Description of problem:
SELinux is preventing /usr/libexec/fprintd from read access on the file /var/lib/sss/mc/passwd.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that fprintd should be allowed read access on the passwd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fprintd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sssd_var_lib_t:s0
Target Objects                /var/lib/sss/mc/passwd [ file ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          shanks.pnq.redhat.com
Source RPM Packages           fprintd-0.4.1-1.fc16.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-80.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     shanks.pnq.redhat.com
Platform                      Linux shanks.pnq.redhat.com 3.2.9-2.fc16.x86_64 #1 SMP Mon Mar 5 20:55:39 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    Fri 30 Mar 2012 03:52:00 AM IST
Last Seen                     Fri 30 Mar 2012 10:30:06 AM IST
Local ID                      9843ca8a-5875-41ff-955a-fbd4f0e206ab

Raw Audit Messages
type=AVC msg=audit(1333083606.141:159): avc: denied { read } for pid=3865 comm="fprintd" path="/var/lib/sss/mc/passwd" dev=sda3 ino=131501 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file

type=SYSCALL msg=audit(1333083606.141:159): arch=x86_64 syscall=execve success=yes exit=0 a0=1431950 a1=1431870 a2=1430010 a3=15 items=0 ppid=3864 pid=3865 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fprintd exe=/usr/libexec/fprintd subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)

Hash: fprintd,fprintd_t,sssd_var_lib_t,file,read

audit2allow

#============= fprintd_t ==============
allow fprintd_t sssd_var_lib_t:file read;

audit2allow -R

#============= fprintd_t ==============
allow fprintd_t sssd_var_lib_t:file read;

[root@shanks ~]#

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-80.fc16.noarch

How reproducible:

Steps to Reproduce:
1. See description
2.
3.

Actual results:

Expected results:

Additional info:
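The "Hash:" line and the audit2allow output in the report above are both derived mechanically from the AVC record. The following is an added example (not part of the bug report, and not audit2allow's own code) that parses AVC records in the same way: it pulls the permission set and the source/target types out of each "avc: denied" line, builds the comm,stype,ttype,tclass,perm key that setroubleshoot prints as the hash, and folds the denials into allow rules in audit2allow's format (writing "self" when source and target types match, as audit2allow does). The sample log is constructed from the AVC lines quoted in this bug, plus an abbreviated SYSCALL record and a kernel-syslog-wrapped line, so the parser is exercised on both raw audit.log framing and dmesg framing; the helper denials_under() is an assumption of this example and simply separates the file denials under /var/lib/sss/mc (which a relabel would address) from unrelated ones such as the socket denial.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the AVC records quoted in this bug, one abbreviated
# SYSCALL record and one kernel-syslog-wrapped AVC line (as seen via dmesg).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1333083606.141:159): avc: denied { read } for pid=3865 comm="fprintd" path="/var/lib/sss/mc/passwd" dev=sda3 ino=131501 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1333083606.141:159): arch=x86_64 syscall=execve success=yes exit=0 comm=fprintd exe=/usr/libexec/fprintd
type=AVC msg=audit(1336480562.282:284): avc: denied { read } for pid=15282 comm="tmpwatch" path="/var/lib/sss/mc/group" dev="dm-2" ino=3162172 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
Jun 28 20:30:56 localhost kernel: [  158.598018] type=1400 audit(1340904633.454:1524): avc: denied { create } for pid=1694 comm="fprintd" scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
"""

# The core of an AVC record: the braced permission set and the key=value tail.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either double-quoted or run until whitespace.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    comm: str
    perms: tuple
    scontext: str
    tcontext: str
    tclass: str
    path: str = ""          # empty for targets that have no path (sockets etc.)

    @staticmethod
    def _type_of(context):
        # A context is user:role:type[:range]; the type is the third field.
        return context.split(":")[2]

    @property
    def stype(self):
        return self._type_of(self.scontext)

    @property
    def ttype(self):
        return self._type_of(self.tcontext)

    @property
    def hash_key(self):
        # Same shape as setroubleshoot's "Hash:" line in the report.
        return ",".join([self.comm, self.stype, self.ttype, self.tclass, *self.perms])


def parse_avc_line(line):
    """Return an AvcDenial for one AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # Without all three context fields the record cannot be turned into a rule.
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return AvcDenial(
        comm=fields.get("comm", "?"),
        perms=tuple(m.group("perms").split()),
        scontext=fields["scontext"],
        tcontext=fields["tcontext"],
        tclass=fields["tclass"],
        path=fields.get("path", ""),
    )


def parse_audit_log(text):
    """All AVC denials in a log, in file order; non-AVC lines are skipped."""
    return [d for d in (parse_avc_line(l) for l in text.splitlines()) if d]


def allow_rules(denials):
    """Fold denials into audit2allow-style rules, one per (source, target, class)."""
    grouped = defaultdict(set)
    for d in denials:
        target = "self" if d.stype == d.ttype else d.ttype
        grouped[(d.stype, target, d.tclass)].update(d.perms)
    rules = []
    for (stype, target, tclass), perms in sorted(grouped.items()):
        ordered = sorted(perms)
        perm_str = ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return rules


def denials_under(denials, prefix):
    """Denials whose target path lies under `prefix` (hypothetical helper)."""
    return [d for d in denials if d.path.startswith(prefix)]


if __name__ == "__main__":
    found = parse_audit_log(SAMPLE_AUDIT_LOG)
    for d in found:
        print(f"{d.hash_key}  path={d.path or '-'}")
    print("#============= generated =============")
    print("\n".join(allow_rules(found)))
```

Feeding the real audit.log through this reproduces what the catchall plugin proposes; the thread that follows shows why that is only a stopgap, since the proper fix was a policy update (and, for the file denials, a relabel of /var/lib/sss/mc) rather than a local module granting fprintd_t read on sssd_var_lib_t.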
Fixed in selinux-policy-3.10.0-82.fc16

You can allow it for now using
$ chcon -R -t sssd_public_t /var/lib/sss/mc
selinux-policy-3.10.0-84.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-84.fc16
selinux-policy-3.10.0-84.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
I'm still having this issue with selinux-policy-3.10.0-118.fc17.noarch

type=AVC msg=audit(1336480562.282:284): avc: denied { read } for pid=15282 comm="tmpwatch" path="/var/lib/sss/mc/group" dev="dm-2" ino=3162172 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_public_t:s0 tclass=file
Steven, is this something we should allow? Do we want to allow tmpreaper to read/delete sssd_public_t content?
(In reply to comment #5)
> Steven, is this something we should allow? Do we want to allow tmpreaper to
> read/delete sssd_public_t content?

I think it needs to be able to read it or else it cannot use the SSSD in-memory cache to look up group and user data on files. I assume it must be doing so internally. I'll confess I don't know exactly what it's doing, only that it's trying to read our memory cache which only happens through our libnss_sss.so.2 plugin for glibc. It should have READ permission. Delete should be reserved by SSSD processes.
Ok. Strange, up until now tmpwatch/tmpreaper have not had the ability to use the getpw calls other than reading /etc/passwd. Seems we need to fix policy to allow it.

Anyways, you are reporting an F17 bug on an F16 system.

Fixed in selinux-policy-3.10.0-123.fc17

Probably needs to be back ported to F16
selinux-policy-3.10.0-89.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-89.fc16
Package selinux-policy-3.10.0-89.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-89.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-9507/selinux-policy-3.10.0-89.fc16
then log in and leave karma (feedback).
selinux-policy-3.10.0-89.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
I've updated selinux-policy to 3.10.0-89.fc16.noarch and I still have a lot of messages like this one in syslog:

Jun 28 20:30:56 localhost kernel: [  158.598018] type=1400 audit(1340904633.454:1524): avc: denied { create } for pid=1694 comm="fprintd" scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
That is a different AVC. Looks like fprintd is trying to send a syslog message?
If you set
# semanage permissive -a fprintd_t
and re-test, are you getting more AVCs?
# ausearch -m avc -ts recent