Bug 1056831

Summary: Selinux is preventing Tumblerd from working
Product: Fedora
Reporter: Adrián Reboreda Martínez <a.fedora>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: a.fedora, aleritty, anton4linux, arielnmz, christoph.wickert, dominick.grift, dwalsh, kevin, lvrabec, mgrepl, mmalik, prasanna.ven
Hardware: x86_64
OS: Unspecified
Fixed In Version: selinux-policy-3.12.1-127.fc20
Doc Type: Bug Fix
Last Closed: 2014-03-12 12:17:07 UTC
Type: Bug
Attachments: Sealert output. (flags: none)

Description Adrián Reboreda Martínez 2014-01-23 02:21:14 UTC
Created attachment 854162 [details]
Sealert output.

Description of problem:
Selinux is preventing Tumblerd from generating thumbnails under XFCE and Thunar. The problem started after an update of selinux-policy-targeted.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-119.fc20.noarch

How reproducible:
Start a tumblerd process from a terminal.

Steps to Reproduce:
1. Close all Thunar windows
2. Kill any tumblerd instance: pkill tumblerd
3. Try to start a new tumblerd process: /lib64/tumbler-1/tumblerd

Actual results:
Tumblerd does not start, and the following message is shown:

(tumblerd:32274): tumblerd-WARNING **: Failed to connect to the D-Bus session bus: Failed to connect to socket /tmp/dbus-0IrFZKt0JG: Permission denied


Expected results:
Tumblerd must start and generate thumbnails.

Additional info:
If selinux is disabled tumblerd can be started:

setenforce 0
/lib64/tumbler-1/tumblerd

I add an attachment with the sealert output; the text shows that selinux is having issues with dbus-launch.

Comment 1 Miroslav Grepl 2014-01-23 10:32:21 UTC
# matchpathcon /lib64/tumbler-1/tumblerd
/lib64/tumbler-1/tumblerd	system_u:object_r:thumb_exec_t:s0

Try to execute

# restorecon -R -v /lib64/tumbler-1/tumblerd

Comment 2 Miroslav Grepl 2014-01-23 10:35:24 UTC
*** Bug 1056991 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2014-01-23 10:36:44 UTC
It looks like a labeling issue.

# fixfiles restore

should fix labeling on your system.

Comment 4 Adrián Reboreda Martínez 2014-01-23 10:57:35 UTC
I've tried your solution:

# su -
# fixfiles restore


The process finishes without problem. I try to start tumblerd and the same problem happens.

Also I check if the executable is labeled as it should be:

# matchpathcon /lib64/tumbler-1/tumblerd 
/lib64/tumbler-1/tumblerd	system_u:object_r:thumb_exec_t:s0
# ls -Z /lib64/tumbler-1/tumblerd
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /lib64/tumbler-1/tumblerd


Some other idea?

Comment 5 Miroslav Grepl 2014-01-23 11:41:39 UTC
Ok, I overlooked that. Could you try to update to the latest policy, re-login and re-test?

Comment 6 Miroslav Grepl 2014-01-23 11:58:26 UTC
I am not able to reproduce it.

Comment 7 Adrián Reboreda Martínez 2014-01-23 18:54:37 UTC
Nope, the latest selinux policy is installed. Today's updates only include NetworkManager, dnf and some other stuff.

I did try removing tumbler:

# yum remove tumbler

The command also removed tumbler-extras and ristretto.

Later I installed the three packages and restored the conf:

# yum install tumbler tumbler-extras ristretto
# restorecon -vRF /lib64

But the same problem happens again when I try to start tumblerd.

Comment 8 Miroslav Grepl 2014-01-27 09:51:02 UTC
*** Bug 1058064 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2014-01-27 09:59:27 UTC
type=AVC msg=audit(1390159825.110:494): avc:  denied  { execute } for  pid=18814 comm="dbus-launch" name="dbus-daemon" dev="dm-2" ino=400782 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file

Comment 10 Benjamin Ariel Nava Martinez 2014-01-27 17:42:02 UTC
Ok, "Is auditd running?" Yes
[root@******* ariel]# systemctl status auditd.service 
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: active (running) since lun 2014-01-27 11:26:37 CST; 11min ago
  Process: 402 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
 Main PID: 401 (auditd)
   CGroup: /system.slice/auditd.service
           ├─401 /sbin/auditd -n
           ├─407 /sbin/audispd
           └─408 /usr/sbin/sedispatch

ene 27 11:26:37 ******* systemd[1]: Started Security Auditing Service.
ene 27 11:26:37 ******* auditd[401]: Started dispatcher: /sbin/audispd pid: 407
ene 27 11:26:37 ******* audispd[407]: priority_boost_parser called with: 4
ene 27 11:26:37 ******* audispd[407]: max_restarts_parser called with: 10
ene 27 11:26:37 ******* audispd[407]: audispd initialized with q_depth=150 ...ns
ene 27 11:26:37 ******* auditd[401]: Init complete, auditd 2.3.3 listening ...e)
Hint: Some lines were ellipsized, use -l to show in full.
(******* is my hostname)

And for "Also what does #ausearch -m user_avc", this is the output:
----
time->Wed Jan  8 16:01:02 2014
type=USER_AVC msg=audit(1389218462.021:620): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan  8 16:01:02 2014
type=USER_AVC msg=audit(1389218462.022:621): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan  8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:668): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan  8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:669): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=5)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan  8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:670): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=6)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan  8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:671): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=7)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan  9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:576): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan  9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:577): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan  9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:578): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan  9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:579): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=5)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Jan 17 19:59:21 2014
type=USER_AVC msg=audit(1390010361.614:415): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan 22 13:23:02 2014
type=USER_AVC msg=audit(1390418582.977:25): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan 23 12:08:52 2014
type=USER_AVC msg=audit(1390500532.319:806): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Sun Jan 26 13:04:34 2014
type=USER_AVC msg=audit(1390763074.182:15): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Comment 11 Adrián Reboreda Martínez 2014-01-27 17:45:51 UTC
My output of ausearch is the following.

time->Wed Jan 22 15:01:01 2014
type=USER_AVC msg=audit(1390424461.830:447): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Comment 12 Milos Malik 2014-01-31 10:33:31 UTC
A manual run of tumblerd on my RHEL-7 machine always ends up with a "permission denied" message. Some access is denied, but the AVCs are not visible until you run the "semodule -DB" command:

After logging in as staff_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:22:51.362:26438) : saddr=local /tmp/dbus-zmG3DhqIfX 
type=SYSCALL msg=audit(01/31/2014 11:22:51.362:26438) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fffdcfb2b50 a2=0x17 a3=0x0 items=0 ppid=6650 pid=7692 auid=userY uid=userY gid=userY euid=userY suid=userY fsuid=userY egid=userY sgid=userY fsgid=userY tty=pts1 ses=3460 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/31/2014 11:22:51.362:26438) : avc:  denied  { connectto } for  pid=7692 comm=tumblerd path=/tmp/dbus-zmG3DhqIfX scontext=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
----

After logging in as user_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:29:09.157:28819) : saddr=local /tmp/dbus-nFz2EkjzWb 
type=SYSCALL msg=audit(01/31/2014 11:29:09.157:28819) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fffb62d9600 a2=0x17 a3=0x0 items=0 ppid=11031 pid=11090 auid=userX uid=userX gid=userX euid=userX suid=userX fsuid=userX egid=userX sgid=userX fsgid=userX tty=pts1 ses=3464 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=user_u:user_r:thumb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2014 11:29:09.157:28819) : avc:  denied  { connectto } for  pid=11090 comm=tumblerd path=/tmp/dbus-nFz2EkjzWb scontext=user_u:user_r:thumb_t:s0 tcontext=user_u:user_r:user_dbusd_t:s0 tclass=unix_stream_socket 
----

Comment 13 Milos Malik 2014-01-31 10:49:22 UTC
After logging in as unconfined_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:46:32.347:29056) : saddr=local /tmp/dbus-XY7kElSMgR 
type=SYSCALL msg=audit(01/31/2014 11:46:32.347:29056) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fff5c89a020 a2=0x17 a3=0x0 items=0 ppid=12809 pid=12879 auid=userQ uid=userQ gid=userQ euid=userQ suid=userQ fsuid=userQ egid=userQ sgid=userQ fsgid=userQ tty=pts1 ses=3477 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/31/2014 11:46:32.347:29056) : avc:  denied  { connectto } for  pid=12879 comm=tumblerd path=/tmp/dbus-XY7kElSMgR scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
----

After logging in as xguest_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:48:14.763:29445) : saddr=local /tmp/dbus-MIyZ5E0E6h 
type=SYSCALL msg=audit(01/31/2014 11:48:14.763:29445) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fffcff16d10 a2=0x17 a3=0x0 items=0 ppid=13310 pid=13312 auid=userZ uid=userZ gid=userZ euid=userZ suid=userZ fsuid=userZ egid=userZ sgid=userZ fsgid=userZ tty=(none) ses=3478 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=xguest_u:xguest_r:thumb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2014 11:48:14.763:29445) : avc:  denied  { connectto } for  pid=13312 comm=tumblerd path=/tmp/dbus-MIyZ5E0E6h scontext=xguest_u:xguest_r:thumb_t:s0 tcontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tclass=unix_stream_socket 
----

Comment 14 Miroslav Grepl 2014-01-31 11:20:23 UTC
#============= thumb_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow thumb_t xguest_dbusd_t:unix_stream_socket connectto;

Do you need this access to make it working?

Comment 15 Milos Malik 2014-01-31 12:51:26 UTC
policy_module(mypolicy,1.0)

require {
  type thumb_t;
  type staff_dbusd_t;
  class unix_stream_socket { connectto };
  class dbus { send_msg };
}

allow thumb_t staff_dbusd_t : unix_stream_socket { connectto };
allow thumb_t staff_dbusd_t : dbus { send_msg };

When SELinux is in enforcing mode and the above-mentioned policy module is loaded in memory, tumblerd exits with the following message:

(tumblerd:21892): tumblerd-WARNING **: Failed to start the thumbnail cache service: Another thumbnail cache service is already running

When I switch to permissive mode, tumblerd runs as expected and there are no messages. Unfortunately, I'm unable to make tumblerd run in enforcing mode. After "semodule -DB" there are some AVCs, but none of them (converted to an allow rule) seems to help.

Comment 16 Miroslav Grepl 2014-01-31 12:56:59 UTC
Ok, I think we will need to allow dbus chat.

allow thumb_t staff_dbusd_t : dbus { send_msg };
allow staff_dbusd_t thumb_t : dbus { send_msg };

The problem is that we now have the thumb "dbus-daemon --session" running in thumb_t.
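As an added example (not code from this bug or from the Fedora policy), a small Python script that does for the AVC records in Comments 9, 12 and 13 what audit2allow does by hand in Comment 15: it extracts source type, target type, class and permission from each "avc: denied" line, ignores SYSCALL/SOCKADDR/USER_AVC records, and renders a .te module with a require block. The dbus send_msg record in the sample is constructed, not from the page, to show the two-way rule Comment 16 asks for; remember that dontaudit-covered denials (Comment 14) only show up in the log after "semodule -DB".

```python
import re

# Sample audit records: the first two are copied from Comment 9 and Comment 13 of
# this bug; the last one is CONSTRUCTED (not from the page) to show how a dbus
# send_msg denial becomes a two-way "chat" rule as in Comment 16.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1390159825.110:494): avc:  denied  { execute } for  pid=18814 comm="dbus-launch" name="dbus-daemon" dev="dm-2" ino=400782 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file
type=AVC msg=audit(01/31/2014 11:22:51.362:26438) : avc:  denied  { connectto } for  pid=7692 comm=tumblerd path=/tmp/dbus-zmG3DhqIfX scontext=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(01/31/2014 11:22:51.362:26438) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied)
type=AVC msg=audit(CONSTRUCTED:1) : avc:  denied  { send_msg } for  pid=1 comm=tumblerd scontext=staff_u:staff_r:thumb_t:s0 tcontext=staff_u:staff_r:staff_dbusd_t:s0 tclass=dbus
"""

# Captures the permission set and the three fields a rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"\bscontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)")

def selinux_type(context):
    """The type is the third field of user:role:type[:range]."""
    return context.split(":")[2]

def parse_denials(text):
    """Return sorted (source_type, target_type, tclass, perm) tuples, one per
    denied permission; records that are not AVC denials are skipped."""
    found = set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        for perm in m.group("perms").split():
            found.add((selinux_type(m.group("sctx")),
                       selinux_type(m.group("tctx")), m.group("tclass"), perm))
    return sorted(found)

def allow_rules(denials):
    """Collapse denials into allow rules. A dbus send_msg denial is emitted in
    both directions, since the daemon must be able to answer (Comment 16)."""
    perms = {}
    for src, tgt, cls, perm in denials:
        perms.setdefault((src, tgt, cls), set()).add(perm)
        if cls == "dbus" and perm == "send_msg":
            perms.setdefault((tgt, src, cls), set()).add(perm)
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(perms.items())]

def build_module(denials, name="mytumbler"):
    """Render a .te module with a require block, in the style of Comment 15."""
    types = sorted({t for d in denials for t in d[:2]})
    classes = {}
    for _, _, cls, perm in denials:
        classes.setdefault(cls, set()).add(perm)
    lines = ["policy_module(%s, 1.0)" % name, "", "require {"]
    lines += ["  type %s;" % t for t in types]
    lines += ["  class %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"
```

Feed it the output of `ausearch -m avc -c tumblerd` (after `semodule -DB`) and review each generated rule before loading anything; a module like this is a diagnostic aid, not a replacement for the fixed distribution policy.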

Comment 17 Prasanna Vedantha Desikan 2014-02-04 05:52:15 UTC
Description of problem:
I tried to open the application

Additional info:
reporter:       libreport-2.1.11
hashmarkername: setroubleshoot
kernel:         3.12.9-301.fc20.x86_64
type:           libreport

Comment 18 Benjamin Ariel Nava Martinez 2014-02-07 17:45:14 UTC
So, are there any workarounds for this yet? I'm running a server and I can't disable selinux, but it's hard to manage a very large number of images without any thumbnails.

Comment 19 Miroslav Grepl 2014-02-11 17:19:22 UTC
Try to use the latest F20 policy.

http://koji.fedoraproject.org/koji/buildinfo?buildID=495907

Comment 20 Adrián Reboreda Martínez 2014-02-14 20:42:47 UTC
Yep it works!

I've installed both the selinux-policy and selinux-policy-targeted packages:

# yum localinstall --nogpgcheck http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/124.fc20/noarch/selinux-policy-3.12.1-124.fc20.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/124.fc20/noarch/selinux-policy-targeted-3.12.1-124.fc20.noarch.rpm

And now tumblerd works without problem.

Thanks a lot!

Comment 21 Benjamin Ariel Nava Martinez 2014-02-15 06:33:01 UTC
Thanks for confirming! I'll just wait until it's pushed to the updates repo. Regards!

Comment 22 Fedora Update System 2014-02-18 22:08:52 UTC
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20

Comment 23 Benjamin Ariel Nava Martinez 2014-02-20 05:08:16 UTC
I'll provide feedback when it becomes available at my local (mx) mirror. Thanks.

Comment 24 Fedora Update System 2014-02-22 00:41:00 UTC
Package selinux-policy-3.12.1-126.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).

Comment 25 Fedora Update System 2014-02-26 13:48:37 UTC
Package selinux-policy-3.12.1-127.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
then log in and leave karma (feedback).

Comment 26 Fedora Update System 2014-03-12 12:17:07 UTC
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.