Bug 300811 - pam_console needs permission to set the owner of /dev/input/uinput for fingerprint readers to work
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 7
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 246107
Reported: 2007-09-21 17:05 UTC by Mike Bonnet
Modified: 2008-01-30 19:05 UTC

Fixed In Version: Current
Clone Of:
Environment:
Last Closed: 2008-01-30 19:05:51 UTC
Type: ---
Embargoed:


Attachments
Here's a selinux policy module that fixed the problem for me. Though if you added a new file context for /dev/input/uinput, that would probably be better. (218 bytes, text/plain)
2007-09-21 17:05 UTC, Mike Bonnet

Description Mike Bonnet 2007-09-21 17:05:49 UTC
Description of problem:
pam_console needs to set the ownership of /dev/input/uinput to the currently
logged-in user on the console for fingerprint readers (as supported by the
thinkfinger package) to be able to operate correctly from a user session (so the
fingerprint reader can be used to unlock a locked screen, for example).  This
requirement will go away when ACL support is moved from hal to udev, but until
then this is the only way to have a working fingerprint reader.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.6.4-42.fc7

How reproducible:
always

Steps to Reproduce:
1. install thinkfinger on a machine with a fingerprint reader
2. reboot
3. log in to X

Actual results:
- see this AVC in the logs:
type=AVC msg=audit(1190154617.728:17): avc:  denied  { getattr } for  pid=2739
comm="pam_console_app" name="uinput" dev=tmpfs ino=6754
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=chr_file
- /dev/input/uinput still owned

Expected results:
- no AVC
- /dev/input/uinput owned by the logged-in user

Additional info:

Comment 1 Mike Bonnet 2007-09-21 17:05:49 UTC
Created attachment 202611 [details]
Here's a selinux policy module that fixed the problem for me.  Though if you added a new file context for /dev/input/uinput, that would probably be better.

Comment 2 Daniel Walsh 2007-09-21 18:36:45 UTC
A better way to do this would be to set the file context

semanage fcontext -a -t scanner_device_t /dev/input/uinput

Fixed in selinux-policy-2.6.4-43.fc7.src.rpm

Comment 3 Mike Bonnet 2007-09-21 18:56:06 UTC
Note that /dev/input/uinput isn't really a scanner, and it's not specific to
fingerprint readers.  It's created by the uinput.ko kernel module, and is an
interface to allow userspace to interact with the kernel input layer.  It's used
to synthesize keyboard and mouse input programmatically.  So there may be a
better context to use than scanner_device_t.

That being said, whatever works. :)


Comment 4 Daniel Walsh 2007-09-21 20:26:09 UTC
This is how we currently have /dev/input defined.

/dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/uimput	-c	gen_context(system_u:object_r:scanner_device_t,s0)

So we can create another device or if you know of an existing device that it
matches, we can change it to this.

Comment 5 Daniel Walsh 2007-09-21 20:27:10 UTC
mouse_device_t?

Comment 6 Mike Bonnet 2007-09-21 20:44:21 UTC
Of the existing types, I'd say event_device_t is probably the best fit, because
it can be used to generate keyboard, mouse, tablet, etc. events.

Also, looks like there's a typo in the path, it's /dev/input/uinput
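As an added example (not part of the bug report or of selinux-policy), a small Python matcher that applies the file_contexts entries quoted in comment 4 to a device path and parses the AVC record from the description: with the "uimput" typo that comment 6 points out, /dev/input/uinput matches no entry and stays device_t, which is exactly the tcontext in the denial. The last-match-wins rule and the device_t default are assumptions of this toy matcher, not a reimplementation of libselinux.

```python
import re

# Constructed copies of the file_contexts entries quoted in comment 4 (typo
# included) and of the AVC record from the report; neither is live system data.
FILE_CONTEXTS = """\
/dev/input/.*mouse.*	-c	gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/event.*	-c	gen_context(system_u:object_r:event_device_t,s0)
/dev/input/mice		-c	gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/js.*		-c	gen_context(system_u:object_r:mouse_device_t,s0)
/dev/input/uimput	-c	gen_context(system_u:object_r:scanner_device_t,s0)
"""
AVC = ('type=AVC msg=audit(1190154617.728:17): avc:  denied  { getattr } for  '
       'pid=2739 comm="pam_console_app" name="uinput" dev=tmpfs ino=6754 '
       'scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:device_t:s0 tclass=chr_file')
DEFAULT_TYPE = "device_t"  # assumed: what a /dev node keeps when no entry matches
ENTRY_RE = re.compile(r"^(\S+)\s+(-\S)?\s*gen_context\(([^,]+),\S+\)$")

def parse_file_contexts(text):
    """(anchored regex, file-type flag, SELinux type) for each entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            path_re, flag, ctx = m.groups()
            entries.append((re.compile(path_re + "$"), flag, ctx.split(":")[2]))
    return entries

def label_for(path, entries, default=DEFAULT_TYPE):
    """Type a path receives; this toy matcher assumes the last matching entry wins."""
    chosen = default
    for regex, _flag, stype in entries:
        if regex.match(path):
            chosen = stype
    return chosen

def parse_avc(record):
    """Extract the fields a policy author reasons about from one AVC line."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    return {"perms": re.search(r"\{\s*(.*?)\s*\}", record).group(1).split(),
            "source_type": fields["scontext"].split(":")[2],
            "target_type": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"], "name": fields["name"].strip('"')}

def needs_relabel(path, record, fc_text):
    """True when the AVC's target is still the unmatched default type, i.e.
    the right fix is a file-context entry for the path, not an allow rule."""
    avc = parse_avc(record)
    return avc["target_type"] == label_for(path, parse_file_contexts(fc_text)) == DEFAULT_TYPE
```

Correcting the path in the quoted table (or adding the `semanage fcontext` entry from comment 2) makes `needs_relabel` return False, because the path then picks up a real device type instead of device_t.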


Comment 7 Julian Sikorski 2007-09-22 09:24:30 UTC
Hmm, it is not fixed in the release mentioned. Judging from the changelogs,
looks like the fix made its way to the rawhide selinux only.

Comment 8 Daniel Walsh 2007-09-24 18:41:52 UTC
Fixed in selinux-policy-2.6.4-44.fc7.src.rpm

Comment 9 Julian Sikorski 2007-09-24 19:06:47 UTC
That fixes the problem, thanks. Would it be possible to push this update along
with thinkfinger? If not, I'll just wait.

Comment 10 Daniel Walsh 2008-01-30 19:05:51 UTC
Bulk closing old selinux policy bugs that were in the modified state.  If the
bug is still not fixed, please reopen.

