Bug 2010925 - SELinux is preventing fprintd from 'write' accesses on the file persist.
Summary: SELinux is preventing fprintd from 'write' accesses on the file persist.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:bdd87a8514dea337df3869bc9d7...
Duplicates: 2027469 2038702 2046579 2053522 2064792 2069876
Depends On:
Blocks:
Reported: 2021-10-05 16:01 UTC by keen.frog3570
Modified: 2022-04-14 20:52 UTC (History)
CC List: 65 users

Fixed In Version: selinux-policy-35.16-1.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-10 19:52:18 UTC
Type: ---
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | fedora-selinux selinux-policy issues 840 | 0 | None | open | Allow fprintd suspend/resume | 2021-11-03 20:27:03 UTC
Github | fedora-selinux selinux-policy pull 1131 | 0 | None | open | Allow fprintd read and write hardware state information | 2022-04-06 07:40:38 UTC

Internal Links: 2062911

Description keen.frog3570 2021-10-05 16:01:41 UTC
Description of problem:
No idea how this happens, I just use my Fedora as my main machine, with Cinnamon desktop environment.
SELinux is preventing fprintd from 'write' accesses on the file persist.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that fprintd should be allowed write access on the persist file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fprintd' --raw | audit2allow -M my-fprintd
# semodule -X 300 -i my-fprintd.pp

Additional Information:
Source Context                system_u:system_r:fprintd_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                persist [ file ]
Source                        fprintd
Source Path                   fprintd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.21-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-34.21-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.14.9-300.fc35.x86_64 #1 SMP Thu
                              Sep 30 11:54:18 UTC 2021 x86_64 x86_64
Alert Count                   18
First Seen                    2021-10-04 20:25:02 CEST
Last Seen                     2021-10-05 17:52:34 CEST
Local ID                      4cfc6465-8ee0-4318-96a2-ba7457546c86

Raw Audit Messages
type=AVC msg=audit(1633449154.386:744): avc:  denied  { write } for  pid=20540 comm="fprintd" name="persist" dev="sysfs" ino=28365 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0


Hash: fprintd,fprintd_t,sysfs_t,file,write

Version-Release number of selected component:
selinux-policy-targeted-34.21-1.fc35.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.15.2
hashmarkername: setroubleshoot
kernel:         5.14.9-300.fc35.x86_64
type:           libreport

Comment 1 Branko Grubić 2021-10-05 19:50:18 UTC
Can confirm it on my system as well (F35 x86_64)

Raw Audit Messages
type=AVC msg=audit(1633462273.636:301): avc:  denied  { write } for  pid=2980 comm="fprintd" name="persist" dev="sysfs" ino=23698 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0


from the fprintd service log:
...
fprintd[2980]: Failed to open /sys/bus/usb/devices/1-1.3/power/persist
...


The USB device is a fingerprint reader in this case:
Bus 001 Device 003: ID 147e:2016 Upek Biometric Touchchip/Touchstrip Fingerprint Sensor




potentially related packages
------------ 
fprintd-1.92.0-2.fc35.x86_64
fprintd-pam-1.92.0-2.fc35.x86_64
selinux-policy-34.21-1.fc35.noarch
selinux-policy-targeted-34.21-1.fc35.noarch
libfprint-1.94.1-1.fc35.x86_64

Comment 2 Milos Malik 2021-10-13 09:05:18 UTC
Please run the following commands and let us know what their output is:

# semanage permissive -a fprintd_t
# systemctl restart fprintd.service
# ausearch -m avc -m user_avc -m selinux_err -i -ts today

The first command temporarily switches the fprintd policy to permissive.
The following command switches the fprintd policy to enforcing again:

# semanage permissive -d fprintd_t

Comment 3 Branko Grubić 2021-10-13 09:32:41 UTC
For me, I now get the following messages when in permissive mode (I see some other messages which are unrelated to fprintd as well):

----
type=AVC msg=audit(13.10.2021. 09:28:48.298:204) : avc:  denied  { read } for  pid=1343 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0 
----
type=AVC msg=audit(13.10.2021. 09:28:48.298:205) : avc:  denied  { read } for  pid=1343 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0 
----
type=AVC msg=audit(13.10.2021. 11:14:07.988:202) : avc:  denied  { read } for  pid=1479 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0 
----
type=AVC msg=audit(13.10.2021. 11:14:07.988:203) : avc:  denied  { read } for  pid=1479 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0 
----
type=AVC msg=audit(13.10.2021. 11:16:52.778:282) : avc:  denied  { write } for  pid=3552 comm=fprintd name=wakeup dev="sysfs" ino=23705 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13.10.2021. 11:17:51.311:291) : avc:  denied  { write } for  pid=3609 comm=fprintd name=wakeup dev="sysfs" ino=23705 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13.10.2021. 11:18:56.833:303) : avc:  denied  { write } for  pid=3698 comm=fprintd name=wakeup dev="sysfs" ino=23705 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(13.10.2021. 11:26:47.427:317) : avc:  denied  { write } for  pid=3884 comm=fprintd name=wakeup dev="sysfs" ino=23705 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 



also in journal:

-- Journal begins at Sun 2021-01-03 09:35:33 CET, ends at Wed 2021-10-13 11:29:27 CEST. --
окт 13 11:16:52 fedora.linux systemd[1]: Starting Fingerprint Authentication Daemon...
окт 13 11:16:52 fedora.linux fprintd[3552]: Failed to open /sys/bus/usb/devices/1-1.3/power/persist
окт 13 11:16:52 fedora.linux systemd[1]: Started Fingerprint Authentication Daemon.
окт 13 11:17:22 fedora.linux systemd[1]: fprintd.service: Deactivated successfully.
окт 13 11:17:51 fedora.linux systemd[1]: Starting Fingerprint Authentication Daemon...
окт 13 11:17:51 fedora.linux fprintd[3609]: Failed to open /sys/bus/usb/devices/1-1.3/power/persist
окт 13 11:17:51 fedora.linux systemd[1]: Started Fingerprint Authentication Daemon.
окт 13 11:18:24 fedora.linux systemd[1]: fprintd.service: Deactivated successfully.
окт 13 11:18:56 fedora.linux systemd[1]: Starting Fingerprint Authentication Daemon...
окт 13 11:18:56 fedora.linux fprintd[3698]: Failed to open /sys/bus/usb/devices/1-1.3/power/persist
окт 13 11:18:56 fedora.linux systemd[1]: Started Fingerprint Authentication Daemon.
окт 13 11:19:29 fedora.linux systemd[1]: fprintd.service: Deactivated successfully.
окт 13 11:26:47 fedora.linux systemd[1]: Starting Fingerprint Authentication Daemon...
окт 13 11:26:47 fedora.linux fprintd[3884]: Failed to open /sys/bus/usb/devices/1-1.3/power/persist
окт 13 11:26:47 fedora.linux systemd[1]: Started Fingerprint Authentication Daemon.
окт 13 11:27:17 fedora.linux systemd[1]: fprintd.service: Deactivated successfully.

Comment 4 keen.frog3570 2021-10-13 09:54:25 UTC
Here's the result :

# semanage permissive -a fprintd_t
# systemctl restart fprintd.service
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=AVC msg=audit(10/13/2021 08:26:15.788:1148) : avc:  denied  { write } for  pid=30272 comm=fprintd name=wakeup dev="sysfs" ino=76443 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(10/13/2021 08:26:15.788:1149) : avc:  denied  { write } for  pid=30272 comm=fprintd name=persist dev="sysfs" ino=33477 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(10/13/2021 11:28:04.964:341) : avc:  denied  { write } for  pid=2466 comm=fprintd name=wakeup dev="sysfs" ino=33188 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(10/13/2021 11:28:04.964:342) : avc:  denied  { write } for  pid=2466 comm=fprintd name=persist dev="sysfs" ino=33181 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(10/13/2021 11:46:51.904:416) : avc:  denied  { write } for  pid=6028 comm=fprintd name=wakeup dev="sysfs" ino=33188 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(10/13/2021 11:46:51.904:417) : avc:  denied  { write } for  pid=6028 comm=fprintd name=persist dev="sysfs" ino=33181 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(10/13/2021 11:47:12.774:438) : avc:  denied  { write } for  pid=6120 comm=fprintd name=wakeup dev="sysfs" ino=33188 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
----
type=AVC msg=audit(10/13/2021 11:52:44.468:472) : avc:  denied  { write } for  pid=6399 comm=fprintd name=wakeup dev="sysfs" ino=33188 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
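
Added example (not part of the original report or of any comment): a small Python parser for the AVC records posted in this thread, reducing them to the type-level allow rule that the suggested `audit2allow -M my-fprintd` step would build a module from. The function names are hypothetical and the rule text is formatted by this script, not produced by audit2allow.

```python
import re

# AVC records copied from this bug report: the raw record from the description,
# three `ausearch -i` records from comment 4, and one unrelated record from comment 3.
SAMPLE = '''\
type=AVC msg=audit(1633449154.386:744): avc:  denied  { write } for  pid=20540 comm="fprintd" name="persist" dev="sysfs" ino=28365 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(10/13/2021 08:26:15.788:1148) : avc:  denied  { write } for  pid=30272 comm=fprintd name=wakeup dev="sysfs" ino=76443 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(10/13/2021 08:26:15.788:1149) : avc:  denied  { write } for  pid=30272 comm=fprintd name=persist dev="sysfs" ino=33477 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(10/13/2021 11:47:12.774:438) : avc:  denied  { write } for  pid=6120 comm=fprintd name=wakeup dev="sysfs" ino=33188 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(13.10.2021. 09:28:48.298:204) : avc:  denied  { read } for  pid=1343 comm=gdm-session-wor scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=0
'''

# Matches both the raw and the `ausearch -i` layouts: everything we need
# follows the "avc: denied { ... } for" marker as key=value pairs.
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(match.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': match.group('perms').split(),
        'name': fields.get('name'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        # permissive=1 means the access was logged but not blocked
        'permissive': fields.get('permissive') == '1',
    }


def summarize(text):
    """Group denials by (source type, target type, class)."""
    groups = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        group = groups.setdefault(
            key, {'perms': set(), 'names': set(), 'blocked': 0, 'logged_only': 0})
        group['perms'].update(rec['perms'])
        if rec['name']:
            group['names'].add(rec['name'])
        group['logged_only' if rec['permissive'] else 'blocked'] += 1
    return groups


def allow_rule(key, perms):
    """Format the type-enforcement rule that would permit the grouped denials."""
    stype, ttype, tclass = key
    ordered = sorted(perms)
    perm_text = ordered[0] if len(ordered) == 1 else '{ ' + ' '.join(ordered) + ' }'
    return f'allow {stype} {ttype}:{tclass} {perm_text};'


def report(text):
    """Return the rules plus, per rule, the object names that triggered it."""
    lines = []
    for key, group in sorted(summarize(text).items()):
        lines.append(allow_rule(key, group['perms']))
        names = ', '.join(sorted(group['names'])) or '(no name field)'
        lines.append(f"    # seen on: {names}; blocked={group['blocked']}, "
                     f"permissive-only={group['logged_only']}")
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE)))
```

The `persist` and `wakeup` denials collapse into one rule because the decision is made on the `sysfs_t` label, not the file name, so that rule would permit writes to every file labelled `sysfs_t`. Comparing the "seen on" names with the rule's scope is the review to do before loading a generated module with `semodule`.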

Comment 5 gene 2021-11-03 01:30:09 UTC
Similar problem has been detected:

Upgraded from Fedora 34 to 35, saw this on first login via SELinux Troubleshooter

hashmarkername: setroubleshoot
kernel:         5.14.14-300.fc35.x86_64
package:        selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 6 Francesco 2021-11-03 20:16:38 UTC
Similar problem has been detected:

I got this warning at every system startup

hashmarkername: setroubleshoot
kernel:         5.14.14-300.fc35.x86_64
package:        selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 7 clyde.laforge 2021-11-04 11:39:40 UTC
Similar problem has been detected:

I have had this issue since the Fedora 35 update. I am using a fingerprint sensor to log in; my system is vanilla GNOME.
It seems to have already been reported there: https://github.com/fedora-selinux/selinux-policy/issues/840
I also have the same SELinux report, but for writing to 'wakeup' file:

time->Thu Nov  4 12:27:55 2021
type=AVC msg=audit(1636025275.058:437): avc:  denied  { write } for  pid=6294 comm="fprintd" name="persist" dev="sysfs" ino=22511 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
----
time->Thu Nov  4 12:31:29 2021
type=AVC msg=audit(1636025489.349:459): avc:  denied  { write } for  pid=7466 comm="fprintd" name="wakeup" dev="sysfs" ino=38228 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

hashmarkername: setroubleshoot
kernel:         5.14.14-300.fc35.x86_64
package:        selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 8 k3v1n0x90 2021-11-05 15:37:50 UTC
Similar problem has been detected:

After the update to Fedora 35 I got the problem

hashmarkername: setroubleshoot
kernel:         5.14.15-300.fc35.x86_64
package:        selinux-policy-targeted-35.3-1.20211019git94970fc.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 9 Kamil Páral 2021-11-08 10:13:17 UTC
Similar problem has been detected:

This seems to happen every time I try to unlock my locked GNOME session using a fingerprint.

hashmarkername: setroubleshoot
kernel:         5.14.16-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 10 Marco Guazzone 2021-11-10 07:35:37 UTC
Similar problem has been detected:

It seems that this problem happens every time I run a command with "sudo" (e.g., sudo dnf update).

hashmarkername: setroubleshoot
kernel:         5.14.16-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 11 Han Han 2021-11-10 09:20:22 UTC
Similar problem has been detected:
I followed the suggestion from setroubleshoot:
# ausearch -c 'fprintd' --raw | audit2allow -M my-fprintd
# semodule -X 300 -i my-fprintd.pp
But it doesn't work either.
Nov 10 17:13:47 localhost audit[81988]: USER_END pid=81988 uid=1000 auid=1000 ses=14 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
Nov 10 17:13:47 localhost audit[81988]: CRED_DISP pid=81988 uid=1000 auid=1000 ses=14 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_fprintd acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/3 res=success'
Nov 10 17:13:49 localhost audit: BPF prog-id=250 op=LOAD
Nov 10 17:13:49 localhost audit: BPF prog-id=251 op=LOAD
Nov 10 17:13:49 localhost systemd[1]: Starting Hostname Service...
Nov 10 17:13:49 localhost systemd[1]: Started Hostname Service.
Nov 10 17:13:49 localhost audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 10 17:13:51 localhost audit: BPF prog-id=252 op=LOAD
Nov 10 17:13:51 localhost systemd[1]: Starting Fingerprint Authentication Daemon...
Nov 10 17:13:51 localhost systemd[1]: Started Fingerprint Authentication Daemon.
Nov 10 17:13:51 localhost audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=fprintd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Nov 10 17:13:54 localhost journal[82873]: Verify has failed: 502
Nov 10 17:13:54 localhost journal[82873]: Device reported an error during verify: Unexpected result from device 502

Here is the error from fprintd:
Nov 10 17:14:26 localhost.localdomain systemd[1]: Started Fingerprint Authentication Daemon.
Nov 10 17:14:28 localhost.localdomain fprintd[82979]: Verify has failed: 502
Nov 10 17:14:28 localhost.localdomain fprintd[82979]: Device reported an error during verify: Unexpected result from device 502

version:
fprintd-1.94.1-1.fc35.x86_64
selinux-policy-35.5-1.fc35.noarch
kernel-5.14.16-301.fc35.x86_64

Comment 12 redhatbugzilla 2021-11-11 22:29:42 UTC
Similar problem has been detected:

directly after booting to xfce desktop

hashmarkername: setroubleshoot
kernel:         5.14.16-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the Datei persist.
type:           libreport

Comment 13 Vladimir 2021-11-14 13:10:37 UTC
Similar problem has been detected:

sudo dnf install htop

hashmarkername: setroubleshoot
kernel:         5.14.17-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the файл persist.
type:           libreport

Comment 14 IPGentlemann 2021-11-15 09:17:46 UTC
Similar problem has been detected:

Started receiving this SELinux alert after upgrading from Fedora 34 to 35. fprintd is not allowed write permissions to its persist.img file.

hashmarkername: setroubleshoot
kernel:         5.14.17-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 16 Susi Lehtola 2021-11-24 04:07:34 UTC
Similar problem has been detected:

I installed texlive-scheme-full and ran

$ sudo updmap-sys --syncwithtrees


hashmarkername: setroubleshoot
kernel:         5.14.18-300.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 17 juanelas 2021-11-25 12:01:51 UTC
Similar problem has been detected:

any sudo command

hashmarkername: setroubleshoot
kernel:         5.15.3-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 18 David Auer (2nd Account) 2021-11-25 17:23:36 UTC
Similar problem has been detected:

Upgrade F34 to F35.
Happens now whenever I use the fingerprint device.

hashmarkername: setroubleshoot
kernel:         5.14.18-300.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 19 yellowcarbon 2021-11-29 18:05:14 UTC
*** Bug 2027469 has been marked as a duplicate of this bug. ***

Comment 20 yellowcarbon 2021-11-30 15:13:27 UTC
Similar problem has been detected:

Logged in from opening the laptop lid.

hashmarkername: setroubleshoot
kernel:         5.15.4-201.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 21 Jakub Vavra 2021-12-01 07:11:27 UTC
I see the same issue after upgrading to F35:
----
type=AVC msg=audit(12/01/2021 06:52:58.482:305) : avc:  denied  { write } for  pid=2784 comm=fprintd name=wakeup dev="sysfs" ino=36110 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(12/01/2021 06:52:58.482:306) : avc:  denied  { write } for  pid=2784 comm=fprintd name=persist dev="sysfs" ino=36103 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(12/01/2021 07:12:47.628:368) : avc:  denied  { write } for  pid=5556 comm=fprintd name=wakeup dev="sysfs" ino=36110 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(12/01/2021 07:12:47.628:369) : avc:  denied  { write } for  pid=5556 comm=fprintd name=persist dev="sysfs" ino=36103 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(12/01/2021 08:09:04.508:400) : avc:  denied  { write } for  pid=9332 comm=fprintd name=wakeup dev="sysfs" ino=36110 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 

SELinux Policy RPM            selinux-policy-targeted-35.5-1.fc35.noarch

Comment 22 Miro Hrončok 2021-12-02 19:30:36 UTC
After installing Fedora 35 Xfce spin I see this alert over and over again. Updating to the latest packages did not help. It is really annoying.

Comment 23 Nils Philippsen 2021-12-06 12:05:55 UTC
Similar problem has been detected:

Rebooted and logged into GNOME (on Xorg if that matters).

hashmarkername: setroubleshoot
kernel:         5.15.6-200.fc35.x86_64
package:        selinux-policy-targeted-35.6-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 24 Miro Hrončok 2021-12-06 12:33:07 UTC
As a workaround, I got rid of fprintd, as I do not use the fingerprint reader:

sudo systemctl stop fprintd
sudo dnf remove fprintd

Comment 25 David Auer 2021-12-06 12:50:02 UTC
As a workaround, I just pressed "Ignore" in the SELinux Alert Browser. I am using the fingerprint reader and it works fine.
Still, I think for a good Fedora experience, that issue should be fixed in fprintd or the selinux policy. Let me know if I can help with that.

Comment 26 gene 2021-12-15 13:47:34 UTC
Similar problem has been detected:

Computer had been locked from being idle overnight. Upon logging in this message was seen and its timing lined up with the login.

hashmarkername: setroubleshoot
kernel:         5.15.6-200.fc35.x86_64
package:        selinux-policy-targeted-35.6-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 27 gene 2021-12-15 13:53:20 UTC
(In reply to Milos Malik from comment #2)
> Please run the following commands and let us know what their output is:
> 
> # semanage permissive -a fprintd_t
> # systemctl restart fprintd.service
> # ausearch -m avc -m user_avc -m selinux_err -i -ts today
> 
> The first command temporarily switches the fprintd policy to permissive.
> The following command switches the fprintd policy to enforcing again:
> 
> # semanage permissive -d fprintd_t

[root@carbonbean ~]# semanage permissive -a fprintd_t
[root@carbonbean ~]# systemctl restart fprintd.service
[root@carbonbean ~]# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=AVC msg=audit(12/15/2021 08:44:58.497:320) : avc:  denied  { write } for  pid=131700 comm=fprintd name=wakeup dev="sysfs" ino=29857 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(12/15/2021 08:44:58.497:321) : avc:  denied  { write } for  pid=131700 comm=fprintd name=persist dev="sysfs" ino=29850 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(12/15/2021 08:50:33.895:335) : avc:  denied  { write } for  pid=133879 comm=fprintd name=wakeup dev="sysfs" ino=29857 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(12/15/2021 08:50:33.895:336) : avc:  denied  { write } for  pid=133879 comm=fprintd name=persist dev="sysfs" ino=29850 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 
----
type=AVC msg=audit(12/15/2021 08:50:54.971:354) : avc:  denied  { write } for  pid=133960 comm=fprintd name=wakeup dev="sysfs" ino=29857 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 
[root@carbonbean ~]# semanage permissive -d fprintd_t
libsemanage.semanage_direct_remove_key: Removing last permissive_fprintd_t module (no other permissive_fprintd_t module exists at another priority).

Comment 28 Troy Volin 2021-12-20 02:20:01 UTC
Similar problem has been detected:

Recently upgraded to F35. have been configured for kscreenlock (and most things with system-auth) to use fingerprint.
I now get this selinux violation consistently when running sudo from a terminal.
The error is usually against a file called "persist" but is also, maybe 30% of the time, against a file called "wakeup".
I strongly suspect it is trying to write to "persist" and/or "wakeup" under:
/sys/devices/pci0000:00/0000:00:14.0/usb1/1-9/power/
because that's my fingerprint reader.

I guess if fprintd wants to adjust the wakeup and persist of the fingerprint reader, SELinux should allow that?

hashmarkername: setroubleshoot
kernel:         5.15.8-200.fc35.x86_64
package:        selinux-policy-targeted-35.6-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 29 Brian J. Murrell 2021-12-23 02:07:32 UTC
Similar problem has been detected:

Not sure what caused this.

hashmarkername: setroubleshoot
kernel:         5.15.6-200.fc35.x86_64
package:        selinux-policy-targeted-35.6-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 30 benno.kuenz 2021-12-27 16:20:42 UTC
Similar problem has been detected:

each time a command with 'sudo' is run this message pops up

hashmarkername: setroubleshoot
kernel:         5.15.11-200.fc35.x86_64
package:        selinux-policy-targeted-35.7-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 31 Brian J. Murrell 2021-12-28 05:00:59 UTC
Similar problem has been detected:

I'm not sure why this happened.

hashmarkername: setroubleshoot
kernel:         5.14.17-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 32 Sam Varshavchik 2022-01-01 23:00:58 UTC
Similar problem has been detected:

Executed "su" in a terminal shell.

hashmarkername: setroubleshoot
kernel:         5.15.11-200.fc35.x86_64
package:        selinux-policy-targeted-35.7-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 33 m8ms93idb@relay.firefox.com 2022-01-13 18:59:46 UTC
Similar problem has been detected:

When attempting to log in after sleep, SELinux reported that fprintd attempted to access, and said that if I believe it should be able to, then I need to submit a bug. So it is the case.

hashmarkername: setroubleshoot
kernel:         5.15.12-200.fc35.x86_64
package:        selinux-policy-targeted-35.7-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file wakeup.
type:           libreport

Comment 34 Mike 2022-01-15 18:28:58 UTC
Similar problem has been detected:

Automatically appears after a startup is finished

hashmarkername: setroubleshoot
kernel:         5.15.13-200.fc35.x86_64
package:        selinux-policy-targeted-35.8-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 35 Nicolás 2022-01-18 23:49:43 UTC
Similar problem has been detected:

It appears for me when logging in.

hashmarkername: setroubleshoot
kernel:         5.15.12-200.fc35.x86_64
package:        selinux-policy-targeted-35.7-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the archivo persist.
type:           libreport

Comment 36 Biji 2022-01-27 01:12:31 UTC
*** Bug 2046579 has been marked as a duplicate of this bug. ***

Comment 37 Brian J. Murrell 2022-01-29 00:22:57 UTC
Similar problem has been detected:

Clicked on a notification.

hashmarkername: setroubleshoot
kernel:         5.14.17-301.fc35.x86_64
package:        selinux-policy-targeted-35.5-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 38 Alex. H. F. 2022-02-01 17:59:32 UTC
Similar problem has been detected:

Just after system startup

hashmarkername: setroubleshoot
kernel:         5.15.17-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the Datei persist.
type:           libreport

Comment 39 Ron M 2022-02-07 10:52:46 UTC
Similar problem has been detected:

Occurs at login; fprintd is using hardware 06cb:00bd (Synaptics).
Running on fedora 5.16.5-200.fc35.

hashmarkername: setroubleshoot
kernel:         5.16.5-200.fc35.x86_64
package:        selinux-policy-targeted-35.13-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file wakeup.
type:           libreport

Comment 40 Chris J 2022-02-07 14:46:08 UTC
Similar problem has been detected:

Happens when I use sudo

hashmarkername: setroubleshoot
kernel:         5.16.5-200.fc35.x86_64
package:        selinux-policy-targeted-35.13-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 41 Petr Lautrbach 2022-02-11 13:21:43 UTC
*** Bug 2053522 has been marked as a duplicate of this bug. ***

Comment 42 Alex. H. F. 2022-02-18 11:13:50 UTC
Similar problem has been detected:

After every boot (maybe login) after FC35 install from scratch on Laptop with "fingerprint" reader.

It is crazily unbelievable how "BAD" testing is made prior to releasing.

Every time again, SE-Linux rules are missing!
Please, remember to include it to the check-list.

hashmarkername: setroubleshoot
kernel:         5.16.9-200.fc35.x86_64
package:        selinux-policy-targeted-35.15-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the Datei persist.
type:           libreport

Comment 43 Jonathan Graham 2022-02-23 18:32:31 UTC
Similar problem has been detected:

This problem came up after locking the screen, returning, and unlocking the screen with password.

hashmarkername: setroubleshoot
kernel:         5.16.8-200.fc35.x86_64
package:        selinux-policy-targeted-35.13-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 44 Benjamin Berg 2022-02-24 14:56:04 UTC
Note that this is a pretty harmless warning.

fprintd/libfprint tries to configure the device to make suspend/resume work properly. But, for this to actually be useful, the lock screen would need to keep fingerprint authentication running while the laptop is suspended. And, I don't think we ever got to that point.

Comment 45 David Auer (2nd Account) 2022-02-24 15:03:25 UTC
Hey Benjamin,

it may be pretty harmless but it's still pretty annoying. Do you imply that this could be fixed by disabling this functionality in fprintd/libfprint? If it's not useful we might as well disable it, right?
For me the easiest/fastest way to make this warning go away would be the best way. (But it should not be a workaround that each user has to find and apply on their own.)

Comment 46 Martin Wolf 2022-02-24 15:14:55 UTC
To get temporarily rid of the warning I used this mount option: context=system_u:object_r:fusefs_t:s0
I basically give it the same settings as ntfs-3g. I am not sure if that is wise, but it works for me for two weeks now.

Comment 47 Martin Wolf 2022-02-24 15:15:43 UTC
sorry, wrong post :(

Comment 48 Benjamin Berg 2022-02-24 15:31:09 UTC
I can't imagine that the required selinux policy changes are complicated. Considering how long we already have been shipping with this situation, I am not very inclined to work around it by disabling a good-to-have feature in libfprint.

What I could offer though is trying to avoid the write in libfprint. i.e. read the attribute first, and only write() if we are actually changing the value. On F36, that would avoid the warnings already. Not on F35, as systemd doesn't handle turning off the persist feature yet.

Really, it would be good to just get the policy updated.

Comment 49 shantzis62 2022-02-26 15:31:33 UTC
Similar problem has been detected:

Simply happened on reboot, multiple times. I followed the recommended local fix but haven't yet determined if it fixes it:
sudo ausearch -c fprintd --raw | audit2allow -M my-fprintd
sudo semodule -X 300 -i my-fprintd.pp

hashmarkername: setroubleshoot
kernel:         5.16.9-200.fc35.x86_64
package:        selinux-policy-targeted-35.15-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 50 Alex. H. F. 2022-03-12 12:50:44 UTC
Similar problem has been detected:

At every System restart (maybe user login) in Gnome 41, FC35 

hashmarkername: setroubleshoot
kernel:         5.16.12-200.fc35.x86_64
package:        selinux-policy-targeted-35.15-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the Datei persist.
type:           libreport

Comment 52 Petr Lautrbach 2022-03-16 14:51:50 UTC
*** Bug 2064792 has been marked as a duplicate of this bug. ***

Comment 53 Nils Philippsen 2022-03-20 17:01:34 UTC
Similar problem has been detected:

Ran `sudo -i` which accesses the finger print sensor for authentication.

hashmarkername: setroubleshoot
kernel:         5.16.15-201.fc35.x86_64
package:        selinux-policy-targeted-35.15-1.fc35.noarch
reason:         SELinux is preventing fprintd from 'write' accesses on the file persist.
type:           libreport

Comment 54 Troy Volin 2022-03-20 22:40:57 UTC
(In reply to Benjamin Berg from comment #48)
> I can't imagine that the required selinux policy changes are complicated.
> Considering how long we already have been shipping with this situation, I am
> not very inclined to work around it by disabling a good-to-have feature in
> libfprint.
> 
> What I could offer though is trying to avoid the write in libfprint. i.e.
> read the attribute first, and only write() if we are actually changing the
> value. On F36, that would avoid the warnings already. Not on F35, as systemd
> doesn't handle turning off the persist feature yet.
> 
> Really, it would be good to just get the policy updated.

@bberg and other maintainers:
I think the proposed solution here (read "persist" and "wakeup", and only write to them if the value needs to change) is the right way to go.
I understand it won't make the noise go away until F36, but that's totally fine with me.

My only other thought is this: when libfprint actually does need to update the value of "persist" or "wakeup", is that actually a violation? I feel like it isn't. So if the right thing to do is to update the selinux policy, perhaps it is a waste of time to make the change in libfprint.
Regardless, seeing this fixed in the F36 timeline would be good.

Comment 55 Benjamin Berg 2022-03-21 10:32:25 UTC
Not writing the file is a micro-optimization that happens to work around the lack of an updated SELinux policy.

At the end, I just submitted https://gitlab.freedesktop.org/libfprint/libfprint/-/merge_requests/353 upstream, because I don't want to deal with selinux policies. That'll probably make its way into F36 eventually.
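
The read-before-write approach discussed in comments 48, 54 and 55, as an added C example: it is not part of any comment and is not libfprint's code (that lives in the linked merge request). The function and enum names are assumptions of this example, and the attribute path is supplied by the caller.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Result codes; names belong to this example, not to libfprint. */
enum attr_result { ATTR_ERROR = -1, ATTR_UNCHANGED = 0, ATTR_WRITTEN = 1 };

/* Read a short text attribute, dropping the trailing newline. */
static int read_attr(const char *path, char *buf, size_t len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

/* Set an attribute such as "persist" or "wakeup" to `want`, opening it for
 * writing only when the current value differs. When the value already
 * matches, only a read-only open happens, so no 'write' access is requested
 * and a policy that denies it has nothing to report. sysfs treats each
 * write() as one complete store, hence no O_TRUNC; no O_CREAT either,
 * because the attribute must already exist. */
enum attr_result set_attr_if_changed(const char *path, const char *want)
{
    char cur[64];

    if (read_attr(path, cur, sizeof cur) == 0 && strcmp(cur, want) == 0)
        return ATTR_UNCHANGED;

    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return ATTR_ERROR;        /* e.g. EACCES when policy denies write */
    size_t len = strlen(want);
    ssize_t n = write(fd, want, len);
    int saved = errno;
    close(fd);
    if (n < 0 || (size_t)n != len) {
        errno = saved;
        return ATTR_ERROR;
    }
    return ATTR_WRITTEN;
}
```

If the current value cannot be read, the function falls through to the write attempt, so a real change is still subject to the policy and still needs the `write` permission.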

Comment 56 Zdenek Pytela 2022-03-30 07:01:07 UTC
*** Bug 2069876 has been marked as a duplicate of this bug. ***

Comment 57 Zdenek Pytela 2022-03-30 11:39:16 UTC
*** Bug 2038702 has been marked as a duplicate of this bug. ***

Comment 58 Fedora Update System 2022-04-06 15:24:31 UTC
FEDORA-2022-9681e66715 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-9681e66715

Comment 59 Fedora Update System 2022-04-06 19:48:37 UTC
FEDORA-2022-9681e66715 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-9681e66715`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-9681e66715

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 60 Fedora Update System 2022-04-10 19:52:18 UTC
FEDORA-2022-9681e66715 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

