Bug 1517393

Summary: SELinux is preventing gsf-office-thum from 'map' accesses on the file /tmp/gnome-desktop-file-to-thumbnail.doc.
Product: Fedora
Reporter: GOGI <goksibg>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 27
CC: dwalsh, goksibg, lvrabec, mgrepl, plautrba, pmoore
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: abrt_hash:7b4efbd54931bf4eea161bc325c826ca4be8b3d023b85a3d0c56e118a73c2f12;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.13.1-283.21.fc27
Doc Type: If docs needed, set a value
Last Closed: 2018-01-10 02:06:49 UTC

Description GOGI 2017-11-24 20:00:07 UTC
Description of problem:
This happens when I execute the following command:

$ systemd-analyze plot > boot.svg

And I have no further info about it, as the file "/tmp/gnome-desktop-file-to-thumbnail.doc" is probably temporary
and no longer exists in the related path when I go there.
Anyway, the file "boot.svg" is created and everything works well, despite this alert.
SELinux is preventing gsf-office-thum from 'map' accesses on the file /tmp/gnome-desktop-file-to-thumbnail.doc.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gsf-office-thum should be allowed map access on the gnome-desktop-file-to-thumbnail.doc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gsf-office-thum' --raw | audit2allow -M my-gsfofficethum
# semodule -X 300 -i my-gsfofficethum.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:admin_home_t:s0
Target Objects                /tmp/gnome-desktop-file-to-thumbnail.doc [ file ]
Source                        gsf-office-thum
Source Path                   gsf-office-thum
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.16.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.13.13-300.fc27.x86_64 #1 SMP Wed
                              Nov 15 15:47:50 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-11-24 20:53:50 CET
Last Seen                     2017-11-24 20:53:50 CET
Local ID                      b880fa9c-7113-45f0-822e-38bbc069fd9a

Raw Audit Messages
type=AVC msg=audit(1511553230.939:269): avc:  denied  { map } for  pid=4087 comm="gsf-office-thum" path="/tmp/gnome-desktop-file-to-thumbnail.doc" dev="dm-0" ino=60558 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0


Hash: gsf-office-thum,thumb_t,admin_home_t,file,map

Version-Release number of selected component:
selinux-policy-3.13.1-283.16.fc27.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.3
hashmarkername: setroubleshoot
kernel:         4.13.13-300.fc27.x86_64
type:           libreport

Comment 1 GOGI 2017-12-04 14:09:15 UTC
Up please!

This now happens even more often, when I open Nautilus, or some other apps that may rely on this binary.
By the way, upgrading to selinux-policy vers. 3.13.1-283.17 doesn't make the issue vanish, and turning off the alerts or creating a local rule for this kind of stuff is not an option for me.

Regards.

Comment 2 Daniel Walsh 2017-12-07 16:28:30 UTC
This avc indicates that a thumbnail application is attempting to memory map a file that belongs in /root homedir?

Looks like this file was created in /root and then mv'd to /tmp?

Are you running nautilus as root or some kind of graphics tools as root?
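The reading Daniel Walsh gives of this AVC (a thumb_t process mapping a file under /tmp that still carries a /root-style label, as happens when a file is created elsewhere and mv'd, which preserves its label) can be checked mechanically. The Python below is an added example, not code from this bug, from setroubleshoot or from selinux-policy: it parses the two raw AVC records quoted in this report, pulls out the source and target types, and compares the target type with a small hand-written table of expected types per path prefix. That table is an assumption standing in for the real file_contexts policy (on a live host, ask the policy via matchpathcon rather than hard-coding prefixes). A mismatch points at a mislabeled file rather than a missing rule, which is why the audit2allow module setroubleshoot proposes would grant thumb_t access to admin_home_t files permanently instead of fixing the label.

```python
import re

# The two raw AVC records quoted in this bug report (verbatim).
AVC_SAMPLES = [
    'type=AVC msg=audit(1511553230.939:269): avc:  denied  { map } for  pid=4087 '
    'comm="gsf-office-thum" path="/tmp/gnome-desktop-file-to-thumbnail.doc" dev="dm-0" '
    'ino=60558 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1514230958.11:414): avc:  denied  { map } for  pid=5957 '
    'comm="gsf-office-thum" path="/tmp/gnome-desktop-file-to-thumbnail.doc" dev="dm-0" '
    'ino=60558 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0',
]

# Assumption: a toy stand-in for the policy's file_contexts. On a real host ask
# the policy itself (e.g. matchpathcon) instead of hard-coding prefixes.
EXPECTED_TYPE_BY_PREFIX = {
    "/tmp/": "tmp_t",
    "/root/": "admin_home_t",
    "/var/": "var_t",
}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values may be double-quoted (comm, path, dev) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # user:role:type:range -> keep the type component, which is what
    # allow rules are written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def expected_type(path):
    """Look the path up in the (assumed) prefix table; None when unknown."""
    for prefix, ftype in EXPECTED_TYPE_BY_PREFIX.items():
        if path.startswith(prefix):
            return ftype
    return None


def assess(rec):
    """Classify a denial: if the file's type differs from what its path should
    carry, the file is mislabeled (relabel or recreate it); otherwise the policy
    genuinely lacks the rule and a policy bug is the right report."""
    if rec is None or rec["result"] != "denied":
        return {"verdict": "not-a-denial"}
    path = rec.get("path")
    want = expected_type(path) if path else None
    have = rec.get("tcontext_type")
    if rec.get("tclass") == "file" and want and have and want != have:
        return {
            "verdict": "mislabeled",
            "expected": want,
            "actual": have,
            "hint": f"ls -Z {path}  # then relabel (chcon -t {want}) or recreate the file",
        }
    return {
        "verdict": "policy-gap",
        "source": rec.get("scontext_type"),
        "actual": have,
        "perms": rec["perms"],
    }


def triage(lines):
    """Triage every AVC line; lines that are not AVC records are skipped."""
    parsed = (parse_avc(line) for line in lines)
    return [assess(rec) for rec in parsed if rec is not None]


if __name__ == "__main__":
    for verdict in triage(AVC_SAMPLES):
        print(verdict)
```

Run stand-alone it prints one verdict per record: both come out as "mislabeled" (admin_home_t and then var_t where the /tmp prefix expects tmp_t). The parsed dev and ino fields are also worth a look when triaging by hand: both reports name the same inode on dm-0, which is useful context when a reporter believes the directory is a fresh tmpfs.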

Comment 3 GOGI 2017-12-08 14:56:01 UTC
(In reply to Daniel Walsh from comment #2)
> This avc indicates that a thumbnail application is attempting to memory map
> a file that belongs in /root homedir?
> 
> Looks like this file was created in /root and then mv'd to /tmp?
> 

You're right, and I'm aware of this, but the fact is that I have no such file in my root directory, nor do I ever create/modify files under this directory. Same under /tmp, as it is mounted on tmpfs and thus is cleaned after reboot. That's the point, I don't understand why SELinux keeps complaining, nor do I know where this came from... Really weird.


> Are you running nautilus as root or some kind of graphics tools as root?

Well, it occurred to me that I opened some .svg icons from custom theme in Inkscape as root, but these files are not labelled as admin_home_t but usr_t.

Could it be possible that it is an old alert that hasn't been cleaned properly and keeps now showing?

Comment 4 Lukas Vrabec 2017-12-12 12:58:46 UTC
(In reply to GOGI from comment #3)
> (In reply to Daniel Walsh from comment #2)
> > This avc indicates that a thumbnail application is attempting to memory map
> > a file that belongs in /root homedir?
> > 
> > Looks like this file was created in /root and then mv'd to /tmp?
> > 
> 
> You're right, and I'm aware of this, but the fact is that I have no such
> file in my root directory, neither do I ever use to create/modify files
> under this directory. Same under /tmp as it is mounted on tmpfs and thus is
> cleaned after reboot. That's the point, I don't understand why SELinux keeps
> complaining, neither do I know where did this come from... Really weird.
> 
> 
> > Are you running nautilus as root or some kind of graphics tools as root?
> 
> Well, it occurred to me that I opened some .svg icons from custom theme in
> Inkscape as root, but these files are not labelled as admin_home_t but usr_t.
> 
> Could it be possible that it is an old alert that hasn't been cleaned
> properly and keeps now showing?

Yes, it looks like old denial. Could you please delete it from setroubleshoot? Are you able to reproduce it?

Comment 5 GOGI 2017-12-25 19:50:09 UTC
(In reply to Lukas Vrabec from comment #4)
> (In reply to GOGI from comment #3)
> > (In reply to Daniel Walsh from comment #2)
> > > This avc indicates that a thumbnail application is attempting to memory map
> > > a file that belongs in /root homedir?
> > > 
> > > Looks like this file was created in /root and then mv'd to /tmp?
> > > 
> > 
> > You're right, and I'm aware of this, but the fact is that I have no such
> > file in my root directory, neither do I ever use to create/modify files
> > under this directory. Same under /tmp as it is mounted on tmpfs and thus is
> > cleaned after reboot. That's the point, I don't understand why SELinux keeps
> > complaining, neither do I know where did this come from... Really weird.
> > 
> > 
> > > Are you running nautilus as root or some kind of graphics tools as root?
> > 
> > Well, it occurred to me that I opened some .svg icons from custom theme in
> > Inkscape as root, but these files are not labelled as admin_home_t but usr_t.
> > 
> > Could it be possible that it is an old alert that hasn't been cleaned
> > properly and keeps now showing?
> 
> Yes, it looks like old denial. Could you please delete it from
> setroubleshoot? Are you able to reproduce it?


Sorry for not answering earlier. It looks like this is really a random issue, and I still don't have any clue on what could cause it. For example, here is the last alert I got:


SELinux is preventing gsf-office-thum from 'map' accesses on the file /tmp/gnome-desktop-file-to-thumbnail.doc.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that gsf-office-thum should be allowed map access on the gnome-desktop-file-to-thumbnail.doc file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c "gsf-office-thum" --raw | audit2allow -M my-gsfofficethum
# semodule -X 300 -i my-gsfofficethum.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_t:s0
Target Objects                /tmp/gnome-desktop-file-to-thumbnail.doc [ file ]
Source                        gsf-office-thum
Source Path                   gsf-office-thum
Port                          <Unknown>
Host                          fedora
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-283.17.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora
Platform                      Linux fedora 4.14.8-300.fc27.x86_64 #1 SMP Wed Dec
                              20 19:00:18 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-12-25 20:42:38 CET
Last Seen                     2017-12-25 20:42:38 CET
Local ID                      6628ec35-68c1-4fa9-86f8-3b227a176db1

Raw Audit Messages
type=AVC msg=audit(1514230958.11:414): avc:  denied  { map } for  pid=5957 comm="gsf-office-thum" path="/tmp/gnome-desktop-file-to-thumbnail.doc" dev="dm-0" ino=60558 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0


Hash: gsf-office-thum,thumb_t,var_t,file,map

I apologise for the alert being in French, I don't really have time to translate, but I'm convinced that you're used to this and don't actually need it to be translated.

Comment 6 Fedora Update System 2018-01-05 14:46:12 UTC
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 7 Fedora Update System 2018-01-05 14:49:06 UTC
selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 8 Fedora Update System 2018-01-06 21:08:41 UTC
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

Comment 9 Fedora Update System 2018-01-10 02:06:49 UTC
selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.