
Bug 1491808

Summary: SELinux is preventing fprintd from 'map' accesses on the file /usr/libexec/fprintd.
Product: [Fedora] Fedora
Reporter: Joachim Frieben <jfrieben>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: b.gatessucks, dwalsh, kparal, lsm5, lvrabec, mgrepl, mikhail.v.gavrilov, pablodav, plautrba, pmoore, pschindl, robatino, sgallagh
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:8b57c5d1bd0a7a7d4437751683af789bb6a4f5f19ab2c99745bb338c29b8c18b;VARIANT_ID=workstation; AcceptedFreezeException
Fixed In Version: selinux-policy-3.13.1-283.3.fc27
Last Closed: 2017-09-20 15:26:39 UTC
Bug Blocks: 1396703, 1396704

Description Joachim Frieben 2017-09-14 18:07:24 UTC
Description of problem:
SELinux is preventing fprintd from 'map' accesses on the file /usr/libexec/fprintd.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that fprintd should be allowed map access on the fprintd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fprintd' --raw | audit2allow -M my-fprintd
# semodule -X 300 -i my-fprintd.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:fprintd_exec_t:s0
Target Objects                /usr/libexec/fprintd [ file ]
Source                        fprintd
Source Path                   fprintd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           fprintd-0.8.0-1.fc27.x86_64
Policy RPM                    selinux-policy-3.13.1-283.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.1-302.fc27.x86_64 #1 SMP Tue
                              Sep 12 09:10:01 UTC 2017 x86_64 x86_64
Alert Count                   21
First Seen                    2017-09-14 15:19:24 CEST
Last Seen                     2017-09-14 20:03:24 CEST
Local ID                      9fb4687d-b23b-4cf5-b838-5416f166948d

Raw Audit Messages
type=AVC msg=audit(1505412204.468:441): avc:  denied  { map } for  pid=8278 comm="fprintd" path="/usr/libexec/fprintd" dev="dm-1" ino=23883 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_exec_t:s0 tclass=file permissive=0


Hash: fprintd,init_t,fprintd_exec_t,file,map

Version-Release number of selected component:
selinux-policy-3.13.1-283.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.1-302.fc27.x86_64
type:           libreport
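
Added example (not part of the original report and not setroubleshoot's own code): a small parser that reduces raw `type=AVC` records to the comm, source type, target type, class and permission tuple shown on the "Hash:" line above, and counts repeats so one recurring denial is triaged once. The first record is the raw audit message from this report; the records in `CONSTRUCTED` and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# SELinux part of an AVC record: result, permission set, then key=value pairs.
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values are "quoted" or bare

# Raw audit message copied from this report.
PAGE_RECORD = (
    'type=AVC msg=audit(1505412204.468:441): avc:  denied  { map } for  pid=8278 '
    'comm="fprintd" path="/usr/libexec/fprintd" dev="dm-1" ino=23883 '
    'scontext=system_u:system_r:init_t:s0 '
    'tcontext=system_u:object_r:fprintd_exec_t:s0 tclass=file permissive=0'
)
# Constructed records: a repeat of the denial, a non-AVC line, a two-permission AVC.
CONSTRUCTED = [
    PAGE_RECORD.replace("pid=8278", "pid=8301"),
    'type=SYSCALL msg=audit(1505412204.468:441): arch=c000003e syscall=9 success=no',
    'type=AVC msg=audit(1505412300.000:460): avc:  denied  { read open } for  '
    'pid=900 comm="demo" path="/tmp/x" scontext=system_u:system_r:demo_t:s0 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=1',
]

def parse_avc(line):
    """Return the fields of one type=AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    fields.update(result=m.group(1), perms=m.group(2).split())
    return fields

def denial_keys(fields):
    """One (comm, source type, target type, class, perm) tuple per denied perm."""
    if fields["result"] != "denied":
        return []
    stype = fields["scontext"].split(":")[2]  # user:role:type:level
    ttype = fields["tcontext"].split(":")[2]
    return [(fields["comm"], stype, ttype, fields["tclass"], p)
            for p in fields["perms"]]

def summarize(lines):
    """Count how often each distinct denial tuple occurs in a batch of lines."""
    counts = Counter()
    for fields in filter(None, map(parse_avc, lines)):
        counts.update(denial_keys(fields))
    return counts

if __name__ == "__main__":
    for key, n in summarize([PAGE_RECORD] + CONSTRUCTED).items():
        print(n, ",".join(key))
```
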

Comment 1 Kamil Páral 2017-09-15 14:11:17 UTC
Description of problem:
Updated, rebooted, and logged in.

Version-Release number of selected component:
selinux-policy-3.13.1-283.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.1-303.fc27.x86_64
type:           libreport

Comment 2 Kamil Páral 2017-09-15 14:14:34 UTC
Seems to violate:
"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. "
https://fedoraproject.org/wiki/Fedora_27_Final_Release_Criteria#SELinux_and_crash_notifications

This is a default system (VM).

Comment 3 b.gatessucks 2017-09-15 17:50:32 UTC
Description of problem:
1. open terminal (Konsole)
2. type "su -"

Version-Release number of selected component:
selinux-policy-3.13.1-283.fc27.noarch

Additional info:
reporter:       libreport-2.9.2
hashmarkername: setroubleshoot
kernel:         4.13.1-302.fc27.x86_64
type:           libreport

Comment 4 Pablo Estigarribia 2017-09-16 00:36:58 UTC
Got the same issue. I have a normal desktop without a fingerprint device, so I don't know why it is trying to use it.

Also, su, sudo something or shell login is taking around 18s to prompt for a password. I don't know why yet, but probably some PAM module related to fingerprint could be delaying it...

set 15 21:35:28 192.168.1.3 dbus-daemon[922]: [system] Failed to activate service 'net.reactivated.Fprint': timed out (service_start_timeout=25000ms)

Comment 5 Pablo Estigarribia 2017-09-16 00:39:25 UTC
The 18s delay to prompt for the password was definitely the fprintd-pam module. I have removed all of fprintd: dnf remove fprintd

===================================================================================================================================================================================================================
 Paquete                                           Arquitectura                                 Versión                                               Repositorio                                            Tamaño
===================================================================================================================================================================================================================
Eliminando:
 fprintd                                           x86_64                                       0.8.0-1.fc27                                          @updates-testing                                       403 k
Removing depended packages:
 fprintd-pam                                       x86_64                                       0.8.0-1.fc27                                          @updates-testing                                        25 k
Eliminando dependencias sin uso:
 libfprint                                         x86_64                                       0.7.0-3.fc27                                          @fedora                                                491 k


And now the password prompt is very fast!

Comment 6 Fedora Update System 2017-09-18 13:37:17 UTC
selinux-policy-3.13.1-283.3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

Comment 7 Lukas Vrabec 2017-09-18 13:55:26 UTC
*** Bug 1492359 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2017-09-18 22:23:27 UTC
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d

Comment 9 Kamil Páral 2017-09-19 09:20:07 UTC
The login prompt delay (gdm, sudo, su) seems to be gone with the update. Proposing as BetaFreezeException, the login delays are very very annoying.

Comment 10 Stephen Gallagher 2017-09-19 13:16:46 UTC
+1 FE

Comment 11 Petr Schindler 2017-09-19 13:20:08 UTC
I'm also +1 FE. Moving to accepted FE

Comment 12 Fedora Update System 2017-09-20 15:26:39 UTC
selinux-policy-3.13.1-283.3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.