Bug 825874

Summary: imagemagick should create its cache files in either its own directory in the homedir or in ~/.cache subdir
Product: [Fedora] Fedora
Reporter: Juan <juan.seo>
Component: ImageMagick
Assignee: Pavel Alexeev <pahan>
Status: CLOSED UPSTREAM
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: belegdol, chris.j.n, dominick.grift, dwalsh, jonathan.underwood, josian2200, lvrabec, mgrepl, ms, neilsbb, nmurray, pahan, sjensen, yajo.sk8
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:22522176ff5850bd2d1df8973561c2c2a68f4c27702302a93e20093dd65af693
Doc Type: Bug Fix
Last Closed: 2012-11-21 17:05:43 UTC
Attachments (description, flags):
selinux default (flags: none)
selinux with thumb_d allowed (flags: none)

Description Juan 2012-05-28 21:08:57 UTC
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.7-1.fc17.x86_64
time:           Mon 28 May 2012 04:08:39 PM COT

description:
:SELinux is preventing /usr/bin/composite from 'create' accesses on the file magickd17HII.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that composite should be allowed create access on the magickd17HII file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep composite /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:user_home_dir_t:s0
:Target Objects                magickd17HII [ file ]
:Source                        composite
:Source Path                   /usr/bin/composite
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           ImageMagick-6.7.5.6-3.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.7-1.fc17.x86_64 #1 SMP Mon
:                              May 21 22:32:19 UTC 2012 x86_64 x86_64
:Alert Count                   14
:First Seen                    Mon 28 May 2012 01:58:41 PM COT
:Last Seen                     Mon 28 May 2012 01:58:42 PM COT
:Local ID                      2d0b697f-a890-4c84-ae80-7bae8185d491
:
:Raw Audit Messages
:type=AVC msg=audit(1338231522.305:400): avc:  denied  { create } for  pid=18317 comm="convert" name="magickd17HII" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1338231522.305:400): arch=x86_64 syscall=open success=no exit=EACCES a0=208d780 a1=c2 a2=180 a3=b9443ef893 items=0 ppid=18281 pid=18317 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=convert exe=/usr/bin/convert subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
:
:Hash: composite,thumb_t,user_home_dir_t,file,create
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Miroslav Grepl 2012-05-29 05:43:18 UTC
Where is "magickd17HII" located in your home directory?

Comment 2 Stefan Jensen 2012-06-21 15:35:57 UTC
Same for me here. Seems that the gnome-exe-thumbnailer causes this.

$ rpm -qa | grep selinux

selinux-policy-devel-3.10.0-132.fc17.noarch
libselinux-2.1.10-3.fc17.x86_64
selinux-policy-targeted-3.10.0-132.fc17.noarch
libselinux-utils-2.1.10-3.fc17.x86_64
libselinux-2.1.10-3.fc17.i686
selinux-policy-3.10.0-132.fc17.noarch
libselinux-python-2.1.10-3.fc17.x86_64

$ sealert -l 3a9dbfd7-c960-446d-bb65-2f1fb7712f55

WARNING: Policy would be downgraded from version 27 to 26.

** (setroubleshoot:5774): WARNING **: Trying to register gtype 'GMountMountFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:5774): WARNING **: Trying to register gtype 'GDriveStartFlags' as enum when in fact it is of type 'GFlags'

** (setroubleshoot:5774): WARNING **: Trying to register gtype 'GSocketMsgFlags' as enum when in fact it is of type 'GFlags'
Gtk-Message: Failed to load module "pk-gtk-module"
SELinux is preventing /usr/bin/composite from create access on the file magick7iMnWP.

*****  Plugin catchall (100. confidence) suggests  ***************************

If sie denken, dass composite standardmässig erlaubt sein sollte, create Zugriff auf magick7iMnWP file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep composite /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


WARNING: Policy would be downgraded from version 27 to 26.
WARNING: Policy would be downgraded from version 27 to 26.
Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                magick7iMnWP [ file ]
Source                        composite
Source Path                   /usr/bin/composite
Port                          <Unbekannt>
Host                          hurricane.lounge-warrior.org
Source RPM Packages           ImageMagick-6.7.5.6-3.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-132.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     hurricane.lounge-warrior.org
Platform                      Linux hurricane.lounge-warrior.org
                              3.4.3-1.fc17.x86_64 #1 SMP Mon Jun 18 19:53:17 UTC
                              2012 x86_64 x86_64
Alert Count                   7
First Seen                    Do 21 Jun 2012 17:27:33 CEST
Last Seen                     Do 21 Jun 2012 17:27:34 CEST
Local ID                      3a9dbfd7-c960-446d-bb65-2f1fb7712f55

Raw Audit Messages
type=AVC msg=audit(1340292454.372:213): avc:  denied  { create } for  pid=5503 comm="convert" name="magick7iMnWP" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file


type=SYSCALL msg=audit(1340292454.372:213): arch=x86_64 syscall=open success=no exit=EACCES a0=148cd90 a1=c2 a2=180 a3=f800b3cc40 items=0 ppid=5470 pid=5503 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=convert exe=/usr/bin/convert subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: composite,thumb_t,user_home_dir_t,file,create

audit2allow

#============= thumb_t ==============
allow thumb_t user_home_dir_t:file create;

audit2allow -R

#============= thumb_t ==============
allow thumb_t user_home_dir_t:file create;
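
An added example (not part of the bug report, and not code from setroubleshoot or audit2allow): a small Python parser that pairs the AVC and SYSCALL records quoted in comment 2 by audit event id, rebuilds the rule audit2allow printed, and decodes the open() arguments. The function names are made up for this illustration, and the flag constants are the x86_64 Linux open(2) values.

```python
import re
from collections import defaultdict

# Sample input: the AVC and SYSCALL records quoted in comment 2 of this bug.
SAMPLE = """\
type=AVC msg=audit(1340292454.372:213): avc:  denied  { create } for  pid=5503 comm="convert" name="magick7iMnWP" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1340292454.372:213): arch=x86_64 syscall=open success=no exit=EACCES a0=148cd90 a1=c2 a2=180 a3=f800b3cc40 items=0 ppid=5470 pid=5503 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=convert exe=/usr/bin/convert subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
"""

# Unanchored, so the ':' prefix that abrt puts on each line is tolerated.
RECORD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):[ \t]*(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
# x86_64 Linux open(2) flag bits; the access mode lives in the low two bits.
ACCESS = ["O_RDONLY", "O_WRONLY", "O_RDWR"]
BITS = {0x40: "O_CREAT", 0x80: "O_EXCL", 0x200: "O_TRUNC", 0x400: "O_APPEND"}

def parse_events(text):
    """Group audit records that share one event id (timestamp:serial)."""
    events = defaultdict(dict)
    for m in RECORD.finditer(text):
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            fields["perms"] = p.group(1).split() if (p := PERMS.search(body)) else []
        events[event_id][rtype] = fields
    return events

def describe_open(sc):
    """Decode the hex a1 (flags) and a2 (mode) arguments of an open() record."""
    flags, mode = int(sc["a1"], 16), int(sc["a2"], 16)
    names = [ACCESS[flags & 3]] + [n for bit, n in BITS.items() if flags & bit]
    return "|".join(names), oct(mode)

def summarize(text):
    """One dict per denial: executable, equivalent allow rule, open() details."""
    out = []
    for event_id, recs in parse_events(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or not avc["perms"]:
            continue
        # An SELinux context is user:role:type:level; the rule uses the types.
        src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        perms = avc["perms"]
        perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        row = {"event": event_id, "exe": sc.get("exe"), "name": avc.get("name"),
               "rule": f"allow {src} {tgt}:{avc['tclass']} {perm};"}
        if sc.get("syscall") == "open":
            row["flags"], row["mode"] = describe_open(sc)
        out.append(row)
    return out
```

For the two records above, `summarize(SAMPLE)` reports the executable from the SYSCALL record (/usr/bin/convert), the same rule audit2allow printed, and an open() with O_RDWR|O_CREAT|O_EXCL and mode 0o600, i.e. an exclusive temporary-file create.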

Comment 3 Miroslav Grepl 2012-06-25 12:03:13 UTC
Could you locate the magick7iMnWP file if you re-test it with

# semanage permissive -a thumb_t

Comment 4 Stefan Jensen 2012-06-25 14:51:52 UTC
Created attachment 594202
selinux default

Comment 5 Stefan Jensen 2012-06-25 14:52:38 UTC
Created attachment 594203
selinux with thumb_d allowed

Comment 6 Stefan Jensen 2012-06-25 14:53:14 UTC
It seems that the "magick*" files are created in "/tmp".
But I can't find any of these files.

Without # semanage permissive -a thumb_t, I get:

Hash: composite,thumb_t,user_home_dir_t,file,create
audit2allow
#============= thumb_t ==============
allow thumb_t user_home_dir_t:file { write create };
audit2allow -R
#============= thumb_t ==============
allow thumb_t user_home_dir_t:file { write create };


With # semanage permissive -a thumb_t enabled, I get:

Hash: composite,thumb_t,user_home_dir_t,file,unlink
audit2allow
#============= thumb_t ==============
allow thumb_t user_home_dir_t:file unlink;
audit2allow -R
#============= thumb_t ==============
allow thumb_t user_home_dir_t:file unlink;

Also, I caught these from /var/log/messages:

composite: Ignoring incorrect cHRM white(.3127,.3127) r(.64,.33)g(.3,.6)b(.15,.06) when sRGB is also present `/tmp/magick-2N4mavlW' @ warning/png.c/MagickPNGWarningHandler/1754.
composite: Ignoring incorrect cHRM white(.3127,.3127) r(.64,.33)g(.3,.6)b(.15,.06) when sRGB is also present `/tmp/magick-O8H4HyX1' @ warning/png.c/MagickPNGWarningHandler/1754.

Full output of selinux attached.

Comment 7 Daniel Walsh 2012-06-25 16:26:25 UTC
Stephan does

> restorecon -R -v ~

Change any labels?

Comment 8 Stefan Jensen 2012-06-25 17:21:41 UTC
(In reply to comment #7)
> Stephan does
> 
> > restorecon -R -v ~
> 
> Change any labels?

Yes, it has changed the labels of a lot of files in $HOME, but this doesn't help with the problem. Same behaviour as before.

I have not mentioned that I mounted /tmp on a tmpfs in fstab:

tmpfs /tmp tmpfs defaults,size=2048m,mode=1777,nosuid,nodev,fscontext=system_u:object_r:tmp_t:s0	0 0

But this should be fine, I guess. (?)

Comment 9 Daniel Walsh 2012-06-25 20:29:44 UTC
ls -lZd /tmp

Comment 10 Stefan Jensen 2012-06-25 21:00:19 UTC
#ls -lZd /tmp

drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp

Comment 11 Stefan Jensen 2012-06-25 23:48:07 UTC
I've made some tests. I removed /tmp from being tmpfs, made a clean reboot and after that ran a restorecon on ~ and /tmp, to be sure. Then I opened a dir with nautilus that only holds two .exe files, to get the exe-thumbnailer triggered.

These are exactly the errors I've got:

Note the gconf-warning...

==> /home/jensen/.xsession-errors <==

(gconftool-2:2138): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /tmp/dbus-D4NUponIlj: Keine Berechtigung
Der Wert für »/desktop/gnome/interface/icon_theme« konnte nicht ermittelt werden: D-BUS-Hintergrunddienst läuft nicht

composite: Ignoring incorrect cHRM white(.3127,.3127) r(.64,.33)g(.3,.6)b(.15,.06) when sRGB is also present `/tmp/magick-otfnOjqW' @ warning/png.c/MagickPNGWarningHandler/1754.

(gconftool-2:2175): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /tmp/dbus-D4NUponIlj: Keine Berechtigung
Der Wert für »/desktop/gnome/interface/icon_theme« konnte nicht ermittelt werden: D-BUS-Hintergrunddienst läuft nicht

composite: Ignoring incorrect cHRM white(.3127,.3127) r(.64,.33)g(.3,.6)b(.15,.06) when sRGB is also present `/tmp/magick-HyDFmrtn' @ warning/png.c/MagickPNGWarningHandler/1754.

==> messages <==
Jun 26 01:33:45 hurricane setroubleshoot: SELinux is preventing /usr/bin/composite from create access on the file magicknHUHej. For complete SELinux messages. run sealert -l 8489268c-7221-4385-b86b-617ee6206152

Comment 12 Daniel Walsh 2012-06-26 10:34:34 UTC
Can we move these files to some directory other than ~/.thumbnails, if possible.

Or into a directory like ~/.imagemagic

or worst case ~/.cache

~/.cache/.thumnails or ~/.cache/.imagemagic 

would also be good.

Comment 13 Pavel Alexeev 2012-06-26 20:01:55 UTC
Sorry, but what files are you speaking about? If I understand correctly, these denial logs show that imagemagick from the nautilus plugin tries to create temporary files in /tmp to do the work of compositing images, but is denied by policy. Is it undefined? Where should it place temporary intermediate files except /tmp?

Comment 14 Stefan Jensen 2012-06-26 21:24:18 UTC
For some strange reason, this error is gone. Nothing else changed so far.

selinux alert gone.
dbus error gone.

I have no idea what happened.

Last packages updated:

Jun 26 06:01:51 Updated: xorg-x11-server-common-1.12.2-3.fc17.x86_64
Jun 26 06:01:52 Updated: netpbm-10.58.01-1.fc17.x86_64
Jun 26 06:01:53 Updated: xen-licenses-4.1.2-20.fc17.x86_64
Jun 26 06:01:55 Updated: krb5-libs-1.10.2-2.fc17.x86_64
Jun 26 06:01:56 Updated: krb5-workstation-1.10.2-2.fc17.x86_64
Jun 26 06:01:57 Updated: xen-libs-4.1.2-20.fc17.x86_64
Jun 26 06:02:00 Updated: netpbm-progs-10.58.01-1.fc17.x86_64
Jun 26 06:02:01 Updated: netpbm-devel-10.58.01-1.fc17.x86_64
Jun 26 06:02:02 Updated: xorg-x11-server-Xephyr-1.12.2-3.fc17.x86_64
Jun 26 06:02:03 Updated: xorg-x11-server-Xorg-1.12.2-3.fc17.x86_64
Jun 26 06:02:04 Updated: acpid-2.0.16-2.fc17.x86_64
Jun 26 06:02:04 Updated: felix-osgi-compendium-1.4.0-10.fc17.noarch
Jun 26 06:02:05 Updated: libvisio-0.0.17-1.fc17.x86_64
Jun 26 06:02:06 Updated: ibus-hangul-1.4.1-4.fc17.x86_64
Jun 26 06:02:07 Updated: javamail-1.4.3-11.fc17.noarch
Jun 26 06:02:10 Updated: libicu-4.8.1.1-4.fc17.x86_64
Jun 26 06:02:11 Updated: 2:tar-1.26-6.fc17.x86_64
Jun 26 06:02:12 Updated: python-urlgrabber-3.9.1-13.fc17.noarch
Jun 26 06:02:13 Updated: krb5-libs-1.10.2-2.fc17.i686

Comment 15 Miroslav Grepl 2012-10-17 07:54:57 UTC
Ok, let's close this bug and reopen if this happens again.

Comment 16 Daniel Walsh 2012-11-21 10:57:29 UTC
*** Bug 878762 has been marked as a duplicate of this bug. ***

Comment 17 Daniel Walsh 2012-11-21 13:38:42 UTC
It happened again.

Comment 18 Pavel Alexeev 2012-11-21 17:05:43 UTC
Thank you for your bug report and willingness to make free software better!

Reported upstream: http://www.imagemagick.org/discourse-server/viewtopic.php?f=3&t=22311

We are closing the bug now, as it is related to upstream development. But we will continue to track changes, and whenever it is fixed we will consider making an update in Fedora.

Comment 19 Pavel Alexeev 2012-11-24 14:18:16 UTC
Could you check that setting the MAGICK_TMPDIR env variable solves the problem? Then we can try to set it in profile.d by default.

Comment 20 Pavel Alexeev 2012-12-03 21:01:20 UTC
*** Bug 870614 has been marked as a duplicate of this bug. ***

Comment 21 Pavel Alexeev 2013-01-02 09:52:30 UTC
*** Bug 880941 has been marked as a duplicate of this bug. ***

Comment 22 Pavel Alexeev 2013-07-14 19:16:25 UTC
*** Bug 980623 has been marked as a duplicate of this bug. ***

Comment 23 Pavel Alexeev 2013-08-31 16:15:09 UTC
*** Bug 1001777 has been marked as a duplicate of this bug. ***

Comment 24 Pavel Alexeev 2014-03-03 11:56:26 UTC
*** Bug 1069862 has been marked as a duplicate of this bug. ***

Comment 25 Lukas Vrabec 2016-01-04 11:57:03 UTC
*** Bug 1293488 has been marked as a duplicate of this bug. ***