Bug 501365 - avc with fingerprint readers
Summary: avc with fingerprint readers
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Duplicates: 500872
Blocks: F11Blocker, F11FinalBlocker
Reported: 2009-05-18 18:33 UTC by Jeremy Katz
Modified: 2009-05-20 21:02 UTC

Doc Type: Bug Fix
Last Closed: 2009-05-20 21:02:57 UTC
Type: ---

Description Jeremy Katz 2009-05-18 18:33:44 UTC
Getting the following from setroubleshoot whenever the fingerprint reader pops up to authenticate:
   SELinux is preventing fprintd (fprintd_t) "sys_ptrace" fprintd_t

Given that fingerprint enrollment is one of the features we've advertised with F11, we really don't want it to be giving SELinux errors every time, thus putting it on the blocker list.

Comment 1 Daniel Walsh 2009-05-18 18:43:51 UTC
allow fprintd_t self:capability sys_ptrace;
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.12-38.fc11.noarch

Comment 2 Paul W. Frields 2009-05-18 20:26:34 UTC
This is a dupe of bug 500872, but since it's on the blocker list I didn't want to close it as a dupe.

Comment 3 Jeremy Katz 2009-05-18 20:30:36 UTC
*** Bug 500872 has been marked as a duplicate of this bug. ***

Comment 4 Jeremy Katz 2009-05-18 20:35:58 UTC
Did the duping the other way. Also, -38 failed to build, so reopening.

Comment 5 Daniel Walsh 2009-05-19 01:17:40 UTC
fingerd policy is a permissive domain, so actually fingerd should not be blocked by SELinux at all. If you look at the AVC you will see a success=yes, which means the sys_ptrace was not actually blocked.

-38 is built now.
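
An added example, not part of the original bug report: a small Python parser that pairs each AVC record with the SYSCALL record of the same audit event and applies the check described in Comment 5 (success=yes means the access was logged but not blocked). The log lines are constructed samples, and the permissive= field it also honors is an assumption about newer kernels, not something shown in this report.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the bug report). Event 45 mimics the
# permissive-domain case discussed above; event 46 is an enforced denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1242671624.123:45): avc:  denied  { sys_ptrace } for  pid=2301 comm="fprintd" capability=19 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:fprintd_t:s0 tclass=capability
type=SYSCALL msg=audit(1242671624.123:45): arch=c000003e syscall=2 success=yes exit=5 pid=2301 comm="fprintd" subj=system_u:system_r:fprintd_t:s0
type=AVC msg=audit(1242671630.500:46): avc:  denied  { read } for  pid=2400 comm="exampled" name="secret" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1242671630.500:46): arch=c000003e syscall=2 success=no exit=-13 pid=2400 comm="exampled" subj=system_u:system_r:example_t:s0
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")
AVC_RE = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=(\S+).*?tclass=(\S+)")
FIELD_RE = re.compile(r"\b(success|permissive)=(\w+)")


def classify_avcs(log_text):
    """Return one dict per AVC denial, marked as blocked or merely logged."""
    events = defaultdict(dict)  # audit event id -> {record type: body}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            events[event_id][rtype] = body  # simplification: one record per type

    results = []
    for event_id, records in events.items():
        avc = AVC_RE.search(records.get("AVC", ""))
        if not avc:
            continue
        perms, scontext, tclass = avc.groups()
        fields = dict(FIELD_RE.findall(records["AVC"] + " " + records.get("SYSCALL", "")))
        if "permissive" in fields:      # newer kernels state it in the AVC record
            blocked = fields["permissive"] == "0"
        elif "success" in fields:       # otherwise use the paired SYSCALL record
            blocked = fields["success"] != "yes"
        else:
            blocked = None              # no paired record: cannot tell
        results.append({"event": event_id, "domain": scontext.split(":")[2],
                        "perms": perms.split(), "tclass": tclass, "blocked": blocked})
    return results


if __name__ == "__main__":
    for r in classify_avcs(SAMPLE_LOG):
        state = {True: "BLOCKED", False: "logged only", None: "unknown"}[r["blocked"]]
        print(r["event"], r["domain"], r["perms"], r["tclass"], state)
```

Denials that come back as "logged only" still deserve a policy fix, since they turn into real blocks once the domain is made enforcing.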

Comment 6 Will Woods 2009-05-20 21:02:57 UTC
-39 has been tagged for F11 and should appear in tomorrow's Rawhide. I've tested and confirmed the fix.

