Bug 730163 - SELinux is preventing /usr/libexec/fprintd from 'getattr' accesses on the unix_stream_socket unix_stream_socket.
Summary: SELinux is preventing /usr/libexec/fprintd from 'getattr' accesses on the uni...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: i386
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:8c981ded912...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-12 00:45 UTC by Frantisek Hanzlik
Modified: 2011-10-06 00:02 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.9.16-39.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-06 00:02:08 UTC


Attachments (Terms of Use)

Description Frantisek Hanzlik 2011-08-12 00:45:48 UTC
SELinux is preventing /usr/libexec/fprintd from 'getattr' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that fprintd should be allowed getattr access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fprintd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:init_t:s0
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           fprintd-0.2.0-3.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40-4.fc15.i686.PAE #1
                              SMP Fri Jul 29 18:47:58 UTC 2011 i686 i686
Alert Count                   17
First Seen                    Po 8. srpen 2011, 21:40:05 CEST
Last Seen                     Pá 12. srpen 2011, 02:41:21 CEST
Local ID                      e5104a07-61ac-4fb0-8732-1b9fdb6df821

Raw Audit Messages
type=AVC msg=audit(1313109681.843:163): avc:  denied  { getattr } for  pid=3621 comm="fprintd" path="socket:[17652]" dev=sockfs ino=17652 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket


type=SYSCALL msg=audit(1313109681.843:163): arch=i386 syscall=fstat64 success=yes exit=0 a0=1 a1=bffe1964 a2=4a877ff4 a3=4a878500 items=0 ppid=3620 pid=3621 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)

Hash: fprintd,fprintd_t,init_t,unix_stream_socket,getattr

audit2allow

#============= fprintd_t ==============
allow fprintd_t init_t:unix_stream_socket getattr;

audit2allow -R

#============= fprintd_t ==============
allow fprintd_t init_t:unix_stream_socket getattr;

Comment 1 Daniel Walsh 2011-08-12 10:57:14 UTC
Any idea of what you were doing when this happened?

Comment 2 Frantisek Hanzlik 2011-08-12 12:02:37 UTC
This attempt is triggered always when I login into system (xfce DE), or when some command over sudo is entered.

At roughly same time are logged similar events:

Aug 12 02:41:21 (null) (null): audit(1313109681.838:162): avc: denied { read write } for pid=3621 comm=fprintd path="socket:[17652]" ino=17652 dev=sockfs scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket 


Aug 12 02:41:51 (null) (null): audit(1313109711.959:173): avc: denied { write } for pid=3621 comm=fprintd path="socket:[17652]" ino=17652 dev=sockfs scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket 

System is desktop PC without fingerprint sensor, thus there is no need for fprintd and uninstalling that package probably solve things. But on system with fingerprint reader it isn't acceptable solution.

Comment 3 Daniel Walsh 2011-08-15 12:12:45 UTC
I dont audited these in F16.

Comment 4 Miroslav Grepl 2011-08-22 07:23:36 UTC
Fixed in F15.

Comment 5 Fedora Update System 2011-09-08 08:11:41 UTC
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15

Comment 6 Fedora Update System 2011-09-09 05:27:56 UTC
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2011-10-06 00:02:08 UTC
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.