Red Hat Bugzilla – Bug 501365
avc with fingerprint readers
Last modified: 2009-05-20 17:02:57 EDT
Getting the following from setroubleshoot whenever the fingerprint reader pops up to authenticate:
SELinux is preventing fprintd (fprintd_t) "sys_ptrace" fprintd_t
Given that fingerprint enrollment is one of the features we've advertised with F11, we really don't want it to be giving SELinux errors every time, thus putting it on the blocker list.
allow fprintd_t self:capability sys_ptrace;
You can add these rules for now using:
# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Fixed in selinux-policy-3.6.12-38.fc11.noarch
This is a dupe of bug 500872, but since it's on the blocker list I didn't want to close it as a dupe.
*** Bug 500872 has been marked as a duplicate of this bug. ***
Did the duping the other way. Also, -38 failed to build, so reopening.
fingerd policy is a permissive domain, so actually fingerd should not be blocked by SELinux at all. If you look at the AVC you will see a success=yes, which means the sys_ptrace was not actually blocked.
-38 is built now.
-39 has been tagged for F11 and should appear in tomorrow's Rawhide. I've tested and confirmed the fix.