Bug 1022547

Summary: SELinux is preventing /usr/bin/gnome-thumbnail-font from using the 'dac_override' capabilities.
Product: [Fedora] Fedora Reporter: Zero <HolyMaster>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: dominick.grift, dwalsh, HolyMaster, lvrabec, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:1d7bc17aed16c82aca5a6a7b62d681144fa57f3e16f2072422a46a7213e067be
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-25 06:50:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Zero 2013-10-23 13:48:58 UTC 
Description of problem:
SELinux is preventing /usr/bin/gnome-thumbnail-font from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that gnome-thumbnail-font should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gnome-thumbnail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        gnome-thumbnail
Source Path                   /usr/bin/gnome-thumbnail-font
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           gnome-font-viewer-3.8.0-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.9.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.4-201.fc19.x86_64 #1 SMP Thu
                              Oct 10 14:11:18 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-10-16 22:06:44 CEST
Last Seen                     2013-10-16 22:06:46 CEST
Local ID                      b9623b24-0d44-40d7-8780-faca301d4588

Raw Audit Messages
type=AVC msg=audit(1381954006.222:545): avc:  denied  { dac_override } for  pid=10583 comm="gnome-thumbnail" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=AVC msg=audit(1381954006.222:545): avc:  denied  { dac_read_search } for  pid=10583 comm="gnome-thumbnail" capability=2  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1381954006.222:545): arch=x86_64 syscall=stat success=no exit=EACCES a0=828a90 a1=7fff0d4e8f40 a2=7fff0d4e8f40 a3=3d34532720 items=0 ppid=10537 pid=10583 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts1 comm=gnome-thumbnail exe=/usr/bin/gnome-thumbnail-font subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: gnome-thumbnail,thumb_t,thumb_t,capability,dac_override

Additional info:
reporter:       libreport-2.1.8
hashmarkername: setroubleshoot
kernel:         3.11.4-201.fc19.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2013-10-24 13:04:28 UTC 
If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
Comment 2 Daniel Walsh 2013-10-24 17:24:16 UTC 
You really should not be running nautilus or any X Apps as root, this is fairly dangerous and is what is causing the DAC_OVERRIDE.

Which X App were you running when this happened?
Comment 3 Miroslav Grepl 2013-10-25 06:50:45 UTC 
Ah, I overlooked "uid=0".
Comment 4 Zero 2014-06-23 13:46:08 UTC 
it's fixed