Bug 812094
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing /usr/bin/totem-video-thumbnailer from 'setattr' accesses on the sock_file socket-4322-1804289383. | | |
| Product | Fedora | Reporter | Mirco Tischler <mt-ml> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 17 | CC | dominick.grift, dwalsh, mgrepl |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Unspecified | | |
| Whiteboard | abrt_hash:c2aede47e45d9effad98006de94e4dc6b0588250f42fba3698293cb0fe3f45a8 | | |
| Fixed In Version | selinux-policy-3.10.0-116.fc17 | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2012-04-18 23:07:43 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Mirco Tischler
2012-04-12 18:15:06 UTC
Do you know if this tmp_t file was owned by totem or xdm?

If you mean file permissions, the file is owned by me, i.e. the user who used nautilus to browse to the directory containing the video files and thus triggered the execution of totem-video-thumbnailer. What I probably should have added in the first place: there are follow-up alerts for write and remove_name accesses. Also, this is 100% reproducible. I just have to create a new video file and browse to the directory containing it to trigger this.

Ok, if it creates the socket then that is good. I have checked in a fix to allow thumbnailers to create sockets in directories created by gdm.

selinux-policy-3.10.0-114.fc17.noarch

Are you sure this is the right build? I downloaded it from koji and it doesn't fix the issue. But koji says it was built this morning, so before Comment 2, and there is no mention of the change in the changelog?

Maybe not. Let's say it is fixed in selinux-policy-3.10.0-114.fc17.noarch

You could check if the fix was supposed to be in -114:

grep -r xserver_xdm_tmp_filetrans /usr/share/selinux/devel/

That comes up empty.

It is going to be fixed in selinux-policy-3.10.0-115.fc17

selinux-policy-3.10.0-116.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-116.fc17

116 fixes the problem. However, one related AVC still comes up, where totem-video-thumbnailer asks for setattr on the parent directory /tmp/at-spi2. I didn't realize this wasn't a duplicate of the originally reported message until now. Here's the audit line:

type=AVC msg=audit(1334757947.372:154): avc: denied { setattr } for pid=5280 comm="totem-video-thu" name="at-spi2" dev="tmpfs" ino=85909 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir

Did everything work fine in enforcing mode? I guess we could dontaudit this one.

selinux-policy-3.10.0-116.fc17 has been pushed to the Fedora 17 stable repository.
If problems still persist, please make note of it in this bug report.
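As an added example (not code from the bug report or from the selinux-policy project), here is a small Python parser for AVC records like the one quoted in the thread. It pulls out the permissions, the source and target contexts and the object class, converts the `audit(...)` timestamp to UTC, and prints the `allow` or `dontaudit` rule that audit2allow would propose for each record, merging repeated denials per (source type, target type, class) the way audit2allow does. The first sample line is the AVC from the report; the second is constructed here to stand for the sock_file denial in the summary, and its pid, inode, serial and timestamp are invented.

```python
"""Parse SELinux AVC denial records and derive the TE rule audit2allow would propose.

Added example for this bug report; not part of the report or of selinux-policy.
"""
import re
from datetime import datetime, timezone

# The first line is the AVC quoted in the bug. The second is CONSTRUCTED for
# this example (pid, ino, serial and timestamp are invented) to represent the
# sock_file denial named in the bug summary.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1334757947.372:154): avc: denied { setattr } for pid=5280 '
    'comm="totem-video-thu" name="at-spi2" dev="tmpfs" ino=85909 '
    'scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:xdm_tmp_t:s0 tclass=dir',
    'type=AVC msg=audit(1334757000.000:100): avc:  denied  { setattr write } for  pid=5000 '
    'comm="totem-video-thu" name="socket-4322-1804289383" dev="tmpfs" ino=12345 '
    'scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:xdm_tmp_t:s0 tclass=sock_file',
]

# audit.log uses double spaces around "denied"; the bug's copy has single ones,
# so the whitespace is matched loosely.
_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
_MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC's fields; raise ValueError for non-denial lines."""
    m = _DENIED_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    rec = {"perms": sorted(m.group(1).split())}
    mm = _MSG_RE.search(line)
    if mm:
        rec["timestamp"] = int(mm.group(1))  # seconds since the epoch
        rec["serial"] = int(mm.group(3))     # audit event serial number
    for key, value in _KV_RE.findall(line):
        if key in ("type", "msg"):           # handled above / not a field
            continue
        rec[key] = value.strip('"')
    for required in ("scontext", "tcontext", "tclass"):
        if required not in rec:
            raise ValueError("AVC missing %s: %r" % (required, line))
    return rec


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def avc_time(rec):
    """ISO-8601 UTC time of the event, from the audit(...) timestamp."""
    return datetime.fromtimestamp(rec["timestamp"], tz=timezone.utc).isoformat()


def suggest_rule(rec, dontaudit=False):
    """Format the TE rule that would silence this denial.

    allow grants the access; dontaudit (what the maintainer floated for the
    /tmp/at-spi2 setattr) keeps denying it but stops logging it.
    """
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    verb = "dontaudit" if dontaudit else "allow"
    return "%s %s %s:%s %s;" % (
        verb, type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm_str)


def summarize(lines):
    """Merge denials by (source type, target type, class), like audit2allow does.

    Returns {(stype, ttype, tclass): sorted permission list}.
    """
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        merged[key] = sorted(set(merged.get(key, [])) | set(rec["perms"]))
    return merged


if __name__ == "__main__":
    for line in SAMPLE_AVC_LINES:
        rec = parse_avc(line)
        print(avc_time(rec), rec["comm"], suggest_rule(rec))
    for (stype, ttype, tclass), perms in summarize(SAMPLE_AVC_LINES).items():
        print("merged:", stype, ttype, tclass, perms)
```

The generated `allow thumb_t xdm_tmp_t:...` rule is a diagnostic summary of what was denied, not the fix that shipped: the thread checks for the `xserver_xdm_tmp_filetrans` interface under /usr/share/selinux/devel/, i.e. the maintainer labelled the thumbnailer's sockets through a file transition in the policy rather than granting thumb_t broad write access to everything labelled xdm_tmp_t. The `dontaudit` variant is the other option raised in the thread, appropriate only once the application has been confirmed to work in enforcing mode with the access still denied.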