Bug 300811 - pam_console needs permission to set the owner of /dev/input/uinput for fingerprint readers to work
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
Ben Levenson
Blocks: 246107
Reported: 2007-09-21 13:05 EDT by Mike Bonnet
Modified: 2008-01-30 14:05 EST (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:05:51 EST

Attachments
Here's a selinux policy module that fixed the problem for me. Though if you added a new file context for /dev/input/uinput, that would probably be better. (218 bytes, text/plain)
2007-09-21 13:05 EDT, Mike Bonnet

Description Mike Bonnet 2007-09-21 13:05:49 EDT
Description of problem:
pam_console needs to set the ownership of /dev/input/uinput to the currently
logged-in user on the console for fingerprint readers (as supported by the
thinkfinger package) to be able to operate correctly from a user session (so the
fingerprint reader can be used to unlock a locked screen, for example).  This
requirement will go away when ACL support is moved from hal to udev, but until
then this is the only way to have a working fingerprint reader.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-42.fc7

How reproducible:
always

Steps to Reproduce:
1. install thinkfinger on a machine with a fingerprint reader
2. reboot
3. log in to X

Actual results:
- see this AVC in the logs:
type=AVC msg=audit(1190154617.728:17): avc:  denied  { getattr } for  pid=2739
comm="pam_console_app" name="uinput" dev=tmpfs ino=6754
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
- /dev/input/uinput still owned

Expected results:
- no AVC
- /dev/input/uinput owned by the logged-in user

Additional info:
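The AVC record above is the evidence the whole thread turns on: the source type is pam_console_t, the target is a chr_file still carrying the generic device_t label, and the denied permission is getattr. As an added example (not part of the bug report, of pam_console or of Fedora's own tooling), here is a small Python parser that pulls those fields out of an audit line, flags the denial as the mislabelled-device pattern, and prints the relabel commands an administrator would run (the semanage call from comment 2 followed by restorecon). The sample line is the report's AVC re-joined onto one line; mislabelled_device, suggest_fix, GENERIC_DEVICE_TYPES and the choice of event_device_t as the replacement type are this example's own.

```python
"""Pull the fields out of an SELinux AVC record and flag the mislabelled-device
pattern.  Added example; the sample record is the one from this bug report,
re-joined onto a single line as the audit daemon writes it."""
import re
from dataclasses import dataclass, field

# Constructed sample: the AVC quoted in the report, as one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1190154617.728:17): avc:  denied  { getattr } for  pid=2739 '
    'comm="pam_console_app" name="uinput" dev=tmpfs ino=6754 '
    'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file'
)

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
_HEAD = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
                   r'\s+for\s+(?P<rest>.*)')
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Types that mean "nothing more specific was assigned" (example's own list); a
# denial against one of these on a device node usually means a missing
# file-context rule rather than a missing allow rule.
GENERIC_DEVICE_TYPES = {"device_t"}


@dataclass
class Avc:
    verdict: str
    perms: list
    fields: dict = field(default_factory=dict)

    @property
    def source_type(self):           # third field of user:role:type:level
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self):
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line):
    """Return an Avc for an AVC record, or None for any other audit line."""
    m = _HEAD.search(line)
    if not m:
        return None
    fields = {}
    for key, value, unquoted in _KV.findall(m.group("rest")):
        fields[key] = unquoted if value.startswith('"') else value
    return Avc(m.group("verdict"), m.group("perms").split(), fields)


def mislabelled_device(avc):
    """True when a denial hits a device node still carrying a generic type."""
    return (avc.verdict == "denied"
            and avc.fields.get("tclass") in ("chr_file", "blk_file")
            and avc.target_type in GENERIC_DEVICE_TYPES)


def suggest_fix(avc, path, new_type):
    """Commands an administrator would run to give `path` a persistent label:
    comment 2's semanage call, then restorecon to apply it to the live node.
    Returned as strings only; nothing is executed."""
    return [f"semanage fcontext -a -t {new_type} {path}",
            f"restorecon -v {path}"]


if __name__ == "__main__":
    avc = parse_avc(SAMPLE_AVC)
    print(f"{avc.source_type} -> {avc.target_type} ({avc.fields['tclass']}): "
          f"{avc.verdict} {avc.perms}")
    if mislabelled_device(avc):
        # event_device_t is the type comment 6 argues for; the choice is this example's.
        print("\n".join(suggest_fix(avc, "/dev/input/uinput", "event_device_t")))
```

Running the script on the sample prints the pam_console_t to device_t edge and the two relabel commands. The useful check for a reader is the target type: when it is the generic device_t on a /dev node, a new allow rule for the source domain would be the wrong fix, since it would let the domain touch every unlabelled device.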
Comment 1 Mike Bonnet 2007-09-21 13:05:49 EDT
Created attachment 202611 [details]
Here's a selinux policy module that fixed the problem for me.  Though if you added a new file context for /dev/input/uinput, that would probably be better.
Comment 2 Daniel Walsh 2007-09-21 14:36:45 EDT
A better way to do this would be to set the file context

semanage fcontext -a -t scanner_device_t /dev/input/uinput

Fixed in selinux-policy-2.6.4-43.fc7.src.rpm
Comment 3 Mike Bonnet 2007-09-21 14:56:06 EDT
Note that /dev/input/uinput isn't really a scanner, and it's not specific to
fingerprint readers.  It's created by the uinput.ko kernel module, and is an
interface to allow userspace to interact with the kernel input layer.  It's used
to synthesize keyboard and mouse input programmatically.  So there may be a
better context to use than scanner_device_t.

That being said, whatever works. :)
Comment 4 Daniel Walsh 2007-09-21 16:26:09 EDT
This is how we currently have /dev/input defined.

/dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/uimput	-c	gen_context(system_u:object_r:scanner_device_t,s0)

So we can create another device or if you know of an existing device that it
matches, we can change it to this.
Comment 5 Daniel Walsh 2007-09-21 16:27:10 EDT
mouse_device_t?
Comment 6 Mike Bonnet 2007-09-21 16:44:21 EDT
Of the existing types, I'd say event_device_t is probably the best fit, because
it can be used to generate keyboard, mouse, tablet, etc. events.

Also, looks like there's a typo in the path, it's /dev/input/uinput
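Comment 6 puts its finger on why the first fix did nothing: file-context patterns are regular expressions matched against the whole path, so the entry for /dev/input/uimput can never match the real node, which therefore keeps the broad device_t label that shows up as the tcontext in the AVC. As an added example (not code from the bug, from pam_console or from the selinux-policy package), here is a small matcher run over the five entries quoted in comment 4, kept verbatim with the typo, and over a corrected copy that uses event_device_t. parse_entries, matches and label_for are this example's own; the device_t result when nothing matches stands in for the policy's broader /dev catch-all entry, which the bug does not quote, and which entry libselinux prefers when several match is not modelled beyond a simple last-match rule.

```python
"""Match a device path against file_contexts-style entries.  Added example: the
entries are the five quoted in comment 4 (typo kept) plus a corrected copy."""
import re

# Constructed sample: comment 4's list, verbatim, in .fc source form.
FILE_CONTEXTS_WITH_TYPO = """\
/dev/input/.*mouse.*\t-c\tgen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/event.*\t-c\tgen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice\t\t-c\tgen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.*\t\t-c\tgen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/uimput\t-c\tgen_context(system_u:object_r:scanner_device_t,s0)
"""

# Same list with the path spelled correctly and the type comment 6 argues for.
FILE_CONTEXTS_FIXED = FILE_CONTEXTS_WITH_TYPO.replace(
    "/dev/input/uimput\t-c\tgen_context(system_u:object_r:scanner_device_t,s0)",
    "/dev/input/uinput\t-c\tgen_context(system_u:object_r:event_device_t,s0)")

# <regex> [<file-type flag>] gen_context(<user:role:type>,<mls>)
_ENTRY = re.compile(r'^(?P<regex>\S+)\s+(?:(?P<ftype>-[bcdlps-])\s+)?'
                    r'gen_context\((?P<ctx>[^,]+),(?P<mls>[^)]+)\)$')

# file-type flag -> object class the entry is restricted to
FTYPE = {"-b": "blk_file", "-c": "chr_file", "-d": "dir", "-l": "lnk_file",
         "-p": "fifo_file", "-s": "sock_file", "--": "file"}


def parse_entries(text):
    """Parse .fc-style lines into dicts carrying a compiled regex."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        entries.append({
            "pattern": m["regex"],
            "regex": re.compile(m["regex"]),
            "ftype": FTYPE.get(m["ftype"], "any"),   # no flag: any object class
            "type": m["ctx"].split(":")[2],          # the type part of the context
        })
    return entries


def matches(entries, path, tclass="chr_file"):
    """Every entry whose regex matches the whole of `path` (file_contexts
    patterns are anchored at both ends) and whose file-type flag, if present,
    agrees with `tclass`."""
    return [e for e in entries
            if e["ftype"] in ("any", tclass) and e["regex"].fullmatch(path)]


def label_for(entries, path, tclass="chr_file"):
    """Type the node would receive.  Assumptions of this example: the last
    matching entry wins, and device_t stands in for the /dev catch-all that the
    bug does not quote when nothing in the list matches."""
    hits = matches(entries, path, tclass)
    return hits[-1]["type"] if hits else "device_t"


if __name__ == "__main__":
    for name, text in (("as quoted", FILE_CONTEXTS_WITH_TYPO),
                       ("corrected", FILE_CONTEXTS_FIXED)):
        entries = parse_entries(text)
        hits = [e["pattern"] for e in matches(entries, "/dev/input/uinput")]
        print(f"{name}: /dev/input/uinput -> {label_for(entries, '/dev/input/uinput')}"
              f" (matching patterns: {hits or 'none'})")
```

With the list as quoted, no pattern matches and the node stays device_t, which is exactly what the AVC in the report shows; with the corrected line, the single hit is event_device_t. The same check is what restorecon -n -v would report on a live system once the corrected policy is installed.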
Comment 7 Julian Sikorski 2007-09-22 05:24:30 EDT
Hmm, it is not fixed in the release mentioned. Judging from the changelogs,
looks like the fix made its way to the rawhide selinux only.
Comment 8 Daniel Walsh 2007-09-24 14:41:52 EDT
Fixed in selinux-policy-2.6.4-44.fc7.src.rpm
Comment 9 Julian Sikorski 2007-09-24 15:06:47 EDT
That fixes the problem, thanks. Would it be possible to push this update along
with thinkfinger? If not, I'll just wait.
Comment 10 Daniel Walsh 2008-01-30 14:05:51 EST
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.
