Description of problem:
When the thinkfinger package is used to support fingerprint readers, several programs need additional permissions. So far I encountered pam_console_apply and gdm. Here are the AVCs:

avc: denied { getattr } for comm=pam_console_app dev=tmpfs egid=500 euid=0 exe=/sbin/pam_console_apply exit=-13 fsgid=500 fsuid=0 gid=500 items=0 path=/dev/input/uinput pid=5439 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500 subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=chr_file tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0

and

avc: denied { write } for comm=gdm-binary dev=tmpfs name=uinput pid=2425 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=chr_file tcontext=system_u:object_r:device_t:s0

/dev/input/uinput is the device of the fingerprint reader, or at least the device to read the data from. Maybe this means /dev/input/uinput should get a new label. Allowing these programs to access all device_t objects seems to be too relaxed. Maybe create uintput_device_t.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-8.fc8.noarch

How reproducible:
always

Steps to Reproduce:
1. install F8t2
2. install thinkfinger on appropriate laptop
3. boot and login

Actual results:
above AVCs

Expected results:
No AVCs and working check-in via the fingerprint reader.

Additional info:
Fixed in selinux-policy-3.0.8-10
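
The triage reasoning in the report (two different domains denied on the same device node, which carries the generic device_t label) can be automated. This is an added example, not part of the original report or of the selinux-policy project; the `GENERIC_TYPES` set and the function names are assumptions, and the log is the report's two AVC records trimmed to the fields used.

```python
import re
from collections import defaultdict

# The two AVC records from the report, trimmed to the fields used below.
AVC_LOG = """\
avc: denied { getattr } for comm=pam_console_app exe=/sbin/pam_console_apply path=/dev/input/uinput pid=5439 scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 tclass=chr_file tcontext=system_u:object_r:device_t:s0
avc: denied { write } for comm=gdm-binary dev=tmpfs name=uinput pid=2425 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=chr_file tcontext=system_u:object_r:device_t:s0
"""

# Assumption: labels treated as generic fallbacks for this triage.
GENERIC_TYPES = {"device_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None if unusable."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    if not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:mls-range]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log):
    """Group denials per target object and flag generically labelled ones."""
    groups = defaultdict(lambda: {"sources": set(), "perms": set()})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        # path= is a full path, name= only the last component: normalise.
        obj = (rec.get("path") or rec.get("name", "?")).rsplit("/", 1)[-1]
        g = groups[(rec["target_type"], rec["tclass"], obj)]
        g["sources"].add(rec["source_type"])
        g["perms"].update(rec["perms"])
    return [{"target_type": t, "tclass": c, "object": o,
             "sources": sorted(g["sources"]), "perms": sorted(g["perms"]),
             # A generic label suggests a dedicated type for the object,
             # not an allow rule covering every object with that label.
             "relabel_candidate": t in GENERIC_TYPES}
            for (t, c, o), g in groups.items()]

if __name__ == "__main__":
    for finding in triage(AVC_LOG):
        print(finding)
```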