Bug 500872 - AVC from fprintd on return from switched user login
AVC from fprintd on return from switched user login
Status: CLOSED DUPLICATE of bug 501365
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2009-05-14 11:51 EDT by Paul W. Frields
Modified: 2009-05-18 16:30 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-05-18 16:30:36 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Paul W. Frields 2009-05-14 11:51:25 EDT
I have my normal user account configured to use fprintd with my laptop's UPEK scanner for authentication.  If I Switch User to a second account, exit that session, return to my first login session's screensaver, and authenticate with the fingerprint scanner, my session comes back properly but I get an AVC error.

Steps to Reproduce:
1.  Configure Acct1 to use fprintd for auth
2.  Switch User to Acct2
3.  Logout from Acct2 session
4.  Authenticate through screensaver using fprintd
5.  See error through sealert
--- Alert copy from sealert follows ---


SELinux is preventing fprintd (fprintd_t) "sys_ptrace" fprintd_t.

Detailed Description:

SELinux denied access requested by fprintd. It is not expected that this access
is required by fprintd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           fprintd-0.1-9.git04fd09cfa.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-34.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                     #1 SMP Tue May 12
                              10:44:27 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 14 May 2009 11:35:29 AM EDT
Last Seen                     Thu 14 May 2009 11:35:29 AM EDT
Local ID                      5edf5044-d694-46c7-a23f-b135df3ec7e9
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1242315329.434:25): avc:  denied  { sys_ptrace } for  pid=5698 comm="fprintd" capability=19 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=capability

node=localhost.localdomain type=SYSCALL msg=audit(1242315329.434:25): arch=c000003e syscall=0 success=yes exit=245 a0=9 a1=7fff07728910 a2=1000 a3=1000 items=0 ppid=1 pid=5698 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-05-14 13:43:19 EDT
Fixed in selinux-policy-3.6.12-37.fc11.noarch
Comment 2 Jeremy Katz 2009-05-18 16:30:36 EDT

*** This bug has been marked as a duplicate of bug 501365 ***

Note You need to log in before you can comment on or make changes to this bug.