| Summary: | SElinux prevents Thunar from creating thumbnails | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | a.o.shyichuk | ||||||||||||||||
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> | ||||||||||||||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||||||||||
| Severity: | low | Docs Contact: | |||||||||||||||||
| Priority: | low | ||||||||||||||||||
| Version: | 23 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba | ||||||||||||||||
| Target Milestone: | --- | ||||||||||||||||||
| Target Release: | --- | ||||||||||||||||||
| Hardware: | x86_64 | ||||||||||||||||||
| OS: | Linux | ||||||||||||||||||
| Whiteboard: | |||||||||||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||||||
| Clone Of: | Environment: | ||||||||||||||||||
| Last Closed: | 2016-02-24 21:57:54 UTC | Type: | Bug | ||||||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||||||
| Documentation: | --- | CRM: | |||||||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||||||
| Attachments: |
|
||||||||||||||||||
Created attachment 1130278 [details]
Cropped audit.log
Created attachment 1130279 [details]
My policy file for thumbnails, should work as a patch
Created attachment 1130280 [details]
.te file, corresponding to the .pp file
Created attachment 1130300 [details]
The .pp file that worked for me
Created attachment 1130301 [details]
The .pp file that worked for me
Created attachment 1130302 [details]
The .te file corresponding to the .pp file
Created attachment 1130303 [details]
Crooped log with message examples
Hi, Problem here is mislabeled homedir on your system. To fix this issue please run: # restorecon -Rv /home/ I removed text in doc text, because it's not proper fix. Thank you. |
Description of problem: SElinux does not allow Thunar to create thumbnail images in ~/.cache/thumbnails Version-Release number of selected component (if applicable): x86_64 Fedora 23 Xfce, 4.3.5-300.fc23.x86_64 How reproducible: Open a folder with images in Thunar: thumbnails are not displayed. "setenforce 0" fixes the issue. Just in case: I was opening a folder on a manually mounted non-system NTFS hard drive. Comments: In order to fix the issue, several different permissions must be set. Check the attached thumbs-pol.te for details. I do not know how to set them all at once, other then use the attached thumbs-pol.pp. In my case, I was repeating the steps below. Fix: Modify selinux policy via repetitions of the following steps: 0. Run "setenforce 1" to go back to enforcing mode. 1. Open a folder with images in Thunar (it is not required to restart thunar, just go to parent dir and back) 2. (optional): check /var/log/audit/audit.log; there must be a line like: type=AVC msg=audit(1456332407.222:284): avc: denied { add_name } for pid=1369 comm="pool" name="0dc587ea8551e5fcdb39b3599e9d4d68-1456332407-223458.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 3. grep <keyword> /var/log/audit/audit.log |audit2allow -M thumbs-pol As there are several permission to set, the lines in audit.log will differ after policy update. However, those must contain a common keyword. In my case, it was 'comm="pool"'. My command looked as: grep 'comm="pool"' /var/log/audit/audit.log |audit2allow -M thumbs-pol 4. Update policy via: semodule -i thumbs-pol.pp 5. Go to step 1 and check if the thumbnails are displayed, continue to step 2 or 3 if not. Note that the type=AVC messages will differ.