Bug 304321 - thinkfinger integration requires changes
thinkfinger integration requires changes
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-09-24 20:33 EDT by Ulrich Drepper
Modified: 2007-11-30 17:12 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-09-25 08:47:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Ulrich Drepper 2007-09-24 20:33:32 EDT
Description of problem:
Wjen the thinkfinger package is used to support fingerprint readers several
programs need additional permissions.  So far I encountered pam_console_apply
and gdm.  Here are the AVCs:

avc: denied { getattr } for comm=pam_console_app dev=tmpfs egid=500 euid=0
exe=/sbin/pam_console_apply exit=-13 fsgid=500 fsuid=0 gid=500 items=0
path=/dev/input/uinput pid=5439
scontext=system_u:system_r:pam_console_t:s0-s0:c0.c1023 sgid=500
subj=system_u:system_r:pam_console_t:s0-s0:c0.c1023 suid=0 tclass=chr_file
tcontext=system_u:object_r:device_t:s0 tty=(none) uid=0 


avc: denied { write } for comm=gdm-binary dev=tmpfs name=uinput pid=2425
scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=chr_file

/dev/input/uinput is the device of the fingerprint reader, or at least the
device to read the data from.  Maybe this means /dev/input/uinput should get a
new label.  Allowing these programs to access all device_t objects seems to be
to relaxed.  Maybe create uintput_device_t.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.install F8t2
2.install thinkfinger on appropriate laptop
3.boot and login
Actual results:
above AVCs

Expected results:
No AVCs and working check-in via the fingerprint reader.

Additional info:
Comment 1 Daniel Walsh 2007-09-25 08:47:49 EDT
Fixed in selinux-policy-3.0.8-10

Note You need to log in before you can comment on or make changes to this bug.