SELinux and fprintd



RightOn
31st May 2009, 12:42 PM
Hi, I installed the fprintd packages and everything would be working fine if it wasn't for this SELinux problem:


Summary:

SELinux is preventing fprintd (fprintd_t) "read" proc_t.

Detailed Description:

SELinux denied access requested by fprintd. It is not expected that this access
is required by fprintd and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:fprintd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:proc_t:s0
Target Objects                meminfo [ file ]
Source                        fprintd
Source Path                   /usr/libexec/fprintd
Port                          <Unknown>
Host                          f10alx.localdomain
Source RPM Packages           fprintd-0.1-9.git04fd09cfa.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     f10alx.localdomain
Platform                      Linux f10alx.localdomain 2.6.29.4-167.fc11.x86_64
                              #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   14
First Seen                    Sat 30 May 2009 12:25:05 PM WEST
Last Seen                     Sun 31 May 2009 12:23:04 PM WEST
Local ID                      70344fc0-48bd-44e6-99e6-c4d41b4f8cfe
Line Numbers

Raw Audit Messages

node=f10alx.localdomain type=AVC msg=audit(1243768984.94:145): avc: denied { read } for pid=2032 comm="fprintd" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

node=f10alx.localdomain type=AVC msg=audit(1243768984.94:145): avc: denied { open } for pid=2032 comm="fprintd" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file

node=f10alx.localdomain type=SYSCALL msg=audit(1243768984.94:145): arch=c000003e syscall=2 success=yes exit=10 a0=3380f33ce4 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=2032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)



Has anyone faced the same problem? Could you explain to me how I could create a policy to override this?
I already tried setting fprintd process to permissive in SELinux but it keeps returning the same error.

regards,
Alexandre.

RahulSundaram
31st May 2009, 06:29 PM
Hi,

Make sure you have all the updates and if it doesn't fix the issue, file a bug report

http://bugz.fedoraproject.org/fprintd

RightOn
1st June 2009, 11:13 AM
I'm filing a bug report now, thanks.
Alx
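
The raw audit records in the first post already show which rule a local policy module would have to add. The following Python script is an added example, not part of the thread and not the code of any SELinux tool: it parses those three records, groups the denied permissions by source type, target type and object class, renders the resulting allow rule for review, and flags audit events whose syscall succeeded despite the denial. The function names are this example's own.

```python
import re
from collections import defaultdict

# The three raw audit records from the first post, copied verbatim.
SAMPLE = """\
node=f10alx.localdomain type=AVC msg=audit(1243768984.94:145): avc: denied { read } for pid=2032 comm="fprintd" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=f10alx.localdomain type=AVC msg=audit(1243768984.94:145): avc: denied { open } for pid=2032 comm="fprintd" name="meminfo" dev=proc ino=4026531984 scontext=system_u:system_r:fprintd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file
node=f10alx.localdomain type=SYSCALL msg=audit(1243768984.94:145): arch=c000003e syscall=2 success=yes exit=10 a0=3380f33ce4 a1=0 a2=1b6 a3=238 items=0 ppid=1 pid=2032 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fprintd" exe="/usr/libexec/fprintd" subj=system_u:system_r:fprintd_t:s0-s0:c0.c1023 key=(null)
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<event>\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]*)\}"
    r".*?scontext=(?P<src>\S+) tcontext=(?P<tgt>\S+) tclass=(?P<cls>\S+)")
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\([\d.]+:(?P<event>\d+)\):.*?\bsuccess=(?P<ok>\w+)")

def selinux_type(context):
    """Contexts are user:role:type[:mls]; allow rules are written on the type only."""
    return context.split(":")[2]

def analyse(log):
    """Return (rules, logged_only): rules maps (source type, target type, class)
    to the denied permissions; logged_only holds the ids of audit events whose
    syscall succeeded despite the AVC denial, i.e. the denial was not enforced."""
    rules, denied, succeeded = defaultdict(set), set(), set()
    for line in log.splitlines():
        if m := AVC_RE.search(line):
            key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
            rules[key].update(m["perms"].split())
            denied.add(m["event"])
        elif (m := SYSCALL_RE.search(line)) and m["ok"] == "yes":
            succeeded.add(m["event"])
    return dict(rules), denied & succeeded

def to_te(rules):
    """Render the grouped denials as type-enforcement allow rules for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    rules, logged_only = analyse(SAMPLE)
    print("\n".join(to_te(rules)))
    print("denied but syscall succeeded, event ids:", sorted(logged_only))
```

Event 145 is flagged because the open() call (syscall=2 on x86_64) returned success=yes even though the AVC records say "denied". That combination is what a permissive domain looks like in the audit log: the denial is still recorded and reported, but the access is granted.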