Bug 1517393
| Summary: | SELinux is preventing gsf-office-thum from 'map' accesses on the file /tmp/gnome-desktop-file-to-thumbnail.doc. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | GOGI <goksibg> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 27 | CC: | dwalsh, goksibg, lvrabec, mgrepl, plautrba, pmoore |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | abrt_hash:7b4efbd54931bf4eea161bc325c826ca4be8b3d023b85a3d0c56e118a73c2f12;VARIANT_ID=workstation; | | |
| Fixed In Version: | selinux-policy-3.13.1-283.21.fc27 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-01-10 02:06:49 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
GOGI, 2017-11-24 20:00:07 UTC

Up please! This now happens even more often, when I open Nautilus, or some other apps that may rely on this binary. By the way, upgrading to selinux-policy vers. 3.13.1-283.17 doesn't make the issue vanish, and turning off the alerts or creating a local rule for this kind of stuff is not an option for me. Regards.

Daniel Walsh (comment #2):

This avc indicates that a thumbnail application is attempting to memory map a file that belongs in /root homedir?

Looks like this file was created in /root and then mv'd to /tmp?

Are you running nautilus as root or some kind of graphics tools as root?

GOGI (comment #3):

(In reply to Daniel Walsh from comment #2)
> This avc indicates that a thumbnail application is attempting to memory map a file that belongs in /root homedir?
>
> Looks like this file was created in /root and then mv'd to /tmp?
>

You're right, and I'm aware of this, but the fact is that I have no such file in my root directory, nor do I ever create/modify files under this directory. Same under /tmp as it is mounted on tmpfs and thus is cleaned after reboot. That's the point, I don't understand why SELinux keeps complaining, nor do I know where this came from... Really weird.

> Are you running nautilus as root or some kind of graphics tools as root?

Well, it occurred to me that I opened some .svg icons from custom theme in Inkscape as root, but these files are not labelled as admin_home_t but usr_t.

Could it be possible that it is an old alert that hasn't been cleaned properly and keeps now showing?

Lukas Vrabec (comment #4):

(In reply to GOGI from comment #3)
> (In reply to Daniel Walsh from comment #2)
> > This avc indicates that a thumbnail application is attempting to memory map a file that belongs in /root homedir?
> >
> > Looks like this file was created in /root and then mv'd to /tmp?
> >
>
> You're right, and I'm aware of this, but the fact is that I have no such file in my root directory, nor do I ever create/modify files under this directory. Same under /tmp as it is mounted on tmpfs and thus is cleaned after reboot. That's the point, I don't understand why SELinux keeps complaining, nor do I know where this came from... Really weird.
>
> > Are you running nautilus as root or some kind of graphics tools as root?
>
> Well, it occurred to me that I opened some .svg icons from custom theme in Inkscape as root, but these files are not labelled as admin_home_t but usr_t.
>
> Could it be possible that it is an old alert that hasn't been cleaned properly and keeps now showing?

Yes, it looks like an old denial. Could you please delete it from setroubleshoot? Are you able to reproduce it?

GOGI:

(In reply to Lukas Vrabec from comment #4)
> (In reply to GOGI from comment #3)
> > (In reply to Daniel Walsh from comment #2)
> > > This avc indicates that a thumbnail application is attempting to memory map a file that belongs in /root homedir?
> > >
> > > Looks like this file was created in /root and then mv'd to /tmp?
> > >
> >
> > You're right, and I'm aware of this, but the fact is that I have no such file in my root directory, nor do I ever create/modify files under this directory. Same under /tmp as it is mounted on tmpfs and thus is cleaned after reboot. That's the point, I don't understand why SELinux keeps complaining, nor do I know where this came from... Really weird.
> >
> > > Are you running nautilus as root or some kind of graphics tools as root?
> >
> > Well, it occurred to me that I opened some .svg icons from custom theme in Inkscape as root, but these files are not labelled as admin_home_t but usr_t.
> >
> > Could it be possible that it is an old alert that hasn't been cleaned properly and keeps now showing?
>
> Yes, it looks like an old denial. Could you please delete it from setroubleshoot? Are you able to reproduce it?

Sorry for not answering earlier. It looks like this is really a random issue, and I still don't have any clue on what could cause it. For example, here is the last alert I got:

```
SELinux interdit à gsf-office-thum d'utiliser l'accès map sur le fichier /tmp/gnome-desktop-file-to-thumbnail.doc.

*****  Le greffon catchall (100. de confiance) suggère  *********************

Si vous pensez que gsf-office-thum devrait être autorisé à accéder map sur gnome-desktop-file-to-thumbnail.doc file par défaut.
Alors vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Faire
autoriser cet accès pour le moment en exécutant :
# ausearch -c "gsf-office-thum" --raw | audit2allow -M my-gsfofficethum
# semodule -X 300 -i my-gsfofficethum.pp

Informations complémentaires :
Contexte source                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Contexte cible                 system_u:object_r:var_t:s0
Objets du contexte             /tmp/gnome-desktop-file-to-thumbnail.doc [ file ]
Source                         gsf-office-thum
Chemin de la source            gsf-office-thum
Port                           <Inconnu>
Hôte                           fedora
Paquets RPM source
Paquets RPM cible
RPM de la statégie             selinux-policy-3.13.1-283.17.fc27.noarch
Selinux activé                 True
Type de stratégie              targeted
Mode strict                    Enforcing
Nom de l'hôte                  fedora
Plateforme                     Linux fedora 4.14.8-300.fc27.x86_64 #1 SMP Wed Dec 20 19:00:18 UTC 2017 x86_64 x86_64
Compteur d'alertes             1
Première alerte                2017-12-25 20:42:38 CET
Dernière alerte                2017-12-25 20:42:38 CET
ID local                       6628ec35-68c1-4fa9-86f8-3b227a176db1

Messages d'audit bruts
type=AVC msg=audit(1514230958.11:414): avc:  denied  { map } for  pid=5957 comm="gsf-office-thum" path="/tmp/gnome-desktop-file-to-thumbnail.doc" dev="dm-0" ino=60558 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0

Hash: gsf-office-thum,thumb_t,var_t,file,map
```

I apologise for the alert being in French; I don't really have time to translate, but I'm convinced that you're used to this and don't actually need it to be translated.

Fedora update notices:

selinux-policy-3.13.1-283.21.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0d8506aba4

selinux-policy-3.13.1-283.21.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
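As an added example (not part of the bug thread or the selinux-policy project), the following Python parses the raw AVC line from the alert above, rebuilds the setroubleshoot "Hash:" summary, and compares the denied file's type with the type `matchpathcon` says the path should carry, which is the check behind Daniel Walsh's point that a file created elsewhere and mv'd into /tmp keeps its old label. The `matchpathcon` output line and its expected type `user_tmp_t` are constructed assumptions for the demo.

```python
import re

# The raw AVC denial quoted in the bug report (copied from the alert above).
AVC_LINE = (
    'type=AVC msg=audit(1514230958.11:414): avc: denied { map } for pid=5957 '
    'comm="gsf-office-thum" path="/tmp/gnome-desktop-file-to-thumbnail.doc" '
    'dev="dm-0" ino=60558 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0'
)

# Constructed sample of `matchpathcon <path>` output (path<TAB>context); the
# expected type user_tmp_t is an assumption for the demo, not from the bug.
MATCHPATHCON_LINE = (
    '/tmp/gnome-desktop-file-to-thumbnail.doc\tsystem_u:object_r:user_tmp_t:s0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_avc(line):
    """Return the denial's key=value fields plus the source/target SELinux types."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC denial line')
    avc = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    avc['perms'] = m.group('perms').split()
    avc['stype'] = avc['scontext'].split(':')[2]  # contexts are user:role:type[:range]
    avc['ttype'] = avc['tcontext'].split(':')[2]
    return avc

def setroubleshoot_hash(avc):
    """Rebuild the 'Hash:' line setroubleshoot prints to group identical alerts."""
    return ','.join([avc['comm'], avc['stype'], avc['ttype'],
                     avc['tclass'], avc['perms'][0]])

def label_mismatch(avc, matchpathcon_line):
    """Compare the denied file's type with what policy expects for its path.
    A mismatch means a stale label (e.g. a file mv'd into /tmp keeps its old
    type), so relabelling is the fix rather than a new allow rule."""
    path, expected_ctx = matchpathcon_line.rstrip('\n').split('\t', 1)
    if path != avc['path']:
        raise ValueError('matchpathcon output is for a different path')
    expected_type = expected_ctx.split(':')[2]
    if expected_type == avc['ttype']:
        return None  # label is right; the denial needs a policy fix instead
    return {'path': path, 'actual': avc['ttype'], 'expected': expected_type,
            'fix': 'restorecon -v ' + path}
```

When `label_mismatch` returns `None`, the file is labelled as policy intends and the denial points at a policy gap of the kind the selinux-policy update in this bug addressed, rather than at a mislabelled file.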