Description of problem:
No idea how this happens, I just use my Fedora as my main machine, with Cinnamon desktop environment.

SELinux is preventing fprintd from 'write' accesses on the file persist.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that fprintd should be allowed write access on the persist file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fprintd' --raw | audit2allow -M my-fprintd
# semodule -X 300 -i my-fprintd.pp

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                persist [ file ]
Source                        fprintd
Source Path                   fprintd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.21-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-34.21-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.14.9-300.fc35.x86_64 #1 SMP Thu Sep 30 11:54:18 UTC 2021 x86_64 x86_64
Alert Count                   18
First Seen                    2021-10-04 20:25:02 CEST
Last Seen                     2021-10-05 17:52:34 CEST
Local ID                      4cfc6465-8ee0-4318-96a2-ba7457546c86

Raw Audit Messages
type=AVC msg=audit(1633449154.386:744): avc: denied { write } for pid=20540 comm="fprintd" name="persist" dev="sysfs" ino=28365 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

Hash: fprintd,fprintd_t,sysfs_t,file,write

Version-Release number of selected component:
selinux-policy-targeted-34.21-1.fc35.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.15.2
hashmarkername: setroubleshoot
kernel: 5.14.9-300.fc35.x86_64
type: libreport
Can confirm it on my system as well (F35 x86_64)

Raw Audit Messages
type=AVC msg=audit(1633462273.636:301): avc: denied { write } for pid=2980 comm="fprintd" name="persist" dev="sysfs" ino=23698 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

from the fprintd service log:
...
fprintd[2980]: Failed to open /sys/bus/usb/devices/1-1.3/power/persist
...

USB device is fingerprint reader in this case:
Bus 001 Device 003: ID 147e:2016 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor

potentially related packages
------------
fprintd-1.92.0-2.fc35.x86_64
fprintd-pam-1.92.0-2.fc35.x86_64
selinux-policy-34.21-1.fc35.noarch
selinux-policy-targeted-34.21-1.fc35.noarch
libfprint-1.94.1-1.fc35.x86_64
Please run the following commands and let us know what their output is:

# semanage permissive -a fprintd_t
# systemctl restart fprintd.service
# ausearch -m avc -m user_avc -m selinux_err -i -ts today

The first command temporarily switches the fprintd policy to permissive.
The following command switches the fprintd policy to enforcing again:

# semanage permissive -d fprintd_t
For me I get following messages now when in permissive mode (I see some other messages which are unrelated to fprintd as well):

----
type=AVC msg=audit(13.10.2021. 09:28:48.298:204) : avc: denied { read } for pid=1343 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(13.10.2021. 09:28:48.298:205) : avc: denied { read } for pid=1343 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(13.10.2021. 11:14:07.988:202) : avc: denied { read } for pid=1479 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(13.10.2021. 11:14:07.988:203) : avc: denied { read } for pid=1479 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
----
type=AVC msg=audit(13.10.2021. 11:16:52.778:282) : avc: denied { write } for pid=3552 comm=fprintd name=wakeup dev="sysfs" ino=23705 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13.10.2021. 11:17:51.311:291) : avc: denied { write } for pid=3609 comm=fprintd name=wakeup dev="sysfs" ino=23705 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13.10.2021. 11:18:56.833:303) : avc: denied { write } for pid=3698 comm=fprintd name=wakeup dev="sysfs" ino=23705 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(13.10.2021. 11:26:47.427:317) : avc: denied { write } for pid=3884 comm=fprintd name=wakeup dev="sysfs" ino=23705 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

also in journal:

-- Journal begins at Sun 2021-01-03 09:35:33 CET, ends at Wed 2021-10-13 11:29:27 CEST. --
окт 13 11:16:52 fedora.linux systemd[1]: Starting Fingerprint Authentication Daemon...
окт 13 11:16:52 fedora.linux fprintd[3552]: Failed to open /sys/bus/usb/devices/1-1.3/power/persist
окт 13 11:16:52 fedora.linux systemd[1]: Started Fingerprint Authentication Daemon.
окт 13 11:17:22 fedora.linux systemd[1]: fprintd.service: Deactivated successfully.
окт 13 11:17:51 fedora.linux systemd[1]: Starting Fingerprint Authentication Daemon...
окт 13 11:17:51 fedora.linux fprintd[3609]: Failed to open /sys/bus/usb/devices/1-1.3/power/persist
окт 13 11:17:51 fedora.linux systemd[1]: Started Fingerprint Authentication Daemon.
окт 13 11:18:24 fedora.linux systemd[1]: fprintd.service: Deactivated successfully.
окт 13 11:18:56 fedora.linux systemd[1]: Starting Fingerprint Authentication Daemon...
окт 13 11:18:56 fedora.linux fprintd[3698]: Failed to open /sys/bus/usb/devices/1-1.3/power/persist
окт 13 11:18:56 fedora.linux systemd[1]: Started Fingerprint Authentication Daemon.
окт 13 11:19:29 fedora.linux systemd[1]: fprintd.service: Deactivated successfully.
окт 13 11:26:47 fedora.linux systemd[1]: Starting Fingerprint Authentication Daemon...
окт 13 11:26:47 fedora.linux fprintd[3884]: Failed to open /sys/bus/usb/devices/1-1.3/power/persist
окт 13 11:26:47 fedora.linux systemd[1]: Started Fingerprint Authentication Daemon.
окт 13 11:27:17 fedora.linux systemd[1]: fprintd.service: Deactivated successfully.
Here's the result :

# semanage permissive -a fprintd_t
# systemctl restart fprintd.service
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=AVC msg=audit(10/13/2021 08:26:15.788:1148) : avc: denied { write } for pid=30272 comm=fprintd name=wakeup dev="sysfs" ino=76443 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(10/13/2021 08:26:15.788:1149) : avc: denied { write } for pid=30272 comm=fprintd name=persist dev="sysfs" ino=33477 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(10/13/2021 11:28:04.964:341) : avc: denied { write } for pid=2466 comm=fprintd name=wakeup dev="sysfs" ino=33188 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(10/13/2021 11:28:04.964:342) : avc: denied { write } for pid=2466 comm=fprintd name=persist dev="sysfs" ino=33181 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(10/13/2021 11:46:51.904:416) : avc: denied { write } for pid=6028 comm=fprintd name=wakeup dev="sysfs" ino=33188 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(10/13/2021 11:46:51.904:417) : avc: denied { write } for pid=6028 comm=fprintd name=persist dev="sysfs" ino=33181 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(10/13/2021 11:47:12.774:438) : avc: denied { write } for pid=6120 comm=fprintd name=wakeup dev="sysfs" ino=33188 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
----
type=AVC msg=audit(10/13/2021 11:52:44.468:472) : avc: denied { write } for pid=6399 comm=fprintd name=wakeup dev="sysfs" ino=33188 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
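Added example, not part of the original report: a small C parser that reduces AVC denial records, in both the raw form and the `ausearch -i` form quoted in the comments above, to the five fields shown in the report's Hash line, plus the object name and the permissive flag, so that repeated reports can be grouped during triage. The struct and function names are hypothetical; the two sample records are copied from this page.

```c
#include <stdio.h>
#include <string.h>

struct avc {
    char perm[32], comm[32], name[64], tclass[32];
    char stype[64], ttype[64];   /* type component of scontext and tcontext */
    int permissive;              /* 0 or 1, or -1 when the field is absent */
};

/* Two records copied from this report: the raw form and the `ausearch -i` form. */
static const char SAMPLE_RAW[] =
    "type=AVC msg=audit(1633449154.386:744): avc: denied { write } for pid=20540 "
    "comm=\"fprintd\" name=\"persist\" dev=\"sysfs\" ino=28365 scontext=system_u:system_r:fprintd_t:s0 "
    "tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0";
static const char SAMPLE_INTERP[] =
    "type=AVC msg=audit(10/13/2021 11:47:12.774:438) : avc: denied { write } for pid=6120 "
    "comm=fprintd name=wakeup dev=\"sysfs\" ino=33188 scontext=system_u:system_r:fprintd_t:s0 "
    "tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1";

/* Bounded copy of n bytes from p into out, always NUL-terminated. */
static void copy(char *out, size_t len, const char *p, size_t n)
{
    if (n >= len)
        n = len - 1;
    memcpy(out, p, n);
    out[n] = '\0';
}

/* Copy the value of "key=" (quoted or bare) into out. Returns 0, or -1 if absent. */
static int field(const char *line, const char *key, char *out, size_t len)
{
    size_t klen = strlen(key);
    const char *p;
    int quoted;
    /* Accept only whole keys, so "name" does not match inside a longer key. */
    for (p = strstr(line, key); p; p = strstr(p + klen, key))
        if ((p == line || p[-1] == ' ') && p[klen] == '=')
            break;
    if (!p)
        return -1;
    p += klen + 1;
    quoted = (*p == '"');
    p += quoted;
    copy(out, len, p, strcspn(p, quoted ? "\"" : " \n"));
    return 0;
}

/* Extract the third component (the type) of a user:role:type:level context. */
static int context_type(const char *ctx, char *out, size_t len)
{
    const char *p = strchr(ctx, ':');
    if (!p || !(p = strchr(p + 1, ':')))
        return -1;
    copy(out, len, p + 1, strcspn(p + 1, ":"));
    return 0;
}

/* Parse one AVC denial line. Returns 0 on success, -1 if it is not a usable denial. */
int parse_avc(const char *line, struct avc *a)
{
    char sctx[128], tctx[128], flag[8];
    const char *d, *lb, *rb;
    memset(a, 0, sizeof *a);
    if (!strstr(line, "avc:") || !(d = strstr(line, "denied")) ||
        !(lb = strchr(d, '{')) || !(rb = strchr(lb, '}')))
        return -1;
    lb += 1 + strspn(lb + 1, " ");          /* skip padding after '{' */
    while (rb > lb && rb[-1] == ' ')
        rb--;                               /* and before '}' */
    copy(a->perm, sizeof a->perm, lb, (size_t)(rb - lb));
    if (field(line, "comm", a->comm, sizeof a->comm) ||
        field(line, "scontext", sctx, sizeof sctx) || context_type(sctx, a->stype, sizeof a->stype) ||
        field(line, "tcontext", tctx, sizeof tctx) || context_type(tctx, a->ttype, sizeof a->ttype) ||
        field(line, "tclass", a->tclass, sizeof a->tclass))
        return -1;
    field(line, "name", a->name, sizeof a->name);   /* optional, e.g. absent for tclass=key */
    a->permissive = field(line, "permissive", flag, sizeof flag) ? -1 : (flag[0] == '1');
    return 0;
}

/* Build "comm,source_type,target_type,class,perm", the shape of the report's Hash line. */
int avc_key(const struct avc *a, char *out, size_t len)
{
    int n = snprintf(out, len, "%s,%s,%s,%s,%s", a->comm, a->stype, a->ttype, a->tclass, a->perm);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    const char *samples[] = { SAMPLE_RAW, SAMPLE_INTERP };
    struct avc a;
    char key[256];
    for (int i = 0; i < 2; i++)
        if (parse_avc(samples[i], &a) == 0 && avc_key(&a, key, sizeof key) == 0)
            printf("%s name=%s permissive=%d\n", key, a.name, a.permissive);
    return 0;
}
```

Both sample records reduce to the same key and differ only in the object name (persist, wakeup) and the permissive flag.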
Similar problem has been detected: Upgraded from Fedora 34 to 35, saw this on first login via SELinux Troubleshooter hashmarkername: setroubleshoot kernel: 5.14.14-300.fc35.x86_64 package: selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: I got this warning at every system startup hashmarkername: setroubleshoot kernel: 5.14.14-300.fc35.x86_64 package: selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected:

I have this issue since the fedora 35 update. I am using a fingerprint sensor to log in, my system is vanilla gnome.

It seems to have already been reported there: https://github.com/fedora-selinux/selinux-policy/issues/840

I also have the same selinux report, but for writing to 'wakeup' file:

time->Thu Nov 4 12:27:55 2021
type=AVC msg=audit(1636025275.058:437): avc: denied { write } for pid=6294 comm="fprintd" name="persist" dev="sysfs" ino=22511 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
time->Thu Nov 4 12:31:29 2021
type=AVC msg=audit(1636025489.349:459): avc: denied { write } for pid=7466 comm="fprintd" name="wakeup" dev="sysfs" ino=38228 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

hashmarkername: setroubleshoot
kernel: 5.14.14-300.fc35.x86_64
package: selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch
reason: SELinux is preventing fprintd from 'write' accesses on the file persist.
type: libreport
Similar problem has been detected: After the update to Fedora 35 I got the problem hashmarkername: setroubleshoot kernel: 5.14.15-300.fc35.x86_64 package: selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: This seems to happen every time I try to unlock my locked GNOME session using a fingerprint. hashmarkername: setroubleshoot kernel: 5.14.16-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: It seems that this problem happens every time I run a command with "sudo" (e.g., sudo dnf update). hashmarkername: setroubleshoot kernel: 5.14.16-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected:

I followed the suggestion from setroubleshoot:

ausearch -c 'fprintd' --raw | audit2allow -M my-fprintd
# semodule -X 300 -i my-fprintd.pp

But it doesn't work either.

Nov 10 17:13:47 localhost audit[81988]: USER_END pid=81988 uid=1000 auid=1000 ses=14 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
Nov 10 17:13:47 localhost audit[81988]: CRED_DISP pid=81988 uid=1000 auid=1000 ses=14 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
Nov 10 17:13:49 localhost audit: BPF prog-id=250 op=LOAD
Nov 10 17:13:49 localhost audit: BPF prog-id=251 op=LOAD
Nov 10 17:13:49 localhost systemd[1]: Starting Hostname Service...
Nov 10 17:13:49 localhost systemd[1]: Started Hostname Service.
Nov 10 17:13:49 localhost audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 10 17:13:51 localhost audit: BPF prog-id=252 op=LOAD
Nov 10 17:13:51 localhost systemd[1]: Starting Fingerprint Authentication Daemon...
Nov 10 17:13:51 localhost systemd[1]: Started Fingerprint Authentication Daemon.
Nov 10 17:13:51 localhost audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 10 17:13:54 localhost journal[82873]: Verify has failed: 502
Nov 10 17:13:54 localhost journal[82873]: Device reported an error during verify: Unexpected result from device 502

Here is the error from fprintd:

Nov 10 17:14:26 localhost.localdomain systemd[1]: Started Fingerprint Authentication Daemon.
Nov 10 17:14:28 localhost.localdomain fprintd[82979]: Verify has failed: 502
Nov 10 17:14:28 localhost.localdomain fprintd[82979]: Device reported an error during verify: Unexpected result from device 502

version:
fprintd-1.94.1-1.fc35.x86_64
selinux-policy-35.5-1.fc35.noarch
kernel-5.14.16-301.fc35.x86_64
Similar problem has been detected: directly after booting to xfce desktop hashmarkername: setroubleshoot kernel: 5.14.16-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the Datei persist. type: libreport
Similar problem has been detected: sudo dnf install htop hashmarkername: setroubleshoot kernel: 5.14.17-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the файл persist. type: libreport
Similar problem has been detected: Started receiving this SELinux alert after upgrading from Fedora 34 to 35. fprintd is not allowed write permissions to its persist.img file. hashmarkername: setroubleshoot kernel: 5.14.17-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
My problem might be related: https://ask.fedoraproject.org/t/fringerprint-reader-problem-on-thinkpad-x1c9/18494
Similar problem has been detected: I installed texlive-scheme-full and ran $ sudo updmap-sys --syncwithtrees hashmarkername: setroubleshoot kernel: 5.14.18-300.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: any sudo command hashmarkername: setroubleshoot kernel: 5.15.3-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: Upgrade F34 to F35. Happens now whenever I use the fingerprint device. hashmarkername: setroubleshoot kernel: 5.14.18-300.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
*** Bug 2027469 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Logged in from opening the laptop lid. hashmarkername: setroubleshoot kernel: 5.15.4-201.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
I see the same issue after upgrading to F35:

----
type=AVC msg=audit(12/01/2021 06:52:58.482:305) : avc: denied { write } for pid=2784 comm=fprintd name=wakeup dev="sysfs" ino=36110 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(12/01/2021 06:52:58.482:306) : avc: denied { write } for pid=2784 comm=fprintd name=persist dev="sysfs" ino=36103 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(12/01/2021 07:12:47.628:368) : avc: denied { write } for pid=5556 comm=fprintd name=wakeup dev="sysfs" ino=36110 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(12/01/2021 07:12:47.628:369) : avc: denied { write } for pid=5556 comm=fprintd name=persist dev="sysfs" ino=36103 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(12/01/2021 08:09:04.508:400) : avc: denied { write } for pid=9332 comm=fprintd name=wakeup dev="sysfs" ino=36110 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

SELinux Policy RPM selinux-policy-targeted-35.5-1.fc35.noarch
After installing Fedora 35 Xfce spin I see this alert over and over again. Updating to the latest packages did not help. It is really annoying.
Similar problem has been detected: Rebooted and logged into GNOME (on Xorg if that matters). hashmarkername: setroubleshoot kernel: 5.15.6-200.fc35.x86_64 package: selinux-policy-targeted-35.6-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
As a workaround, I got rid of fprintd, as I do not use the fingerprint reader:

sudo systemctl stop fprintd
sudo dnf remove fprintd
As a workaround, I just pressed "Ignore" in the Selinux Alert Browser. Using the fingerprint reader and it works fine. Still, I think for a good Fedora experience, that issue should be fixed in fprintd or the selinux policy. Let me know if I can help with that.
Similar problem has been detected: Computer had been locked from being idle overnight. Upon logging in this message was seen and its timing lined up with the login. hashmarkername: setroubleshoot kernel: 5.15.6-200.fc35.x86_64 package: selinux-policy-targeted-35.6-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
(In reply to Milos Malik from comment #2)
> Please run the following commands and let us know what their output is:
>
> # semanage permissive -a fprintd_t
> # systemctl restart fprintd.service
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today
>
> The first command temporarily switches the fprintd policy to permissive.
> The following command switches the fprintd policy to enforcing again:
>
> # semanage permissive -d fprintd_t

[root@carbonbean ~]# semanage permissive -a fprintd_t
[root@carbonbean ~]# systemctl restart fprintd.service
[root@carbonbean ~]# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=AVC msg=audit(12/15/2021 08:44:58.497:320) : avc: denied { write } for pid=131700 comm=fprintd name=wakeup dev="sysfs" ino=29857 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(12/15/2021 08:44:58.497:321) : avc: denied { write } for pid=131700 comm=fprintd name=persist dev="sysfs" ino=29850 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(12/15/2021 08:50:33.895:335) : avc: denied { write } for pid=133879 comm=fprintd name=wakeup dev="sysfs" ino=29857 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(12/15/2021 08:50:33.895:336) : avc: denied { write } for pid=133879 comm=fprintd name=persist dev="sysfs" ino=29850 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
type=AVC msg=audit(12/15/2021 08:50:54.971:354) : avc: denied { write } for pid=133960 comm=fprintd name=wakeup dev="sysfs" ino=29857 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
[root@carbonbean ~]# semanage permissive -d fprintd_t
libsemanage.semanage_direct_remove_key: Removing last permissive_fprintd_t module (no other permissive_fprintd_t module exists at another priority).
Similar problem has been detected: Recently upgraded to F35. have been configured for kscreenlock (and most things with system-auth) to use fingerprint. I now get this selinux violation consistently when running sudo from a terminal. The error is usually against a file called "persist" but is also, maybe 30% of the time, against a file called "wakeup". I strongly suspect it is trying to write to "persist" and/or "wakeup" under: /sys/devices/pci0000:00/0000:00:14.0/usb1/1-9/power/ because that's my fingerprint reader. I guess if fprintd wants to adjust the wakeup and persist of the fingerprint reader, SeLinux should allow that? hashmarkername: setroubleshoot kernel: 5.15.8-200.fc35.x86_64 package: selinux-policy-targeted-35.6-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: Not sure what caused this. hashmarkername: setroubleshoot kernel: 5.15.6-200.fc35.x86_64 package: selinux-policy-targeted-35.6-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: each time a command with 'sudo' is run this message pops up hashmarkername: setroubleshoot kernel: 5.15.11-200.fc35.x86_64 package: selinux-policy-targeted-35.7-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: I'm not sure why this happened. hashmarkername: setroubleshoot kernel: 5.14.17-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: Executed "su" in a terminal shell. hashmarkername: setroubleshoot kernel: 5.15.11-200.fc35.x86_64 package: selinux-policy-targeted-35.7-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: When attempting to log in after sleep, SELinux reported that fprintd attempted to access, and said that if I believe it should be able to, then I need to submit a bug. So it is the case. hashmarkername: setroubleshoot kernel: 5.15.12-200.fc35.x86_64 package: selinux-policy-targeted-35.7-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file wakeup. type: libreport
Similar problem has been detected: Automatically appears after a startup is finished hashmarkername: setroubleshoot kernel: 5.15.13-200.fc35.x86_64 package: selinux-policy-targeted-35.8-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: It appears when I log in. hashmarkername: setroubleshoot kernel: 5.15.12-200.fc35.x86_64 package: selinux-policy-targeted-35.7-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the archivo persist. type: libreport
*** Bug 2046579 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Clicked on a notification. hashmarkername: setroubleshoot kernel: 5.14.17-301.fc35.x86_64 package: selinux-policy-targeted-35.5-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Similar problem has been detected: Just after system startup hashmarkername: setroubleshoot kernel: 5.15.17-200.fc35.x86_64 package: selinux-policy-targeted-35.11-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the Datei persist. type: libreport
Similar problem has been detected: Occurs at login; fprintd is using hardware 06cb:00bd (Synaptics). Running on fedora 5.16.5-200.fc35. hashmarkername: setroubleshoot kernel: 5.16.5-200.fc35.x86_64 package: selinux-policy-targeted-35.13-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file wakeup. type: libreport
Similar problem has been detected: Happens when I use sudo hashmarkername: setroubleshoot kernel: 5.16.5-200.fc35.x86_64 package: selinux-policy-targeted-35.13-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
*** Bug 2053522 has been marked as a duplicate of this bug. ***
Similar problem has been detected: After every boot (maybe login) after FC35 install from scratch on Laptop with "fingerprint" reader. It is crazily unbelievable, how "BAD" testing is made prior to releasing. Every time again, SE-Linux rules are missing! Please, remember to include it to the check-list. hashmarkername: setroubleshoot kernel: 5.16.9-200.fc35.x86_64 package: selinux-policy-targeted-35.15-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the Datei persist. type: libreport
Similar problem has been detected: This problem came up after locking the screen, returning, and unlocking the screen with password. hashmarkername: setroubleshoot kernel: 5.16.8-200.fc35.x86_64 package: selinux-policy-targeted-35.13-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
Note that this is a pretty harmless warning. fprintd/libfprint tries to configure the device to make suspend/resume work properly. But, for this to actually be useful, the lock screen would need to keep fingerprint authentication running while the laptop is suspended. And, I don't think we ever got to that point.
Hey Benjamin, it may be pretty harmless but it's still pretty annoying. Do you imply that this could be fixed by disabling this functionality in fprintd/libfprint? If it's not useful we might as well disable it, right? For me the easiest/fastest way to make this warning go away would be the best way. (But it should not be a workaround that each user has to find and apply on their own.)
To get temporarily rid of the warning I used this mount option: context=system_u:object_r:fusefs_t:s0 I basically give it the same settings as ntfs-3g. I am not sure if that is wise, but it works for me for two weeks now.
sorry, wrong post :(
I can't imagine that the required selinux policy changes are complicated. Considering how long we already have been shipping with this situation, I am not very inclined to work around it by disabling a good-to-have feature in libfprint. What I could offer though is trying to avoid the write in libfprint. i.e. read the attribute first, and only write() if we are actually changing the value. On F36, that would avoid the warnings already. Not on F35, as systemd doesn't handle turning off the persist feature yet. Really, it would be good to just get the policy updated.
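The approach described in the comment above (read the attribute first, and write only when the value would change), as an added C example; it is not the libfprint change itself. The function names, the stand-in file path and the sample values "1" and "0" are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum attr_result { ATTR_ERROR = -1, ATTR_UNCHANGED = 0, ATTR_WRITTEN = 1 };

/* Read a short text attribute into buf and strip the trailing newline. Returns 0 or -1. */
int read_attr(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    ssize_t n;
    int saved;

    if (fd < 0)
        return -1;
    n = read(fd, buf, len - 1);
    saved = errno;
    close(fd);
    if (n < 0) {
        errno = saved;
        return -1;
    }
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';
    return 0;
}

/*
 * Bring the attribute at `path` to `wanted`. The file is opened for writing
 * only when the current value differs, so a daemon whose policy allows reading
 * but not writing the attribute triggers no write check in the common case
 * where the value is already correct.
 */
enum attr_result set_attr_if_changed(const char *path, const char *wanted)
{
    char cur[64];
    size_t len = strlen(wanted);
    ssize_t n;
    int fd, saved;

    if (read_attr(path, cur, sizeof cur) < 0)
        return ATTR_ERROR;
    if (strcmp(cur, wanted) == 0)
        return ATTR_UNCHANGED;

    /* O_TRUNC only matters for the regular-file stand-in used in main(). */
    fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0)
        return ATTR_ERROR;          /* errno is EACCES when the write is denied */
    n = write(fd, wanted, len);
    saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)len ? ATTR_WRITTEN : ATTR_ERROR;
}

/* Create a regular file standing in for a sysfs attribute (constructed sample). */
int make_sample_attr(const char *path, const char *content)
{
    FILE *f = fopen(path, "w");

    if (!f)
        return -1;
    fputs(content, f);
    return fclose(f) == 0 ? 0 : -1;
}

int main(void)
{
    const char *path = "/tmp/persist.example";   /* stand-in, not a real sysfs path */

    if (make_sample_attr(path, "1\n") < 0)
        return 1;
    printf("want 1 -> %d (unchanged, never opened for writing)\n",
           set_attr_if_changed(path, "1"));
    printf("want 0 -> %d (written)\n", set_attr_if_changed(path, "0"));
    remove(path);
    return 0;
}
```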
Similar problem has been detected:

Simply happened on reboot, multiple times. I followed the recommended local fix but haven't yet determined if it fixes it:

sudo ausearch -c fprintd --raw | audit2allow -M my-fprintd
sudo semodule -X 300 -i my-fprintd.pp

hashmarkername: setroubleshoot
kernel: 5.16.9-200.fc35.x86_64
package: selinux-policy-targeted-35.15-1.fc35.noarch
reason: SELinux is preventing fprintd from 'write' accesses on the file persist.
type: libreport
Similar problem has been detected: At every System restart (maybe user login) in Gnome 41, FC35 hashmarkername: setroubleshoot kernel: 5.16.12-200.fc35.x86_64 package: selinux-policy-targeted-35.15-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the Datei persist. type: libreport
*** Bug 2064792 has been marked as a duplicate of this bug. ***
Similar problem has been detected: Ran `sudo -i` which accesses the finger print sensor for authentication. hashmarkername: setroubleshoot kernel: 5.16.15-201.fc35.x86_64 package: selinux-policy-targeted-35.15-1.fc35.noarch reason: SELinux is preventing fprintd from 'write' accesses on the file persist. type: libreport
(In reply to Benjamin Berg from comment #48)
> I can't imagine that the required selinux policy changes are complicated.
> Considering how long we already have been shipping with this situation, I am
> not very inclined to work around it by disabling a good-to-have feature in
> libfprint.
>
> What I could offer though is trying to avoid the write in libfprint. i.e.
> read the attribute first, and only write() if we are actually changing the
> value. On F36, that would avoid the warnings already. Not on F35, as systemd
> doesn't handle turning off the persist feature yet.
>
> Really, it would be good to just get the policy updated.

@bberg and other maintainers: I think the proposed solution here (read "persist" and "wakeup", and only write to them if the value needs to change) is the right way to go. I understand it won't make the noise go away until F36, but that's totally fine with me.

My only other thought is this: when libfprint actually does need to update the value of "persist" or "wakeup", is that actually a violation? I feel like it isn't. So if the right thing to do is to update the selinux policy, perhaps it is a waste of time to make the change in libfprint.

Regardless, seeing this fixed in the F36 timeline would be good.
Not writing the file is a micro-optimization that happens to work around the lack of an updated SELinux policy. At the end, I just submitted https://gitlab.freedesktop.org/libfprint/libfprint/-/merge_requests/353 upstream, because I don't want to deal with selinux policies. That'll probably make its way into F36 eventually.
*** Bug 2069876 has been marked as a duplicate of this bug. ***
*** Bug 2038702 has been marked as a duplicate of this bug. ***
FEDORA-2022-9681e66715 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9681e66715
FEDORA-2022-9681e66715 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-9681e66715` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9681e66715 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-9681e66715 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.