Bug 500872 - AVC from fprintd on return from switched user login
Summary: AVC from fprintd on return from switched user login
Keywords:
Status: CLOSED DUPLICATE of bug 501365
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-05-14 15:51 UTC by Paul W. Frields
Modified: 2009-05-18 20:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-05-18 20:30:36 UTC
Type: ---
Embargoed:



Description Paul W. Frields 2009-05-14 15:51:25 UTC
I have my normal user account configured to use fprintd with my laptop's UPEK scanner for authentication.  If I Switch User to a second account, exit that session, return to my first login session's screensaver, and authenticate with the fingerprint scanner, my session comes back properly but I get an AVC error.

Steps to Reproduce:
1.  Configure Acct1 to use fprintd for auth
2.  Switch User to Acct2
3.  Logout from Acct2 session
4.  Authenticate through screensaver using fprintd
5.  See error through sealert
  
--- Alert copy from sealert follows ---

Summary:

SELinux is preventing fprintd (fprintd_t) "sys_ptrace" fprintd_t.

Detailed Description:

SELinux denied access requested by fprintd. It is not expected that this access
is required by fprintd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           fprintd-0.1-9.git04fd09cfa.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-34.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.29.3-140.fc11.x86_64 #1 SMP Tue May 12
                              10:44:27 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 14 May 2009 11:35:29 AM EDT
Last Seen                     Thu 14 May 2009 11:35:29 AM EDT
Local ID                      5edf5044-d694-46c7-a23f-b135df3ec7e9
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1242315329.434:25): avc:  denied  { sys_ptrace } for  pid=5698 comm="fprintd" capability=19 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=capability

node=localhost.localdomain type=SYSCALL msg=audit(1242315329.434:25): arch=c000003e syscall=0 success=yes exit=245 a0=9 a1=7fff07728910 a2=1000 a3=1000 items=0 ppid=1 pid=5698 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
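As an added worked example (not part of the bug report, of fprintd, or of the selinux-policy package), the Python below decodes the two raw audit records quoted above the way a practitioner would before deciding whether to trust a generated local module: it maps the numeric capability to its name, checks that it agrees with the permission in the braces, derives the allow rule audit2allow would emit, and reads the SYSCALL record for the process facts that matter (arch, syscall, exit status, parent, login uid). The module name "localfprintd" and the partial syscall table are assumptions for illustration only.

```python
"""Decode an SELinux capability AVC and its SYSCALL record (added example)."""
import re

# The two raw audit records exactly as quoted in the report above.
AVC_LINE = (
    'node=localhost.localdomain type=AVC msg=audit(1242315329.434:25): '
    'avc:  denied  { sys_ptrace } for  pid=5698 comm="fprintd" capability=19 '
    'scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=capability'
)
SYSCALL_LINE = (
    'node=localhost.localdomain type=SYSCALL msg=audit(1242315329.434:25): '
    'arch=c000003e syscall=0 success=yes exit=245 a0=9 a1=7fff07728910 '
    'a2=1000 a3=1000 items=0 ppid=1 pid=5698 auid=4294967295 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 '
    'comm="fprintd" exe="/usr/libexec/fprintd" '
    'subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)'
)

# Linux capability numbers (include/linux/capability.h); 19 is CAP_SYS_PTRACE.
CAPABILITY_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
}
AUDIT_ARCH = {"c000003e": "x86_64", "40000003": "i386"}
# Partial x86_64 syscall table (assumption: only the numbers needed here).
X86_64_SYSCALLS = {0: "read", 1: "write", 2: "open", 3: "close", 101: "ptrace"}
UNSET_ID = 4294967295  # (unsigned)-1: no login uid / audit session recorded

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Turn a run of key=value / key="quoted value" pairs into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}


def type_of(context):
    """The type component of a user:role:type[:range] SELinux context."""
    return context.split(":")[2]


def parse_avc(line):
    m = re.search(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$', line)
    if not m:
        raise ValueError("not an AVC record")
    decision, perms, rest = m.groups()
    f = parse_fields(rest)
    avc = {"decision": decision, "perms": perms.split(), "pid": int(f["pid"]),
           "comm": f["comm"], "scontext": f["scontext"],
           "tcontext": f["tcontext"], "tclass": f["tclass"]}
    if "capability" in f:  # only present for tclass=capability denials
        avc["capability"] = int(f["capability"])
    return avc


def capability_consistent(avc):
    """True when the numeric capability matches the permission name logged,
    so a hand-written rule cannot grant the wrong capability."""
    return CAPABILITY_NAMES.get(avc.get("capability")) == avc["perms"][0]


def parse_syscall(line):
    f = parse_fields(line.split("): ", 1)[1])
    arch = AUDIT_ARCH.get(f["arch"], f["arch"])
    nr = int(f["syscall"])
    return {"arch": arch, "nr": nr,
            "name": X86_64_SYSCALLS.get(nr) if arch == "x86_64" else None,
            "success": f["success"] == "yes", "exit": int(f["exit"]),
            "a0": int(f["a0"], 16), "items": int(f["items"]),
            "ppid": int(f["ppid"]), "auid_set": int(f["auid"]) != UNSET_ID,
            "exe": f["exe"]}


def allow_rule(avc):
    """The TE rule audit2allow derives: same source and target context => self."""
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    target = "self" if avc["scontext"] == avc["tcontext"] else tgt
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return f"allow {src} {target}:{avc['tclass']} {perm_text};"


def policy_module(avc, name="localfprintd"):
    """A minimal .te in the shape of `audit2allow -M` output (name is assumed)."""
    types = sorted({type_of(avc["scontext"]), type_of(avc["tcontext"])})
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines.append(f"\tclass {avc['tclass']} {{ {' '.join(avc['perms'])} }};")
    lines += ["}", "", allow_rule(avc), ""]
    return "\n".join(lines)


if __name__ == "__main__":
    avc, sc = parse_avc(AVC_LINE), parse_syscall(SYSCALL_LINE)
    print("capability name matches permission:", capability_consistent(avc))
    print("%s() on fd %d returned %d, success=%s, ppid=%d, loginuid set=%s"
          % (sc["name"], sc["a0"], sc["exit"], sc["success"], sc["ppid"],
             sc["auid_set"]))
    print(policy_module(avc))
```

What the decode shows for this report: capability 19 is CAP_SYS_PTRACE and agrees with the `{ sys_ptrace }` in the denial; the rule a local module would carry is `allow fprintd_t self:capability sys_ptrace;`; the SYSCALL record is a read() on fd 9 that returned 245 bytes with success=yes, so the logged denial did not make the operation fail, and with items=0 the record does not say which file fd 9 was (the example does not guess). The daemon has ppid=1 and an unset loginuid, i.e. it is the system-started service, not something spawned from the user session. Two caveats before installing such a module with `audit2allow -M localfprintd` and `semodule -i localfprintd.pp`: sys_ptrace is a broad capability to hand a daemon that handles authentication, and Comment 1 below reports the fix shipped in selinux-policy-3.6.12-37, so updating the policy package is the better remedy than a local allow rule.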

Comment 1 Daniel Walsh 2009-05-14 17:43:19 UTC
Fixed in selinux-policy-3.6.12-37.fc11.noarch

Comment 2 Jeremy Katz 2009-05-18 20:30:36 UTC

*** This bug has been marked as a duplicate of bug 501365 ***

