Description of problem:
When I use the finger print reader with sudo, I see the following
# ls -lZ /proc/self/fd
lr-x------ root root staff_u:unconfined_r:unconfined_t:s0 0 -> /dev/pts/0
lrwx------ root root staff_u:unconfined_r:unconfined_t:s0 1 -> /dev/pts/0
lrwx------ root root staff_u:unconfined_r:unconfined_t:s0 2 -> /dev/pts/0
lr-x------ root root staff_u:unconfined_r:unconfined_t:s0 3 -> /proc/19270/fd
lr-x------ root root staff_u:unconfined_r:unconfined_t:s0 4 -> pipe:[890982]
l-wx------ root root staff_u:unconfined_r:unconfined_t:s0 5 -> pipe:[890982]
If I remove the finger print reader and become root I see
# ls -lZ /proc/self/fd
lr-x------ root root staff_u:unconfined_r:unconfined_t:s0 0 -> /dev/pts/0
lrwx------ root root staff_u:unconfined_r:unconfined_t:s0 1 -> /dev/pts/0
lrwx------ root root staff_u:unconfined_r:unconfined_t:s0 2 -> /dev/pts/0
lr-x------ root root staff_u:unconfined_r:unconfined_t:s0 3 -> /proc/19942/fd
This is causing avc messes when running with confined users in SELinux
# aud
#============= consoletype_t ==============
allow consoletype_t staff_sudo_t:fifo_file { write read };
#============= httpd_t ==============
allow httpd_t staff_sudo_t:fifo_file { write read };
This is a potential security problem depending on whether access to this fifo_file should be denied. And it is a damn nuisance for SELinux. The fifo_file should be closed on exec
fcntl(fd, F_SETFD, FD_CLOEXEC)
Not sure if this is a bug in pam_fprint or libfprint or libusb.
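
Added example, not part of the original report and not code from pam_fprint, libfprint or libusb: a small C check for the condition described above, showing that both ends of a plain pipe() are inherited across exec and that the fcntl(fd, F_SETFD, FD_CLOEXEC) fix removes them. The helper names and the constructed pipe scenario are assumptions made for illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd is open and would be inherited across exec (no FD_CLOEXEC). */
int fd_leaks_on_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return 0;                       /* EBADF: fd is not open */
    return (flags & FD_CLOEXEC) == 0;
}

/* Set FD_CLOEXEC, keeping any other descriptor flags. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Constructed scenario: a helper pipe like the pipe:[...] pair in the
 * report. Returns how many of its two ends would leak; harden=1 applies
 * the fix first. Returns -1 on error. */
int pipe_leak_count(int harden)
{
    int p[2], n = -1;
    if (pipe(p) == -1)
        return -1;
    if (!harden || (set_cloexec(p[0]) == 0 && set_cloexec(p[1]) == 0))
        n = fd_leaks_on_exec(p[0]) + fd_leaks_on_exec(p[1]);
    close(p[0]);
    close(p[1]);
    return n;
}

int main(void)
{
    printf("plain pipe: %d of 2 ends leak\n", pipe_leak_count(0));
    printf("with FD_CLOEXEC: %d of 2 ends leak\n", pipe_leak_count(1));
    for (int fd = 3; fd < 256; fd++)    /* audit what this process inherited */
        if (fd_leaks_on_exec(fd))
            printf("fd %d would survive exec\n", fd);
    return 0;
}
```

In a multithreaded program, another thread can fork and exec between pipe() and the fcntl() call; on Linux, pipe2() with O_CLOEXEC sets the flag atomically at creation.
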
libusb seems to be at fault here from the first POV. It is possibly caused by bug #273901 and the "openat" patch. Please try these packages: http://koji.fedoraproject.org/koji/taskinfo?taskID=993823 We are sure the leak originates from there if these packages don't leak any descriptors. I will fix it as soon as you confirm to me the leak is gone with the new packages.
Tried it but it did not fix the problem.
# rpm -q libusb
libusb-0.1.12-21.fc10.x86_64
# ls -lZ /proc/self/fd
lr-x------ root root staff_u:unconfined_r:unconfined_t:s0 0 -> /dev/pts/4
lrwx------ root root staff_u:unconfined_r:unconfined_t:s0 1 -> /dev/pts/4
lrwx------ root root staff_u:unconfined_r:unconfined_t:s0 2 -> /dev/pts/4
lr-x------ root root staff_u:unconfined_r:unconfined_t:s0 3 -> /proc/29662/fd
lr-x------ root root staff_u:unconfined_r:unconfined_t:s0 4 -> pipe:[1015128]
l-wx------ root root staff_u:unconfined_r:unconfined_t:s0 5 -> pipe:[1015128]
Do you use pam_fprint, or pam_fprintd? I plugged a few leaks in pam_fprintd. pam_fprint is dead in rawhide. If you use pam_fprint, please use pam_fprintd (there's support for it in authconfig), otherwise please try: http://koji.fedoraproject.org/koji/taskinfo?taskID=1003496
Ok I will switch to this product and try it out, if it has problems I will open a new bug. Of course I can not check fprintd on Rawhide yet...
# fprintd-enroll
Using device /net/reactivated/Fprint/Device/0
Enrolling right index finger.
** ERROR **: EnrollStart failed: net.reactivated.fprint.device.enroll no <-- (action, result)
aborting...
Trace/breakpoint trap
It doesn't crash, it aborts on purpose. You need to be at the console, and you probably need to restart your machine, as PolicyKit (and likely D-Bus) won't notice new configuration files when installed. Let me know if it still happens when your machine's been restarted. You can also use the "About me" preference to enroll your fingerprints.
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
No answer for > 6 months, closing.
Bastien,
Can we re-open this? I am seeing the same error with Fedora 11:
# fprintd-enroll
Using device /net/reactivated/Fprint/Device/0
Enrolling right index finger.
** ERROR **: EnrollStart failed: net.reactivated.fprint.device.enroll no <-- (action, result)
aborting...
Aborted
when I first become root and then try to enroll root. Be happy to give you whatever info you need.
(In reply to comment #8)
> Bastien,
>
> Can we re-open this? I am seeing the same error with Fedora 11:
>
> # fprintd-enroll
> Using device /net/reactivated/Fprint/Device/0
> Enrolling right index finger.
>
> ** ERROR **: EnrollStart failed: net.reactivated.fprint.device.enroll no <--
> (action, result)
> aborting...
> Aborted
>
> when I first become root and then try to enroll root. Be happy to give you
> whatever info you need.
That's unrelated. The original problem with the SELinux denial is fixed.