Bug 858615
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/totem-video-thumbnailer from 'create' accesses on the file registry.x86_64.bin.tmpLUSKKW. |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Version | 18 |
| Hardware | x86_64 |
| OS | Unspecified |
| Status | CLOSED CURRENTRELEASE |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Abhay <abhaykadam88> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | chmelarz, dominick.grift, dwalsh, elad, lsatenstein, luya, mgrepl, mikhail.v.gavrilov, pschindl, stefw |
| Whiteboard | abrt_hash:927c3b39bc6b7555bdd07838f0f3b8a73e6d2fcb7c27b3325779c68f5f3ad14a |
| Doc Type | Bug Fix |
| Last Closed | 2012-10-24 18:54:18 UTC |

Description
Abhay
2012-09-19 08:40:02 UTC
Created attachment 614261 [details]
File: type
Created attachment 614262 [details]
File: hashmarkername
What is a path to "registry.x86_64.bin.tmpLUSKKW"? I would like to know if this is mislabeling or we need to add new rules. Thank you.

I guess this is mislabeling, because the file was located in /home/abhay/video.

~/.cache/thumbnails is mislabeled in the current policy; it should be labeled thumb_home_t. I just fixed that in policy.
Fixed in selinux-policy-3.11.1-23.fc18.noarch

selinux-policy-3.11.1-25.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-25.fc18

Package selinux-policy-3.11.1-25.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-25.fc18'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14807/selinux-policy-3.11.1-25.fc18
then log in and leave karma (feedback).

I did no activity with Totem, message appeared during emptying the trash
Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

thumbnailers get executed when you have a nautilus screen, i.e. a screen showing you files with icons.
Fixed in selinux-policy-3.11.1-37.fc18.noarch

This bug appears when I copy some music and videos from one folder to another.
Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

$ rpm -q selinux-policy
selinux-policy-3.11.1-46.fc18.noarch
And the problem is still there :(

Do you get the same AVC msg?

How do I check this????

so????

# cat /var/log/audit/audit.log | grep totem-video-thumbnailer
type=SYSCALL msg=audit(1351430384.195:1125): arch=40000003 syscall=5 success=no exit=-13 a0=906e110 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=24791 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351430384.196:1126): arch=40000003 syscall=5 success=no exit=-13 a0=908c738 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=24791 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351440660.812:1161): arch=40000003 syscall=5 success=no exit=-13 a0=84f5ca8 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=27605 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351440660.813:1162): arch=40000003 syscall=5 success=no exit=-13 a0=84f5ca8 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=27605 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351440660.994:1163): arch=40000003 syscall=5 success=no exit=-13 a0=919f110 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=27625 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351440660.994:1164): arch=40000003 syscall=5 success=no exit=-13 a0=91bd738 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=27625 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351442452.956:1178): arch=40000003 syscall=5 success=no exit=-13 a0=8356110 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=29060 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351442452.956:1179): arch=40000003 syscall=5 success=no exit=-13 a0=8374738 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=29060 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351530390.257:322): arch=40000003 syscall=5 success=no exit=-13 a0=8c84ca8 a1=80c2 a2=180 a3=c items=0 ppid=3994 pid=4018 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351530390.257:323): arch=40000003 syscall=5 success=no exit=-13 a0=8c84ca8 a1=80c2 a2=180 a3=c items=0 ppid=3994 pid=4018 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
[root@localhost ~]#

Try to re-test it and execute
# ausearch -m avc -ts recent

Petr

ls -ldZ ~/.cache/thumbnails
drwx------. dwalsh dwalsh staff_u:object_r:thumb_home_t:s0 /home/dwalsh/.cache/thumbnails

# ausearch -m avc -ts recent
----
time->Wed Oct 31 01:34:06 2012
type=SYSCALL msg=audit(1351625646.830:559): arch=40000003 syscall=5 success=no exit=-13 a0=9c47ca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=21907 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625646.830:559): avc: denied { create } for pid=21907 comm="totem-video-thu" name="registry.i686.bin.tmpO2NHNW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Wed Oct 31 01:34:06 2012
type=SYSCALL msg=audit(1351625646.830:560): arch=40000003 syscall=5 success=no exit=-13 a0=9c47ca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=21907 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625646.830:560): avc: denied { create } for pid=21907 comm="totem-video-thu" name="registry.i686.bin.tmpQ0NHNW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Wed Oct 31 01:34:19 2012
type=SYSCALL msg=audit(1351625659.688:562): arch=40000003 syscall=5 success=no exit=-13 a0=8abeca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=21958 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625659.688:562): avc: denied { create } for pid=21958 comm="totem-video-thu" name="registry.i686.bin.tmpNK1ENW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Wed Oct 31 01:34:19 2012
type=SYSCALL msg=audit(1351625659.688:561): arch=40000003 syscall=5 success=no exit=-13 a0=8abeca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=21958 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625659.688:561): avc: denied { create } for pid=21958 comm="totem-video-thu" name="registry.i686.bin.tmpQQ1ENW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Wed Oct 31 01:34:41 2012
type=SYSCALL msg=audit(1351625681.690:564): arch=40000003 syscall=5 success=no exit=-13 a0=836dca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=22013 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625681.690:564): avc: denied { create } for pid=22013 comm="totem-video-thu" name="registry.i686.bin.tmpTZZENW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Wed Oct 31 01:34:41 2012
type=SYSCALL msg=audit(1351625681.690:563): arch=40000003 syscall=5 success=no exit=-13 a0=836dca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=22013 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625681.690:563): avc: denied { create } for pid=22013 comm="totem-video-thu" name="registry.i686.bin.tmpS4ZENW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file

$ ls -ldZ ~/.cache/thumbnails
drwx------. mikhail mikhail unconfined_u:object_r:thumb_home_t:s0 /home/mikhail/.cache/thumbnails

Mikhail, do you think this file is being created in the ~/.cache directory or one of the subdirs? Can you execute
auditctl -w /etc/shadow -p w
And then generate the AVCs. This should generate full path information on where the file is created. I just want to see if there is a specific subdir that the thumbnailer is using rather than allow thumbnailers to write anywhere in ~/.cache
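
The ausearch records in this report can be triaged mechanically. The following is an added example, not part of the bug report or of any Fedora tool: it groups records by audit serial number and reduces each denial to source type, target type, class and permission. The function names are hypothetical, and the `has_path_record` check assumes that the full path information requested in the last comment would arrive as a `type=PATH` record in the same event.

```python
import re
from collections import defaultdict

# Two events copied from the `ausearch -m avc -ts recent` output in this report.
SAMPLE = """----
time->Wed Oct 31 01:34:06 2012
type=SYSCALL msg=audit(1351625646.830:559): arch=40000003 syscall=5 success=no exit=-13 a0=9c47ca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=21907 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625646.830:559): avc: denied { create } for pid=21907 comm="totem-video-thu" name="registry.i686.bin.tmpO2NHNW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Wed Oct 31 01:34:06 2012
type=SYSCALL msg=audit(1351625646.830:560): arch=40000003 syscall=5 success=no exit=-13 a0=9c47ca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=21907 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625646.830:560): avc: denied { create } for pid=21907 comm="totem-video-thu" name="registry.i686.bin.tmpQ0NHNW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
"""

HEAD = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEAD.match(line)
        if not m:                      # skips the "----" and "time->" separators
            continue
        rest = line[m.end():]
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        # "{ create }" -> ["create"]; records without braces get an empty list
        fields["perms"] = " ".join(re.findall(r'\{([^}]*)\}', rest)).split()
        events[int(m.group(2))][m.group(1)] = fields   # last record of a type wins
    return dict(events)

def summarize(events):
    """One row per denial: who (source type) was refused what on which target type."""
    rows = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc:
            continue
        rows.append({
            "serial": serial,
            "exe": recs.get("SYSCALL", {}).get("exe"),
            "source_type": avc["scontext"].split(":")[2],   # user:role:type:level
            "target_type": avc["tcontext"].split(":")[2],
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "name": avc.get("name"),        # last path component only
            "has_path_record": "PATH" in recs,   # False: directory is unknown
        })
    return rows
```

On the records above every row is `thumb_t` refused `create` on a `cache_home_t` file, with no PATH record to say which directory under the home directory was involved.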