This update locks the fprintd daemon down, thus reducing the reach of potential security issues. It also makes it possible to avoid waking up fingerprint readers when no fingerprints are enrolled.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2017-65297dc913
This update has been submitted for testing by hadess.
This update has been pushed to testing.
Works
works for me in a VM
After installing this update, "su -" in gnome-terminal suffers from a 15-second delay. Downgrading to 0.7.0-4.fc27 fixes it.
Would be enough for a -1, but maybe I'm missing something.
Not only "su -" is affected, also "su USERNAME".
There are also SELinux errors. Since the downgrade works, I assume something is broken in this test update.
Sep 19 00:39:10 noname audit[4498]: AVC avc: denied { mounton } for pid=4498 comm="(fprintd)" path="/var/lib/fprint" dev="sda5" ino=793064 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprin
Sep 19 00:39:10 noname audit: SELINUX_ERR op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:fprintd_t:s0
Sep 19 00:39:10 noname audit[4498]: AVC avc: denied { map } for pid=4498 comm="fprintd" path="/usr/libexec/fprintd" dev="sda5" ino=1704831 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprin
Sep 19 00:39:10 noname audit[4498]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:init_t:s0 pid=4498 comm="fprintd" exe="/usr/libexec/fprintd" sig=11 res=1
SELinux is preventing (fprintd) from mounton access on the directory /var/lib/fprint.
* Plugin catchall (100. confidence) suggests ******
If you believe that (fprintd) should be allowed mounton access on the fprint directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
ausearch -c '(fprintd)' --raw | audit2allow -M my-fprintd
semodule -X 300 -i my-fprintd.pp
Additional Information:
Source Context system_u:system_r:init_t:s0
Target Context system_u:object_r:fprintd_var_lib_t:s0
Target Objects /var/lib/fprint [ dir ]
Source (fprintd)
Source Path (fprintd)
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages fprintd-0.8.0-1.fc27.x86_64
Policy RPM selinux-policy-3.13.1-283.fc27.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name noname
Platform Linux noname 4.13.0-0.rc7.git0.1.fc27.x86_64 #1 SMP Mon Aug 28 02:33:21 UTC 2017 x86_64 x86_64
Alert Count 1
First Seen 2017-09-18 01:29:51 CEST
Last Seen 2017-09-18 01:29:51 CEST
Local ID 4aeb873a-c1c8-49bf-9c12-7dbc75c68ec5
Raw Audit Messages
type=AVC msg=audit(1505690991.218:591): avc: denied { mounton } for pid=22890 comm="(fprintd)" path="/var/lib/fprint" dev="sda5" ino=793064 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0
Hash: (fprintd),init_t,fprintd_var_lib_t,dir,mounton
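An added example, not part of the report above and not code from Bodhi or setroubleshoot: a small triage helper that parses the AVC records quoted in this report and builds a comm, source type, target type, class, permission key modelled on the "Hash:" line, so repeated denials can be grouped and matched against a policy update. It assumes contexts in user:role:type[:level] form and treats records without tclass (such as the cut-off journal lines) as truncated instead of keying them on a partial type name; the function names are hypothetical.

```python
import re
from collections import Counter

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Records copied from the report above. The two journal lines are cut off
# mid-tcontext; the ausearch-style line is complete.
SAMPLE = [
    'Sep 19 00:39:10 noname audit[4498]: AVC avc: denied { mounton } for pid=4498 comm="(fprintd)" path="/var/lib/fprint" dev="sda5" ino=793064 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprin',
    'Sep 19 00:39:10 noname audit[4498]: AVC avc: denied { map } for pid=4498 comm="fprintd" path="/usr/libexec/fprintd" dev="sda5" ino=1704831 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprin',
    'Sep 19 00:39:10 noname audit[4498]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:init_t:s0 pid=4498 comm="fprintd" exe="/usr/libexec/fprintd" sig=11 res=1',
    'type=AVC msg=audit(1505690991.218:591): avc: denied { mounton } for pid=22890 comm="(fprintd)" path="/var/lib/fprint" dev="sda5" ino=793064 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:fprintd_var_lib_t:s0 tclass=dir permissive=0',
]


def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    rec["perms"] = sorted(m.group(1).split())
    return rec


def avc_key(rec):
    """comm,source_type,target_type,class,perms; None if the record is truncated."""
    if not all(k in rec for k in ("comm", "scontext", "tcontext", "tclass")):
        return None  # without tclass the tcontext may be cut short too
    src, tgt = rec["scontext"].split(":"), rec["tcontext"].split(":")
    if len(src) < 3 or len(tgt) < 3:
        return None
    return ",".join([rec["comm"], src[2], tgt[2], rec["tclass"], *rec["perms"]])


def summarize(lines):
    """Count complete denials per key and the AVC records too truncated to key."""
    keys, truncated = Counter(), 0
    for rec in filter(None, map(parse_avc, lines)):
        key = avc_key(rec)
        if key is None:
            truncated += 1
        else:
            keys[key] += 1
    return dict(keys), truncated


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Feeding it full records from ausearch --raw rather than the shortened journal view avoids the truncated bucket.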
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
Works great! LGTM! =)
@besser82 : https://fedoraproject.org/wiki/QA:Update_feedback_guidelines#Previously_reported_bugs
This update strictly needs the newer selinux-policy package that has now been pushed, too: https://bodhi.fedoraproject.org/updates/FEDORA-2017-a1b4dab97d
This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes
Withdrawing my earlier -1 vote since the needed selinux-policy package has been made available and has been pushed to stable meanwhile.
works
This update has been submitted for batched by hadess.
This update has been submitted for stable by hadess.
This update has been pushed to stable.