Bug 501365 - avc with fingerprint readers
avc with fingerprint readers
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
: 500872 (view as bug list)
Depends On:
Blocks: F11Blocker/F11FinalBlocker
  Show dependency treegraph
Reported: 2009-05-18 14:33 EDT by Jeremy Katz
Modified: 2009-05-20 17:02 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-05-20 17:02:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jeremy Katz 2009-05-18 14:33:44 EDT
Getting the following from setroubleshoot whenever the fingerprint reader pops up to authenticate
   SELinux is preventing fprintd (fprintd_t) "sys_ptrace" fprintd_t

Given that fingerprint enrollment is one of the features we've advertised with F11, we really don't want it to be giving SELinux errors every time, thus putting on the blocker list
Comment 1 Daniel Walsh 2009-05-18 14:43:51 EDT
allow fprintd_t self:capability sys_ptrace;
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-38.fc11.noarch
Comment 2 Paul W. Frields 2009-05-18 16:26:34 EDT
This is a dupe of bug 500872, but since it's on the blocker list I didn't want to close it as a dupe.
Comment 3 Jeremy Katz 2009-05-18 16:30:36 EDT
*** Bug 500872 has been marked as a duplicate of this bug. ***
Comment 4 Jeremy Katz 2009-05-18 16:35:58 EDT
Did the duping the other way.  Also, -38 failed to build so reopening
Comment 5 Daniel Walsh 2009-05-18 21:17:40 EDT
fingerd policy is a permissive domain,  So actually fingerd should not be blocked by SELinux at all.  If you look at the AVC you will see a success=yes, which means the sys_ptrace was not actually blocked.

-38 is built now.
Comment 6 Will Woods 2009-05-20 17:02:57 EDT
-39 has been tagged for F11 and should appear in tomorrow's Rawhide. I've tested and confirmed the fix.

Note You need to log in before you can comment on or make changes to this bug.