1ed a2=ffffffff a3=0 items=0 ppid=1 pid=4965 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=(fprintd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null)

Hash: (fprintd),init_t,fprintd_var_lib_t,dir,setattr

Comment 1 Jiri Koten 2019-12-10 12:25:09 UTC
This is most likely related to rebase of fprintd - see rhbz#1740752

Comment 2 Milos Malik 2019-12-10 12:44:59 UTC
Can you tell me more about the situation which led to the SELinux denial? What commands did you run?

Comment 3 Jiri Koten 2019-12-10 16:37:35 UTC
(In reply to Milos Malik from comment #2)
> Can you tell me more about the situation which led to the SELinux denial?
> What commands did you run?

I haven't run any commands, this happens on my laptop right after I login to the GNOME session.

fprintd is a dbus service and actually failed to start because of this SELinux denial.
It starts fine with SELinux disabled.

Comment 4 Jiri Koten 2019-12-10 16:38:44 UTC
$ sudo ausearch -m AVC -ts recent
----
time->Tue Dec 10 17:28:56 2019
type=PROCTITLE msg=audit(1575995336.675:301): proctitle="(fprintd)"
type=SYSCALL msg=audit(1575995336.675:301): arch=c000003e syscall=90 success=no exit=-13 a0=564a3969ae40 a1=1ed a2=ffffffff a3=0 items=0 ppid=1 pid=15931 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(fprintd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1575995336.675:301): avc:  denied  { setattr } for  pid=15931 comm="(fprintd)" name="fprint" dev="dm-3" ino=126129365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0
----
time->Tue Dec 10 17:31:49 2019
type=PROCTITLE msg=audit(1575995509.295:303): proctitle="(fprintd)"
type=SYSCALL msg=audit(1575995509.295:303): arch=c000003e syscall=90 success=no exit=-13 a0=564a396b24b0 a1=1ed a2=ffffffff a3=0 items=0 ppid=1 pid=17937 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(fprintd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1575995509.295:303): avc:  denied  { setattr } for  pid=17937 comm="(fprintd)" name="fprint" dev="dm-3" ino=126129365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0
----
time->Tue Dec 10 17:35:22 2019
type=PROCTITLE msg=audit(1575995722.868:316): proctitle="(fprintd)"
type=SYSCALL msg=audit(1575995722.868:316): arch=c000003e syscall=90 success=no exit=-13 a0=564a396b7ba0 a1=1ed a2=ffffffff a3=0 items=0 ppid=1 pid=20677 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(fprintd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1575995722.868:316): avc:  denied  { setattr } for  pid=20677 comm="(fprintd)" name="fprint" dev="dm-3" ino=126129365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0
----
time->Tue Dec 10 17:35:39 2019
type=PROCTITLE msg=audit(1575995739.042:332): proctitle="(fprintd)"
type=SYSCALL msg=audit(1575995739.042:332): arch=c000003e syscall=90 success=yes exit=0 a0=564a395d2050 a1=1ed a2=ffffffff a3=0 items=0 ppid=1 pid=20870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(fprintd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1575995739.042:332): avc:  denied  { setattr } for  pid=20870 comm="(fprintd)" name="fprint" dev="dm-3" ino=126129365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=1
----
time->Tue Dec 10 17:35:39 2019
type=PROCTITLE msg=audit(1575995739.042:333): proctitle="(fprintd)"
type=SYSCALL msg=audit(1575995739.042:333): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=564a395d2050 a2=f0000 a3=0 items=0 ppid=1 pid=20870 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="(fprintd)" exe="/usr/lib/systemd/systemd" subj=system_u:system_r:init_t:s0 key=(null)
type=AVC msg=audit(1575995739.042:333): avc:  denied  { read } for  pid=20870 comm="(fprintd)" name="fprint" dev="dm-3" ino=126129365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=1

Comment 5 Jiri Koten 2019-12-10 16:43:41 UTC
Also it seems to freeze my lock screen as a result of that. The fprintd daemon is responsible for fingerprint reader which I have on my laptop.

Comment 6 Zdenek Pytela 2019-12-11 12:19:26 UTC
Jiri,

Would you be able to help with isolating the issue? For some reason, "chmod 755" is executed and denied, but it is not clear for which file.

# make the system permissive
setenforce 0
# save a timestamp
since=$(date +%T)
# enable full path auditing
auditctl -w /etc/shadow -p w

<reproduce the issue>

# list audit records
ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts "$since"  > /tmp/audit.out

# unset the changes
setenforce 1
auditctl -W /etc/shadow -p w
unset since

Comment 8 Zdenek Pytela 2019-12-11 14:12:47 UTC
Could you please also verify what this file's SELinux type is?

ls -lZ /usr/libexec/fprintd
matchpathcon /usr/libexec/fprintd

Comment 9 Jiri Koten 2019-12-11 16:01:00 UTC
Created attachment 1644021 [details]
audi log

# ls -lZ /usr/libexec/fprintd
-rwxr-xr-x. 1 root root system_u:object_r:fprintd_exec_t:s0 63168 Nov 21 16:30 /usr/libexec/fprintd

# matchpathcon /usr/libexec/fprintd
/usr/libexec/fprintd    system_u:object_r:fprintd_exec_t:s0

Comment 10 Milos Malik 2019-12-12 08:33:30 UTC
I also see this on my RHEL-8.2 VM after logging into X session as unconfined user:
----
type=PROCTITLE msg=audit(12/12/2019 09:28:42.212:273) : proctitle=(fprintd) 
type=PATH msg=audit(12/12/2019 09:28:42.212:273) : item=0 name=/var/lib/fprint inode=162775 dev=08:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:fprintd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(12/12/2019 09:28:42.212:273) : cwd=/ 
type=SYSCALL msg=audit(12/12/2019 09:28:42.212:273) : arch=x86_64 syscall=chmod success=no exit=EACCES(Permission denied) a0=0x557e7a7dcdd0 a1=0755 a2=0xffffffff a3=0x0 items=1 ppid=1 pid=3887 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(fprintd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(12/12/2019 09:28:42.212:273) : avc:  denied  { setattr } for  pid=3887 comm=(fprintd) name=fprint dev="sda2" ino=162775 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0 
----

# ls -dZ /var/lib/fprint
system_u:object_r:fprintd_var_lib_t:s0 /var/lib/fprint
# ls -ld /var/lib/fprint
drwxr-xr-x. 2 root root 6 Nov 21 16:30 /var/lib/fprint
#

# service fprintd status
Redirecting to /bin/systemctl status fprintd.service
● fprintd.service - Fingerprint Authentication Daemon
   Loaded: loaded (/usr/lib/systemd/system/fprintd.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2019-12-12 09:28:42 CET; 4min 5s ago
     Docs: man:fprintd(1)
  Process: 3887 ExecStart=/usr/libexec/fprintd (code=exited, status=238/STATE_DIRECTORY)
 Main PID: 3887 (code=exited, status=238/STATE_DIRECTORY)

Dec 12 09:28:42 localhost.localdomain systemd[1]: Starting Fingerprint Authentication Daemon...
Dec 12 09:28:42 localhost.localdomain systemd[1]: fprintd.service: Main process exited, code=exited, status=238/STATE_DIRECTORY
Dec 12 09:28:42 localhost.localdomain systemd[1]: fprintd.service: Failed with result 'exit-code'.
Dec 12 09:28:42 localhost.localdomain systemd[1]: Failed to start Fingerprint Authentication Daemon.
#

Comment 11 Milos Malik 2019-12-12 08:43:43 UTC
# ls -ld /var/lib/fprint
drwxr-xr-x. 2 root root 6 Nov 21 16:30 /var/lib/fprint
# ls -dZ /var/lib/fprint
system_u:object_r:fprintd_var_lib_t:s0 /var/lib/fprint
# service fprintd status
Redirecting to /bin/systemctl status fprintd.service
● fprintd.service - Fingerprint Authentication Daemon
   Loaded: loaded (/usr/lib/systemd/system/fprintd.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2019-12-12 09:37:11 CET; 12s ago
     Docs: man:fprintd(1)
  Process: 6889 ExecStart=/usr/libexec/fprintd (code=exited, status=238/STATE_DIRECTORY)
 Main PID: 6889 (code=exited, status=238/STATE_DIRECTORY)

Dec 12 09:37:11 localhost.localdomain systemd[1]: Starting Fingerprint Authentication Daemon...
Dec 12 09:37:11 localhost.localdomain systemd[1]: fprintd.service: Main process exited, code=exited, status=238/STATE_DIRECTORY
Dec 12 09:37:11 localhost.localdomain systemd[1]: fprintd.service: Failed with result 'exit-code'.
Dec 12 09:37:11 localhost.localdomain systemd[1]: Failed to start Fingerprint Authentication Daemon.
# setenforce 0
# service fprintd start
Redirecting to /bin/systemctl start fprintd.service
# service fprintd status
Redirecting to /bin/systemctl status fprintd.service
● fprintd.service - Fingerprint Authentication Daemon
   Loaded: loaded (/usr/lib/systemd/system/fprintd.service; static; vendor preset: disabled)
   Active: active (running) since Thu 2019-12-12 09:37:35 CET; 1s ago
     Docs: man:fprintd(1)
 Main PID: 6962 (fprintd)
    Tasks: 3
   Memory: 2.3M
   CGroup: /system.slice/fprintd.service
           └─6962 /usr/libexec/fprintd

Dec 12 09:37:35 localhost.localdomain systemd[1]: Starting Fingerprint Authentication Daemon...
Dec 12 09:37:35 localhost.localdomain systemd[1]: Started Fingerprint Authentication Daemon.

# 

----
type=PROCTITLE msg=audit(12/12/2019 09:37:35.606:585) : proctitle=(fprintd) 
type=PATH msg=audit(12/12/2019 09:37:35.606:585) : item=0 name=/var/lib/fprint inode=162775 dev=08:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:fprintd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(12/12/2019 09:37:35.606:585) : cwd=/ 
type=SYSCALL msg=audit(12/12/2019 09:37:35.606:585) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x557e7a7938a0 a1=0755 a2=0xffffffff a3=0x0 items=1 ppid=1 pid=6962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(fprintd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(12/12/2019 09:37:35.606:585) : avc:  denied  { setattr } for  pid=6962 comm=(fprintd) name=fprint dev="sda2" ino=162775 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(12/12/2019 09:37:35.606:586) : proctitle=(fprintd) 
type=PATH msg=audit(12/12/2019 09:37:35.606:586) : item=0 name=/var/lib/fprint inode=162775 dev=08:02 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:fprintd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(12/12/2019 09:37:35.606:586) : cwd=/ 
type=SYSCALL msg=audit(12/12/2019 09:37:35.606:586) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x557e7a7938a0 a2=O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_NOATIME|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=6962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(fprintd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(12/12/2019 09:37:35.606:586) : avc:  denied  { read } for  pid=6962 comm=(fprintd) name=fprint dev="sda2" ino=162775 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=1 
----

# ls -ld /var/lib/fprint
drwxr-xr-x. 2 root root 6 Nov 21 16:30 /var/lib/fprint
# ls -dZ /var/lib/fprint
system_u:object_r:fprintd_var_lib_t:s0 /var/lib/fprint
#

Comment 12 Milos Malik 2019-12-12 09:00:10 UTC
Unfortunately, I don't know why syscall=chmod is used. Permissions and ownership of /var/lib/fprint look the same way in enforcing and permissive mode (before and after).

Comment 13 Milos Malik 2019-12-12 09:13:33 UTC
# grep -i state /usr/lib/systemd/system/fprintd.service 
StateDirectory=fprint
#

Maybe some systemd magic is involved.

Comment 14 Milos Malik 2019-12-12 09:22:58 UTC
One thing is sure. The fprintd service does not start in enforcing mode if the following rule is missing:

allow init_t fprintd_var_lib_t:dir { read setattr };

Comment 16 Tomas Pelka 2019-12-12 09:53:15 UTC
*** Bug 1782446 has been marked as a duplicate of this bug. ***

Comment 17 Zdenek Pytela 2019-12-12 10:43:48 UTC
I rather suspect this line:

NoNewPrivileges=true

fprintd runs in the init_t domain instead of transitioning to its own. If the transition gets done, the permissions are granted:

# sesearch -A -s fprintd_t -t fprintd_var_lib_t -c dir -p read,setattr
allow fprintd_t fprintd_var_lib_t:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink write };
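To make the two observations above concrete (comment 14's aggregated allow rule, and comment 17's point that the denials come from init_t rather than fprintd_t), here is an added example of an audit2allow-style aggregator run over the AVC records quoted in this bug. It is not part of the bug report or of any Red Hat tool; the sample lines are copied from the ausearch output above, and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: three AVC records copied from the ausearch output in this
# bug (one denial in enforcing mode, then the two seen after setenforce 0).
SAMPLE_AVC_LINES = """\
type=AVC msg=audit(1575995336.675:301): avc:  denied  { setattr } for  pid=15931 comm="(fprintd)" name="fprint" dev="dm-3" ino=126129365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1575995739.042:332): avc:  denied  { setattr } for  pid=20870 comm="(fprintd)" name="fprint" dev="dm-3" ino=126129365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1575995739.042:333): avc:  denied  { read } for  pid=20870 comm="(fprintd)" name="fprint" dev="dm-3" ino=126129365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=1
"""

# One AVC record: the braced permission list, the comm, then the context fields.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="?(?P<comm>[^"\s]+)"?.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def type_of(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one 'type=AVC ... avc: denied' line; return None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but not blocked
        "enforced": m.group("permissive") != "1",
    }

def aggregate_rules(lines):
    """Collapse denials into one allow rule per (source, target, class),
    the way audit2allow does; permissions are merged across records."""
    needed = defaultdict(set)
    for line in lines.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            needed[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(needed.items())
    ]

def init_domain_denials(lines):
    """Denials whose source domain is init_t (PID 1's domain): a daemon that
    should be in its own domain is still running as systemd, so adding the
    aggregated allow rule would widen init_t rather than fix the transition."""
    return [
        (rec["comm"], rec["target"], rec["tclass"], rec["enforced"])
        for rec in map(parse_avc, lines.splitlines())
        if rec is not None and rec["source"] == "init_t"
    ]

if __name__ == "__main__":
    for rule in aggregate_rules(SAMPLE_AVC_LINES):
        print(rule)
    for comm, target, tclass, enforced in init_domain_denials(SAMPLE_AVC_LINES):
        state = "blocked" if enforced else "permissive"
        print(f"init_t denial: {comm} -> {target}:{tclass} ({state})")
```

On the sample it reproduces exactly the rule from comment 14 and flags all three records as init_t-sourced, which is the signal that a local policy module would be papering over a missing domain transition.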

Comment 18 Zdenek Pytela 2019-12-12 11:36:10 UTC
Michale,

It looks like a "chmod 755 /var/lib/fprint"-equivalent syscall and a subsequent read were executed when starting the fprintd service:

----
type=PROCTITLE msg=audit(12/11/2019 16:58:20.123:843) : proctitle=(fprintd) 
type=PATH msg=audit(12/11/2019 16:58:20.123:843) : item=0 name=/var/lib/fprint inode=126129365 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:fprintd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(12/11/2019 16:58:20.123:843) : cwd=/ 
type=SYSCALL msg=audit(12/11/2019 16:58:20.123:843) : arch=x86_64 syscall=chmod success=yes exit=0 a0=0x564a3972ad00 a1=0755 a2=0xffffffff a3=0x0 items=1 ppid=1 pid=6906 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(fprintd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(12/11/2019 16:58:20.123:843) : avc:  denied  { setattr } for  pid=6906 comm=(fprintd) name=fprint dev="dm-3" ino=126129365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=1 
----
type=PROCTITLE msg=audit(12/11/2019 16:58:20.123:844) : proctitle=(fprintd) 
type=PATH msg=audit(12/11/2019 16:58:20.123:844) : item=0 name=/var/lib/fprint inode=126129365 dev=fd:03 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:fprintd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(12/11/2019 16:58:20.123:844) : cwd=/ 
type=SYSCALL msg=audit(12/11/2019 16:58:20.123:844) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x564a3972ad00 a2=O_RDONLY|O_DIRECTORY|O_NOFOLLOW|O_NOATIME|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=6906 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(fprintd) exe=/usr/lib/systemd/systemd subj=system_u:system_r:init_t:s0 key=(null) 
type=AVC msg=audit(12/11/2019 16:58:20.123:844) : avc:  denied  { read } for  pid=6906 comm=(fprintd) name=fprint dev="dm-3" ino=126129365 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=1
----

still in systemd's init_t context. The syscalls were denied per the current policy settings, but chmod does not actually seem to have any effect, since the directory mode is 0755 both before and after. Is this a result of some service settings? Is it systemd which calls the syscalls? It started to happen lately; it may be a result of the package rebase in RHEL 8.2.

[Service]
Type=dbus
BusName=net.reactivated.Fprint
ExecStart=/usr/libexec/fprintd

# Filesystem lockdown
ProtectSystem=strict
ProtectKernelTunables=true
ProtectControlGroups=true
# This always corresponds to /var/lib/fprint
StateDirectory=fprint
ProtectHome=true
PrivateTmp=true

# Network
PrivateNetwork=true
RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_NETLINK

# Execute Mappings
MemoryDenyWriteExecute=true

# Modules
ProtectKernelModules=true

# Real-time
RestrictRealtime=true

# Privilege escalation
NoNewPrivileges=true

Comment 26 Joachim Frieben 2020-04-28 08:57:24 UTC
Issue seen under current CentOS 8 Stream including selinux-policy-3.14.3-20.el8.

Comment 27 errata-xmlrpc 2020-04-28 16:41:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1773