I have my normal user account configured to use fprintd with my laptop's UPEK scanner for authentication. If I Switch User to a second account, exit that session, return to my first login session's screensaver, and authenticate with the fingerprint scanner, my session comes back properly but I get an AVC error.

Steps to Reproduce:
1. Configure Acct1 to use fprintd for auth
2. Switch User to Acct2
3. Logout from Acct2 session
4. Authenticate through screensaver using fprintd
5. See error through sealert

--- Alert copy from sealert follows ---

Summary:

SELinux is preventing fprintd (fprintd_t) "sys_ptrace" fprintd_t.

Detailed Description:

SELinux denied access requested by fprintd. It is not expected that this access is required by fprintd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           fprintd-0.1-9.git04fd09cfa.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-34.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.29.3-140.fc11.x86_64 #1 SMP Tue May 12 10:44:27 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 14 May 2009 11:35:29 AM EDT
Last Seen                     Thu 14 May 2009 11:35:29 AM EDT
Local ID                      5edf5044-d694-46c7-a23f-b135df3ec7e9
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1242315329.434:25): avc: denied { sys_ptrace } for pid=5698 comm="fprintd" capability=19 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=capability

node=localhost.localdomain type=SYSCALL msg=audit(1242315329.434:25): arch=c000003e syscall=0 success=yes exit=245 a0=9 a1=7fff07728910 a2=1000 a3=1000 items=0 ppid=1 pid=5698 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)

Fixed in selinux-policy-3.6.12-37.fc11.noarch
*** This bug has been marked as a duplicate of bug 501365 ***