Bug 301961 - selinux-policy breaks thinkfinger console and gdm login
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-22 21:22 EDT by Stuart Jansen
Modified: 2008-01-30 14:19 EST
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 14:19:29 EST
Attachments:
audit.log extract after switching to permissive and attempting fingerprint login (8.40 KB, text/plain), 2007-09-27 08:57 EDT, Stuart Jansen

Description Stuart Jansen 2007-09-22 21:22:34 EDT
Description of problem:
gdm and login need access to /dev/input/uinput in order to use fingerprint based
authentication with the pam_thinkfinger.so module.

Version-Release number of selected component (if applicable):
# rpm -q thinkfinger
thinkfinger-0.3-3.fc8
# rpm -q selinux-policy
selinux-policy-3.0.8-8.fc8

How reproducible:
always

Steps to Reproduce:
1. install thinkfinger on a machine with a fingerprint reader
2. reboot
3. attempt to log in to gdm or on the console


Actual results:

Summary
    SELinux is preventing /usr/sbin/gdm-binary (xdm_t) "write" access to device
    uinput.

Raw Audit Messages            

avc: denied { write } for comm=gdm-binary dev=tmpfs egid=0 euid=0 exe=/usr/sbin
/gdm-binary exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=uinput pid=3498
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

Summary
    SELinux is preventing /bin/login (local_login_t) "write" access to device
    uinput.

Raw Audit Messages            

avc: denied { write } for comm=login dev=tmpfs egid=0 euid=0 exe=/bin/login
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=uinput pid=2909
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=tty2 uid=0



Expected results:

Fingerprint based login like in Fedora 7.


Additional info:

/var/log/secure after adding debug flag to pam_thinkfinger:

Sep 22 18:13:59 simplicity gdm-binary[3498]: pam_thinkfinger(gdm:auth):
pam_sm_authenticate called.
Sep 22 18:14:02 simplicity gdm-binary[3498]: pam_thinkfinger(gdm:auth):
Initializing uinput failed: No such file or directory.
Sep 22 18:14:02 simplicity gdm-binary[3498]: pam_thinkfinger(gdm:auth):
pam_sm_authenticate returning '9': Authentication service cannot retrieve
authentication info.
Sep 22 18:14:16 simplicity login: pam_thinkfinger(login:auth):
pam_sm_authenticate called.
Sep 22 18:14:16 simplicity login: pam_thinkfinger(login:auth): Initializing
uinput failed: No such file or directory.
Sep 22 18:14:16 simplicity login: pam_thinkfinger(login:auth):
pam_sm_authenticate returning '9': Authentication service cannot retrieve
authentication info.

Comment 1 Daniel Walsh 2007-09-24 13:51:13 EDT
Fixed in selinux-policy-3.0.8-10.fc8

Comment 2 Stuart Jansen 2007-09-25 21:33:17 EDT
Doesn't look like it:

# rpm -q selinux-policy
selinux-policy-3.0.8-11.fc8

/var/log/secure
Sep 25 19:22:39 simplicity gdm-binary[3135]: pam_thinkfinger(gdm:auth):
pam_sm_authenticate called.
Sep 25 19:24:19 simplicity gdm-binary[3135]: pam_thinkfinger(gdm:auth):
Initializing uinput failed: No such file or directory.
Sep 25 19:24:19 simplicity gdm-binary[3135]: pam_thinkfinger(gdm:auth):
pam_sm_authenticate returning '9': Authentication service cannot retrieve
authentication info.

Sep 25 19:24:36 simplicity login: pam_thinkfinger(login:auth):
pam_sm_authenticate called.
Sep 25 19:24:36 simplicity login: pam_thinkfinger(login:auth): Initializing
uinput failed: No such file or directory.
Sep 25 19:24:36 simplicity login: pam_thinkfinger(login:auth):
pam_sm_authenticate returning '9': Authentication service cannot retrieve
authentication info.


/var/log/messages
Sep 25 19:24:22 simplicity setroubleshoot: #012    SELinux is preventing
/usr/sbin/gdm-binary (xdm_t) "write" to uinput (event_device_t).#012     For
complete SELinux messages. run sealert -l c023447d-1ba0-401c-b66a-da25e6ae897b
Sep 25 19:24:29 simplicity setroubleshoot: #012    SELinux is preventing
/bin/login (local_login_t) "write" to uinput (event_device_t).#012     For
complete SELinux messages. run sealert -l 4313664a-78fd-493a-8595-38bf43f83b49

Comment 3 Daniel Walsh 2007-09-26 09:39:49 EDT
Could you run in permissive mode and gather all of the avc messages?

Comment 4 Daniel Walsh 2007-09-26 09:43:07 EDT
Adding dev_rw_input_dev(xdm_t)


Fixed in selinux-policy-3.0.8-14.fc8.src.rpm

Comment 5 Stuart Jansen 2007-09-27 08:57:15 EDT
Created attachment 208401
audit.log extract after switching to permissive and attempting fingerprint login

Comment 6 Stuart Jansen 2007-09-27 08:58:18 EDT
After yum updating, I made sure a relabel would occur and rebooted. Until I
switched to permissive mode, I still couldn't log in using the fingerprint reader.

# getenforce
Permissive
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.8-14.fc8
# ls -Z /dev/input/uinput
crw-------  sjansen root system_u:object_r:event_device_t:s0 /dev/input/uinput
# ps -eZ | grep gdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 2996 ?  00:00:00 gdm-binary
system_u:system_r:xdm_t:s0-s0:c0.c1023 3060 ?  00:00:00 gdm-binary


Sep 27 06:37:14 simplicity kernel: input: Virtual ThinkFinger Keyboard as
/class/input/input10
Sep 27 06:37:16 simplicity setroubleshoot: #012    SELinux is preventing
gdm-binary (xdm_t) "read write" to <Unknown> (usb_device_t).#012     For
complete SELinux messages. run sealert -l c143adba-5492-469e-a44b-b6e45e4026db
Sep 27 06:37:16 simplicity setroubleshoot: #012    SELinux is preventing
gdm-binary (xdm_t) "read" to <Unknown> (usb_device_t).#012     For complete
SELinux messages. run sealert -l d009e276-d130-4585-9ca0-b43c918461ef


Sep 27 06:38:06 simplicity kernel: input: Virtual ThinkFinger Keyboard as
/class/input/input12
Sep 27 06:38:08 simplicity setroubleshoot: #012    SELinux is preventing
/bin/login (local_login_t) "write" to <Unknown> (event_device_t).#012     For
complete SELinux messages. run sealert -l 69a7599c-c6b1-4233-8546-2e61ca9312a4
Sep 27 06:38:08 simplicity setroubleshoot: #012    SELinux is preventing
/bin/login (local_login_t) "ioctl" to /dev/input/uinput (event_device_t).#012  
  For complete SELinux messages. run sealert -l bd8c0143-0433-43d8-bea1-4227f11ef8b0
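
An added example, not part of the original report or of any SELinux tooling: a small Python parser that groups AVC denials like the ones in this bug by source domain, target type and class, so each denied access is reviewed once. The sample records are rejoined from the description or constructed from the comment 6 summaries, and treating `device_t` as a hint to check labeling is an assumption of this example.

```python
import re
from collections import defaultdict

SAMPLE = [
    # From the description above, rejoined and trimmed to the fields parsed here.
    "avc: denied { write } for comm=gdm-binary scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 "
    "tclass=chr_file tcontext=system_u:object_r:device_t:s0",
    "avc: denied { write } for comm=login scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 "
    "tclass=chr_file tcontext=system_u:object_r:device_t:s0",
    # Constructed raw records mirroring the setroubleshoot summaries in comment 6.
    "avc: denied { write } for comm=login scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 "
    "tclass=chr_file tcontext=system_u:object_r:event_device_t:s0",
    "avc: denied { ioctl } for comm=login scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 "
    "tclass=chr_file tcontext=system_u:object_r:event_device_t:s0",
]
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
GENERIC_TYPES = {"device_t"}  # assumption: generic /dev label, suggests a labeling gap

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    try:
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        return source, target, fields["tclass"], set(m.group(1).split())
    except (KeyError, IndexError):
        return None  # truncated record: skip rather than guess

def summarize(lines):
    """Merge permissions per (source, target, class) so each pair is reviewed once."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        merged[rec[:3]] |= rec[3]
    return {key: sorted(perms) for key, perms in merged.items()}

def review(lines):
    """One line per denied access; generic target types are flagged for a label check."""
    out = []
    for (src, tgt, cls), perms in sorted(summarize(lines).items()):
        flag = "  <- check device labeling first" if tgt in GENERIC_TYPES else ""
        out.append(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}{flag}")
    return out

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```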

Comment 7 Stuart Jansen 2007-09-27 10:10:43 EDT
If it helps, here's how I set up my fingerprint reader:
http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader_with_ThinkFinger

Comment 8 Stuart Jansen 2007-10-04 01:01:15 EDT
login and gdm are working again! All other programs appear to still be working
correctly.

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.8-16.fc8

Comment 9 Daniel Walsh 2008-01-30 14:19:29 EST
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.
