Bug 2042696

Summary: After latest selinux-policy update getting constant errors from tumblerd
Product: [Fedora] Fedora
Reporter: Robert Moskowitz <rgm>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: medium
Version: 35
CC: abrahao_rj, atstjx, dani, duplessisf187, dwalsh, enyone, ezwinglet, fedora, fedora, forummail, grepl.miroslav, ian.s.mcinerney, jhutar, lvrabec, maxime, mbol8309, mhroncok, mmalik, neto.itaituba, nixuser, norbert.jurkeit, omosnace, pkoncity, redhat, red, scroolik, thedatum+bz, vmojzis, zpytela
Keywords: Triaged
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-35.13-1.fc35
Last Closed: 2022-02-04 01:22:58 UTC
Type: Bug

Description Robert Moskowitz 2022-01-19 23:45:03 UTC
Description of problem:

System:  F35 with Xfce UI

Constant SELinux policy errors triggered by tumblerd

Version-Release number of selected component (if applicable):

selinux-policy-targeted-35.10-1.fc35.noarch

How reproducible:

Applied latest update:

selinux-policy-targeted-35.8-1.fc35.noarch to selinux-policy-targeted-35.10-1.fc35.noarch




Additional info:

Details:

SELinux is preventing tumblerd from write access on the sock_file bus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tumblerd should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd
# semodule -X 300 -i my-tumblerd.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:session_dbusd_tmp_t:s0
Target Objects                bus [ sock_file ]
Source                        tumblerd
Source Path                   tumblerd
Port                          <Unknown>
Host                          lx140e.htt-consult.com
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-35.10-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.10-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lx140e.htt-consult.com
Platform                      Linux lx140e.htt-consult.com
                              5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 16:49:27
                              UTC 2022 x86_64 x86_64
Alert Count                   10
First Seen                    2022-01-19 18:30:28 EST
Last Seen                     2022-01-19 18:37:36 EST
Local ID                      efb2e4f1-0433-4b8f-9a60-37e76ac5d4af

Raw Audit Messages
type=AVC msg=audit(1642635456.954:3314): avc:  denied  { write } for  pid=104519 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0


Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write

Comment 1 Robert Moskowitz 2022-01-19 23:46:34 UTC
I just told the selinux browser to ignore this error as it keeps coming up.  Very annoying.

Comment 2 Zdenek Pytela 2022-01-20 16:16:31 UTC
Please update to selinux-policy-35.11-1.fc35

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1016

Comment 3 Zdenek Pytela 2022-01-20 16:21:58 UTC
*** Bug 2042666 has been marked as a duplicate of this bug. ***

Comment 4 Robert Moskowitz 2022-01-20 16:24:48 UTC
OK.  I just ran:

dnf update https://kojipkgs.fedoraproject.org//packages/selinux-policy/35.11/1.fc35/noarch/selinux-policy-35.11-1.fc35.noarch.rpm https://kojipkgs.fedoraproject.org//packages/selinux-policy/35.11/1.fc35/noarch/selinux-policy-targeted-35.11-1.fc35.noarch.rpm

which seems to have updated policy to 35.11-1.  I also updated policy-targeted, as they seem to go together.

Now how do I turn off the 'ignore' setting I had set so I can see if this really fixed the problem?

thanks

Comment 5 Robert Moskowitz 2022-01-20 16:54:51 UTC
I opened up SELinux Alert Browser and see I am still getting the errors:

SELinux is preventing tumblerd from write access on the sock_file bus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tumblerd should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd
# semodule -X 300 -i my-tumblerd.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:session_dbusd_tmp_t:s0
Target Objects                bus [ sock_file ]
Source                        tumblerd
Source Path                   tumblerd
Port                          <Unknown>
Host                          lx140e.htt-consult.com
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-35.11-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.11-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lx140e.htt-consult.com
Platform                      Linux lx140e.htt-consult.com
                              5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 16:49:27
                              UTC 2022 x86_64 x86_64
Alert Count                   155
First Seen                    2022-01-19 18:30:28 EST
Last Seen                     2022-01-20 11:50:21 EST
Local ID                      efb2e4f1-0433-4b8f-9a60-37e76ac5d4af

Raw Audit Messages
type=AVC msg=audit(1642697421.643:4939): avc:  denied  { write } for  pid=129496 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0


Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write
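
An added example, not part of the original report or of setroubleshoot: it parses the raw AVC records quoted above, rebuilds the field order of the report's "Hash:" line, and groups denials by policy rule so that reports differing only in `comm` collapse into one. The function names are hypothetical, and the third sample record is constructed with assumed contexts.

```python
import re
from collections import defaultdict

# Records 1-2 are the raw AVC lines quoted in this report. Record 3 is constructed:
# the page gives only the comm name gdk-pixbuf-thum, so its contexts are assumed.
SAMPLE = """\
type=AVC msg=audit(1642635456.954:3314): avc:  denied  { write } for  pid=104519 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1642697421.643:4939): avc:  denied  { write } for  pid=129496 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1643000000.000:1): avc:  denied  { write } for  pid=1000 comm="gdk-pixbuf-thum" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    # user:role:type:level; the MLS level may itself contain ':' (s0-s0:c0.c1023)
    return context.split(":", 3)[2]

def parse_avc(line):
    m = AVC_RE.search(line)
    if m is None:
        return None  # not an AVC denial record
    return {"comm": m["comm"], "stype": selinux_type(m["scontext"]),
            "ttype": selinux_type(m["tcontext"]), "tclass": m["tclass"],
            "perms": tuple(m["perms"].split())}

def report_hash(rec):
    # Same field order as the "Hash:" line shown in the report
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], *rec["perms"]])

def group_denials(text):
    # Key on (source type, target type, class): comm and pid do not affect policy
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for rec in filter(None, map(parse_avc, text.splitlines())):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["comms"].add(rec["comm"])
        g["count"] += 1
    return dict(groups)

def candidate_rules(groups):
    # Rule text a local module would add for each group, shown for review only
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    print("\n".join(candidate_rules(group_denials(SAMPLE))))
```

Reading the grouped rule before loading a module generated by `audit2allow -M` shows exactly what access the local policy would grant to every process running in the source type, not just the one named in the alert.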

Comment 6 Zdenek Pytela 2022-01-20 17:38:09 UTC
This particular problem has not been addressed, there is just a PR for it.

Comment 7 Zdenek Pytela 2022-01-25 16:59:32 UTC
*** Bug 2042108 has been marked as a duplicate of this bug. ***

Comment 8 ezwinglet 2022-01-25 23:35:45 UTC
Similar problem has been detected:

When viewing image files (JPG, PNG, etc.) in Fedora 35 using the Eye of MATE Image Viewer, this SELinux alert pops up randomly. This began a couple of weeks ago when some SELinux updates came down from the @fedora repositories. Some further updates came down the next day or the day after, also to SELinux, but did not resolve this particular alert. Sometimes this occurs when browsing through photos in the viewer, sometimes it occurs when a photo is opened and closed rapidly; the behavior appears random and does not necessarily correlate to any sort of file system action such as a deletion, rename, movement, etc.

hashmarkername: setroubleshoot
kernel:         5.15.14-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing gdk-pixbuf-thum from 'write' accesses on the sock_file bus.
type:           libreport

Comment 9 Zdenek Pytela 2022-01-26 14:10:38 UTC
*** Bug 2044422 has been marked as a duplicate of this bug. ***

Comment 10 Zdenek Pytela 2022-01-26 15:46:44 UTC
*** Bug 2041932 has been marked as a duplicate of this bug. ***

Comment 11 Zdenek Pytela 2022-01-26 15:49:34 UTC
*** Bug 2041085 has been marked as a duplicate of this bug. ***

Comment 12 James Caldwell 2022-01-27 02:36:46 UTC
Similar problem has been detected:

When I enter my ~/Pictures folder. I've run the following in my home folder and it does not correct the issue.

restorecon -R -v ~

Using Fedora 35 with LXDE and PCManFM file manager  aka Lightweight file manager
using LibFM ver. 1.3.2

hashmarkername: setroubleshoot
kernel:         5.15.16-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing evince-thumbnai from 'write' accesses on the sock_file bus.
type:           libreport

Comment 13 atstjx 2022-01-30 04:05:25 UTC
Similar problem has been detected:

I opened a pdf file from within nemo file explorer. Unsure if there is any connection, but it was coincident.

hashmarkername: setroubleshoot
kernel:         5.15.16-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing gdk-pixbuf-thum from 'write' accesses on the sock_file bus.
type:           libreport

Comment 14 Ian McInerney 2022-01-30 17:33:00 UTC
@zpytela I see that there is a build of the 35.12 policy for Rawhide, but there isn't one for F35 yet. Can you also build & submit it for F35 so that this error is fixed there?

Comment 15 Zdenek Pytela 2022-01-31 10:34:19 UTC
(In reply to Ian McInerney from comment #14)
> @zpytela I see that there is a build of the 35.12 policy for
> Rawhide, but there isn't one for F35 yet. Can you also build & submit it for
> F35 so that this error is fixed there?

There will be a new build soon.

Comment 16 Zdenek Pytela 2022-01-31 11:52:19 UTC
*** Bug 2048076 has been marked as a duplicate of this bug. ***

Comment 17 thedatum+bz 2022-02-02 00:20:08 UTC
Similar problem has been detected:

Problem occurs while browsing through files and folders in Caja file manager.

hashmarkername: setroubleshoot
kernel:         5.15.18-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing atril-thumbnail from 'write' accesses on the sock_file bus.
type:           libreport

Comment 18 Fedora Update System 2022-02-02 12:11:04 UTC
FEDORA-2022-20f36a8b0e has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e

Comment 19 Fedora Update System 2022-02-03 01:35:20 UTC
FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-20f36a8b0e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 20 Fedora Update System 2022-02-04 01:22:58 UTC
FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 21 Nicolas Sapa 2022-02-04 22:36:35 UTC
Similar problem has been detected:

Opening a folder with PNG image with Caja

hashmarkername: setroubleshoot
kernel:         5.15.16-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing gdk-pixbuf-thum from 'write' accesses on the sock_file bus.
type:           libreport

Comment 22 Zdenek Pytela 2022-02-08 18:04:12 UTC
*** Bug 2043844 has been marked as a duplicate of this bug. ***

Comment 23 Miguel Bolivar 2022-02-10 18:45:41 UTC
Similar problem has been detected:

I just tried to rotate an image in the pictures folder that was from a print screen

hashmarkername: setroubleshoot
kernel:         5.15.17-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing gdk-pixbuf-thum from 'write' accesses on the sock_file bus.
type:           libreport