| Summary: | SELinux is preventing /usr/bin/evince-thumbnailer from using the 'dac_override' capabilities. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | sushiltulu <sushil176> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:05443624bfca785cc15b3ab2659701b52c6c953c9e614ee8c5b522279a99d95c | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-10-29 11:26:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
You should not run as root in X. |
Description of problem: after logging into root user when i tried to access properties of a folder containg media files,it showed permission denied 2 times simultaneously,then the window closed.plz help. SELinux is preventing /usr/bin/evince-thumbnailer from using the 'dac_override' capabilities. ***** Plugin dac_override (91.4 confidence) suggests *********************** If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system Then turn on full auditing to get path information about the offending file and generate the error again. Do Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla. ***** Plugin catchall (9.59 confidence) suggests *************************** If you believe that evince-thumbnailer should have the dac_override capability by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep evince-thumbnai /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 Target Objects [ capability ] Source evince-thumbnai Source Path /usr/bin/evince-thumbnailer Port <Unknown> Host (removed) Source RPM Packages totem-3.8.2-1.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-54.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.9.5-301.fc19.x86_64 #1 SMP Tue Jun 11 19:39:38 UTC 2013 x86_64 x86_64 Alert Count 261 First Seen 2013-10-26 18:57:48 IST Last Seen 2013-10-26 20:31:37 IST Local ID dff4b1df-022a-4660-9162-a48c70eb937e Raw Audit Messages type=AVC msg=audit(1382799697.478:912): avc: denied { dac_override } for pid=713 comm="totem-video-thu" capability=1 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability type=AVC msg=audit(1382799697.478:912): avc: denied { dac_read_search } for pid=713 comm="totem-video-thu" capability=2 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability type=SYSCALL msg=audit(1382799697.478:912): arch=x86_64 syscall=open success=no exit=EACCES a0=1fd6ae0 a1=0 a2=0 a3=0 items=0 ppid=32608 pid=713 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=(none) comm=totem-video-thu exe=/usr/bin/totem-video-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null) Hash: evince-thumbnai,thumb_t,thumb_t,capability,dac_override Additional info: reporter: libreport-2.1.5 hashmarkername: setroubleshoot kernel: 3.9.5-301.fc19.x86_64 type: libreport Potential duplicate: bug 815106