Bug 301961 - selinux-policy breaks thinkfinger console and gdm login
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All Linux
low
low
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2007-09-23 01:22 UTC by Stuart Jansen
Modified: 2008-01-30 19:19 UTC (History)

Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2008-01-30 19:19:29 UTC

Attachments
audit.log extract after switching to permissive and attempting fingerprint login (8.40 KB, text/plain)
2007-09-27 12:57 UTC, Stuart Jansen

Description Stuart Jansen 2007-09-23 01:22:34 UTC
Description of problem:
gdm and login need access to /dev/input/uinput in order to use fingerprint based
authentication with the pam_thinkfinger.so module.

Version-Release number of selected component (if applicable):
# rpm -q thinkfinger
thinkfinger-0.3-3.fc8
# rpm -q selinux-policy
selinux-policy-3.0.8-8.fc8

How reproducible:
always

Steps to Reproduce:
1. install thinkfinger on a machine with a fingerprint reader
2. reboot
3. attempt to log in to gdm or on the console


Actual results:

Summary
    SELinux is preventing /usr/sbin/gdm-binary (xdm_t) "write" access to device
    uinput.

Raw Audit Messages            

avc: denied { write } for comm=gdm-binary dev=tmpfs egid=0 euid=0 exe=/usr/sbin
/gdm-binary exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=uinput pid=3498
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

Summary
    SELinux is preventing /bin/login (local_login_t) "write" access to device
    uinput.

Raw Audit Messages            

avc: denied { write } for comm=login dev=tmpfs egid=0 euid=0 exe=/bin/login
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=uinput pid=2909
scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 sgid=0
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=tty2 uid=0



Expected results:

Fingerprint based login like in Fedora 7.


Additional info:

/var/log/secure after adding debug flag to pam_thinkfinger:

Sep 22 18:13:59 simplicity gdm-binary[3498]: pam_thinkfinger(gdm:auth):
pam_sm_authenticate called.
Sep 22 18:14:02 simplicity gdm-binary[3498]: pam_thinkfinger(gdm:auth):
Initializing uinput failed: No such file or directory.
Sep 22 18:14:02 simplicity gdm-binary[3498]: pam_thinkfinger(gdm:auth):
pam_sm_authenticate returning '9': Authentication service cannot retrieve
authentication info.
Sep 22 18:14:16 simplicity login: pam_thinkfinger(login:auth):
pam_sm_authenticate called.
Sep 22 18:14:16 simplicity login: pam_thinkfinger(login:auth): Initializing
uinput failed: No such file or directory.
Sep 22 18:14:16 simplicity login: pam_thinkfinger(login:auth):
pam_sm_authenticate returning '9': Authentication service cannot retrieve
authentication info.

Comment 1 Daniel Walsh 2007-09-24 17:51:13 UTC
Fixed in selinux-policy-3.0.8-10.fc8

Comment 2 Stuart Jansen 2007-09-26 01:33:17 UTC
Doesn't look like it:

# rpm -q selinux-policy
selinux-policy-3.0.8-11.fc8

/var/log/secure
Sep 25 19:22:39 simplicity gdm-binary[3135]: pam_thinkfinger(gdm:auth):
pam_sm_authenticate called.
Sep 25 19:24:19 simplicity gdm-binary[3135]: pam_thinkfinger(gdm:auth):
Initializing uinput failed: No such file or directory.
Sep 25 19:24:19 simplicity gdm-binary[3135]: pam_thinkfinger(gdm:auth):
pam_sm_authenticate returning '9': Authentication service cannot retrieve
authentication info.

Sep 25 19:24:36 simplicity login: pam_thinkfinger(login:auth):
pam_sm_authenticate called.
Sep 25 19:24:36 simplicity login: pam_thinkfinger(login:auth): Initializing
uinput failed: No such file or directory.
Sep 25 19:24:36 simplicity login: pam_thinkfinger(login:auth):
pam_sm_authenticate returning '9': Authentication service cannot retrieve
authentication info.


/var/log/messages
Sep 25 19:24:22 simplicity setroubleshoot: #012    SELinux is preventing
/usr/sbin/gdm-binary (xdm_t) "write" to uinput (event_device_t).#012     For
complete SELinux messages. run sealert -l c023447d-1ba0-401c-b66a-da25e6ae897b
Sep 25 19:24:29 simplicity setroubleshoot: #012    SELinux is preventing
/bin/login (local_login_t) "write" to uinput (event_device_t).#012     For
complete SELinux messages. run sealert -l 4313664a-78fd-493a-8595-38bf43f83b49


Comment 3 Daniel Walsh 2007-09-26 13:39:49 UTC
Could you run in permissive mode and gather all of the avc messages?



Comment 4 Daniel Walsh 2007-09-26 13:43:07 UTC
Adding dev_rw_input_dev(xdm_t)


Fixed in selinux-policy-3.0.8-14.fc8.src.rpm


Comment 5 Stuart Jansen 2007-09-27 12:57:15 UTC
Created attachment 208401
audit.log extract after switching to permissive and attempting fingerprint login

Comment 6 Stuart Jansen 2007-09-27 12:58:18 UTC
After yum updating, I made sure a relabel would occur and rebooted. Until I
switched to permissive mode, I still couldn't login using the fingerprint reader.

# getenforce
Permissive
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.8-14.fc8
# ls -Z /dev/input/uinput
crw-------  sjansen root system_u:object_r:event_device_t:s0 /dev/input/uinput
# ps -eZ | grep gdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 2996 ?  00:00:00 gdm-binary
system_u:system_r:xdm_t:s0-s0:c0.c1023 3060 ?  00:00:00 gdm-binary


Sep 27 06:37:14 simplicity kernel: input: Virtual ThinkFinger Keyboard as
/class/input/input10
Sep 27 06:37:16 simplicity setroubleshoot: #012    SELinux is preventing
gdm-binary (xdm_t) "read write" to <Unknown> (usb_device_t).#012     For
complete SELinux messages. run sealert -l c143adba-5492-469e-a44b-b6e45e4026db
Sep 27 06:37:16 simplicity setroubleshoot: #012    SELinux is preventing
gdm-binary (xdm_t) "read" to <Unknown> (usb_device_t).#012     For complete
SELinux messages. run sealert -l d009e276-d130-4585-9ca0-b43c918461ef


Sep 27 06:38:06 simplicity kernel: input: Virtual ThinkFinger Keyboard as
/class/input/input12
Sep 27 06:38:08 simplicity setroubleshoot: #012    SELinux is preventing
/bin/login (local_login_t) "write" to <Unknown> (event_device_t).#012     For
complete SELinux messages. run sealert -l 69a7599c-c6b1-4233-8546-2e61ca9312a4
Sep 27 06:38:08 simplicity setroubleshoot: #012    SELinux is preventing
/bin/login (local_login_t) "ioctl" to /dev/input/uinput (event_device_t).#012  
  For complete SELinux messages. run sealert -l bd8c0143-0433-43d8-bea1-4227f11ef8b0

Comment 7 Stuart Jansen 2007-09-27 14:10:43 UTC
If it helps, here's how I set up my fingerprint reader:
http://www.thinkwiki.org/wiki/How_to_enable_the_fingerprint_reader_with_ThinkFinger

Comment 8 Stuart Jansen 2007-10-04 05:01:15 UTC
login and gdm are working again! All other programs appear to still be working
correctly.

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.0.8-16.fc8


Comment 9 Daniel Walsh 2008-01-30 19:19:29 UTC
Bulk closing all bugs in Fedora updates in the modified state.  If your bug is
not fixed, please reopen.

