Bug 757404 - SELinux is preventing /usr/libexec/fprintd from 'read' accesses on the plik /proc/<pid>/cmdline.
Summary: SELinux is preventing /usr/libexec/fprintd from 'read' accesses on the plik /...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:16ac8f17ede...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-11-26 20:49 UTC by Maciej Kaczmarek
Modified: 2012-02-26 00:52 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.9.16-50.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-17 20:26:10 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Maciej Kaczmarek 2011-11-26 20:49:56 UTC 
SELinux is preventing /usr/libexec/fprintd from 'read' accesses on the plik /proc/<pid>/cmdline.

*****  Plugin catchall (100. confidence) suggests  ***************************

If aby fprintd powinno mieć domyślnie read dostęp do cmdline file.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Do
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# grep fprintd /var/log/audit/audit.log | audit2allow -M moja_polityka
# semodule -i moja_polityka.pp

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                /proc/<pid>/cmdline [ file ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Nieznane>
Host                          (removed)
Source RPM Packages           fprintd-0.2.0-3.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-35.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.3-0.fc15.x86_64 #1 SMP Tue Aug
                              16 04:10:59 UTC 2011 x86_64 x86_64
Alert Count                   19
First Seen                    czw, 25 sie 2011, 06:30:21
Last Seen                     nie, 4 wrz 2011, 22:07:36
Local ID                      bfffda5f-fadd-4174-920f-027e17d9010e

Raw Audit Messages
type=AVC msg=audit(1315166856.294:276): avc:  denied  { read } for  pid=9849 comm="fprintd" path="/proc/9565/cmdline" dev=proc ino=291270 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=file


type=SYSCALL msg=audit(1315166856.294:276): arch=x86_64 syscall=execve success=yes exit=0 a0=1629780 a1=16296a0 a2=1628010 a3=0 items=0 ppid=9848 pid=9849 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)

Hash: fprintd,fprintd_t,xdm_t,file,read

audit2allow

#============= fprintd_t ==============
allow fprintd_t xdm_t:file read;

audit2allow -R

#============= fprintd_t ==============
allow fprintd_t xdm_t:file read;
Comment 1 Miroslav Grepl 2011-11-28 11:40:12 UTC 
This is a leak file descriptor. Which display manager do you use?
Comment 2 Maciej Kaczmarek 2011-11-28 15:37:42 UTC 
Hello!

I use Gnome version 3.0.1 with gnome-shell.


Maciej
Comment 3 Daniel Walsh 2011-11-29 03:16:45 UTC 
I believe this is part of the dbus protocol and I have allowed it in

b3392c8e5ed77eecff4bfd3d53e66ca7b5a9f41c
Comment 4 Miroslav Grepl 2011-11-29 08:51:37 UTC 
Ok, the fix is added to F16 and F15.
Comment 5 Fedora Update System 2011-12-14 13:40:38 UTC 
selinux-policy-3.9.16-50.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-50.fc15
Comment 6 Fedora Update System 2011-12-14 23:30:27 UTC 
Package selinux-policy-3.9.16-50.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-50.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17089/selinux-policy-3.9.16-50.fc15
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2012-01-17 20:26:10 UTC 
selinux-policy-3.9.16-50.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Tony Browning 2012-02-18 03:19:23 UTC 
This evidently requires a mirror. Evidently I'm out of mirrors after I added Arora web browser. Are there any such thing as installing mirrors or fetching mirrors from somewhere? Because I tried installing this update testing but it keeps reading: Trying other mirror. Wonder how I ran out of mirrors anyways? I just have Firefox and Arora.
Comment 9 Tony Browning 2012-02-18 03:21:41 UTC 
[root@toshiba tonybrowning]# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-50.fc15'
Loaded plugins: langpacks, presto, refresh-packagekit
updates-testing/metalink                                 | 8.2 kB     00:00     
updates-testing                                          | 4.5 kB     00:00     
http://mirror.itc.virginia.edu/fedora/updates/testing/16/i386/repodata/01cd634d8601afe972a5dc88f017a6c564b438acb3fc1c9063fd9c6a5f8c8b57-primary.sqlite.bz2: [Errno 12] Timeout on http://mirror.itc.virginia.edu/fedora/updates/testing/16/i386/repodata/01cd634d8601afe972a5dc88f017a6c564b438acb3fc1c9063fd9c6a5f8c8b57-primary.sqlite.bz2: (28, '')
Trying other mirror.
http://mirror.pnl.gov/fedora/linux/updates/testing/16/i386/repodata/01cd634d8601afe972a5dc88f017a6c564b438acb3fc1c9063fd9c6a5f8c8b57-primary.sqlite.bz2: [Errno 12] Timeout on http://mirror.pnl.gov/fedora/linux/updates/testing/16/i386/repodata/01cd634d8601afe972a5dc88f017a6c564b438acb3fc1c9063fd9c6a5f8c8b57-primary.sqlite.bz2: (28, '')
Trying other mirror.
updates-testing/primary_db                               | 867 kB     02:28     
updates-testing/group_gz                                 | 431 kB     01:31     
Setting up Update Process
No Match for argument: selinux-policy-3.9.16-50.fc15
No package selinux-policy-3.9.16-50.fc15 available.
No Packages marked for Update
[root@toshiba tonybrowning]#
Comment 10 Tony Browning 2012-02-26 00:52:07 UTC 
Fixed-For-Me. Thanks.
Note You need to log in before you can comment on or make changes to this bug.