Bug 873946

Summary: SELinux is preventing /usr/bin/totem-video-thumbnailer from 'unlink' accesses on the file /home/mikhail/.cache/gstreamer-1.0/registry.i686.bin.
Product: [Fedora] Fedora
Reporter: Mikhail <mikhail.v.gavrilov>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: acc-bugz-redhat, decathorpe, dominick.grift, dwalsh, elad, eleks73, glmakx, mail, mgrepl, mikhail.v.gavrilov, niki.guldbrand, patrys, rxguy, sanjay.ankur, wbb19881018, xaver
Keywords: Reopened
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:ff376683d24eecc51b2e4e987e94b8108402152fe9e17d4c793be71b9e70551f
Doc Type: Bug Fix
Last Closed: 2013-01-11 23:13:39 UTC
Attachments: File: type; File: hashmarkername

Description Mikhail 2012-11-07 03:56:31 UTC
Additional info:
libreport version: 2.0.18
kernel:         3.6.6-3.fc18.i686.PAE

description:
:SELinux is preventing /usr/bin/totem-video-thumbnailer from 'unlink' accesses on the file /home/mikhail/.cache/gstreamer-1.0/registry.i686.bin.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that totem-video-thumbnailer should be allowed unlink access on the registry.i686.bin file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:cache_home_t:s0
:Target Objects                /home/mikhail/.cache/gstreamer-1.0/registry.i686.b
:                              in [ file ]
:Source                        totem-video-thu
:Source Path                   /usr/bin/totem-video-thumbnailer
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           totem-3.6.2-1.fc18.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-50.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.6-3.fc18.i686.PAE #1 SMP Mon
:                              Nov 5 16:37:58 UTC 2012 i686 i686
:Alert Count                   3
:First Seen                    2012-11-07 09:55:05 YEKT
:Last Seen                     2012-11-07 09:55:05 YEKT
:Local ID                      d557eaa3-59d9-4862-8b50-f09c7d3d8997
:
:Raw Audit Messages
:type=AVC msg=audit(1352260505.829:332): avc:  denied  { unlink } for  pid=4165 comm="totem-video-thu" name="registry.i686.bin" dev="sdb" ino=162792649 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1352260505.829:332): arch=i386 syscall=rename success=no exit=EACCES a0=96f9820 a1=95d0900 a2=46ae2000 a3=96f8e80 items=0 ppid=4107 pid=4165 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts3 ses=2 comm=totem-video-thu exe=/usr/bin/totem-video-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
:
:Hash: totem-video-thu,thumb_t,cache_home_t,file,unlink
:
:audit2allow
:
:#============= thumb_t ==============
:allow thumb_t cache_home_t:file unlink;
:
:audit2allow -R
:
:#============= thumb_t ==============
:allow thumb_t cache_home_t:file unlink;
:

Comment 1 Mikhail 2012-11-07 03:56:35 UTC
Created attachment 639774
File: type

Comment 2 Mikhail 2012-11-07 03:56:37 UTC
Created attachment 639775
File: hashmarkername

Comment 3 Miroslav Grepl 2012-11-07 13:34:50 UTC
We would need to make /home/mikhail/.cache/gstreamer-1.0 labeled as gstreamer_home_t.

I added fixes to see if it works. You can execute

# chcon -R -t gstreamer_home_t /home/mikhail/.cache/gstreamer-1.0

Comment 4 Ankur Sinha (FranciscoD) 2012-11-08 10:02:22 UTC
Plugged in my usb hdd with videos and stuff.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 5 Ankur Sinha (FranciscoD) 2012-11-08 10:27:37 UTC
Videos on a usb pen drive.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 6 Niki Guldbrand 2012-11-11 21:25:47 UTC
Don't exactly know how this happened... :-/

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 7 Fabio Valentini 2012-11-17 14:03:41 UTC
1. open nautilus
2. navigate to a folder containing a video file


Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 8 Daniel Walsh 2012-11-19 16:15:19 UTC
f23aef5bbc1f2fe410a0a2d4caf8d52b36d6c76e fixes this issue.

We have the labels of ~/.cache/.gstreamer instead of ~/.cache/gstreamer, which is causing this problem.

Comment 9 Daniel Walsh 2012-11-19 16:15:49 UTC
Fixed in selinux-policy-3.11.1-55.fc18.noarch

Comment 10 Fedora Update System 2012-11-28 20:57:15 UTC
selinux-policy-3.11.1-57.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-57.fc18

Comment 11 Fedora Update System 2012-11-30 06:35:30 UTC
Package selinux-policy-3.11.1-57.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-57.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-57.fc18
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2012-12-02 19:29:31 UTC
Package selinux-policy-3.11.1-59.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-59.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-59.fc18
then log in and leave karma (feedback).

Comment 13 Dale Turner 2012-12-06 01:44:46 UTC
Opened files with .avi file present

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 14 Fedora Update System 2012-12-06 20:11:50 UTC
Package selinux-policy-3.11.1-60.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-60.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-19374/selinux-policy-3.11.1-60.fc18
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2012-12-07 04:30:44 UTC
selinux-policy-3.11.1-60.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Mikhail 2012-12-15 16:53:37 UTC
$ rpm -q selinux-policy
selinux-policy-3.11.1-62.fc18.noarch

Problem still occurs

Comment 17 Mikhail 2012-12-17 03:58:52 UTC
# ausearch -m avc -ts recent
----
time->Mon Dec 17 09:56:36 2012
type=SYSCALL msg=audit(1355716596.759:1594): arch=40000003 syscall=38 success=no exit=-13 a0=9daf710 a1=9c18d38 a2=41eeb000 a3=9e04370 items=0 ppid=7051 pid=28119 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355716596.759:1594): avc:  denied  { unlink } for  pid=28119 comm="totem-video-thu" name="registry.i686.bin" dev="sdb" ino=162792523 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Mon Dec 17 09:56:37 2012
type=SYSCALL msg=audit(1355716597.499:1595): arch=40000003 syscall=38 success=no exit=-13 a0=a08e710 a1=9ef7d38 a2=41eeb000 a3=a0e3370 items=0 ppid=7051 pid=28139 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355716597.499:1595): avc:  denied  { unlink } for  pid=28139 comm="totem-video-thu" name="registry.i686.bin" dev="sdb" ino=162792523 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Mon Dec 17 09:56:38 2012
type=SYSCALL msg=audit(1355716598.015:1596): arch=40000003 syscall=38 success=no exit=-13 a0=8fd2a28 a1=8e5ad38 a2=41eeb000 a3=9046370 items=0 ppid=7051 pid=28161 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355716598.015:1596): avc:  denied  { unlink } for  pid=28161 comm="totem-video-thu" name="registry.i686.bin" dev="sdb" ino=162792523 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Mon Dec 17 09:56:38 2012
type=SYSCALL msg=audit(1355716598.485:1597): arch=40000003 syscall=38 success=no exit=-13 a0=9448710 a1=92b1d38 a2=41eeb000 a3=949d370 items=0 ppid=7051 pid=28184 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355716598.485:1597): avc:  denied  { unlink } for  pid=28184 comm="totem-video-thu" name="registry.i686.bin" dev="sdb" ino=162792523 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Mon Dec 17 09:56:38 2012
type=SYSCALL msg=audit(1355716598.846:1598): arch=40000003 syscall=38 success=no exit=-13 a0=9595a28 a1=941dd38 a2=41eeb000 a3=9609370 items=0 ppid=7051 pid=28204 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1355716598.846:1598): avc:  denied  { unlink } for  pid=28204 comm="totem-video-thu" name="registry.i686.bin" dev="sdb" ino=162792523 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file

Comment 18 Daniel Walsh 2012-12-17 19:08:37 UTC
Fixed in selinux-policy-3.11.1-67.fc18.noarch

There is a typo in the file context string: cache should be \.cache
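
Added example (not part of the bug report or of selinux-policy): it parses one of the AVC records from comment 17 and then shows why the two mislabelings described in comments 8 and 18 leave the registry file as cache_home_t. The file-context entries are constructed for illustration, with HOME_DIR written out as /home/[^/]+, and choosing the longest matching pattern is a simplifying assumption rather than the exact libselinux ordering.

```python
import re

# AVC record copied from comment 17 (fields not used here are trimmed).
AVC = ('type=AVC msg=audit(1355716596.759:1594): avc:  denied  { unlink } for  '
       'pid=28119 comm="totem-video-thu" name="registry.i686.bin" dev="sdb" '
       'scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file')
PATH = "/home/mikhail/.cache/gstreamer-1.0/registry.i686.bin"  # from the report

# Constructed entries (assumption: the policy's real .fc lines are not shown
# in the bug). Each is (anchored regex, type).
GENERIC = (r"/home/[^/]+/\.cache(/.*)?", "cache_home_t")
DOT_GSTREAMER = (r"/home/[^/]+/\.cache/\.gstreamer-.*(/.*)?", "gstreamer_home_t")  # comment 8
BARE_CACHE = (r"/home/[^/]+/cache/gstreamer-.*(/.*)?", "gstreamer_home_t")         # comment 18
CORRECTED = (r"/home/[^/]+/\.cache/gstreamer-.*(/.*)?", "gstreamer_home_t")


def parse_avc(line):
    """Return (source type, target type, class, permissions) of an AVC denial."""
    perms = re.search(r"\{ ([^}]*) \}", line).group(1).split()
    field = lambda key: re.search(rf"\b{key}=(\S+)", line).group(1)
    stype = field("scontext").split(":")[2]   # user:role:type:level
    ttype = field("tcontext").split(":")[2]
    return stype, ttype, field("tclass"), perms


def label_for(path, entries):
    """Type of the longest-pattern entry whose regex matches the whole path."""
    hits = [(len(rx), t) for rx, t in entries if re.fullmatch(rx, path)]
    return max(hits)[1] if hits else None


def compare(path=PATH):
    """Label the path receives under each variant of the gstreamer entry."""
    variants = {"dot_gstreamer": DOT_GSTREAMER, "bare_cache": BARE_CACHE,
                "corrected": CORRECTED}
    return {name: label_for(path, [GENERIC, e]) for name, e in variants.items()}


if __name__ == "__main__":
    print(parse_avc(AVC))
    for name, label in compare().items():
        print(f"{name:14} -> {label}")
```

On a live system, `matchpathcon /home/mikhail/.cache/gstreamer-1.0` reports the label the installed policy assigns to the directory.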

Comment 19 Fedora Update System 2012-12-21 10:31:32 UTC
selinux-policy-3.11.1-67.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-67.fc18

Comment 20 Fedora Update System 2012-12-21 20:01:53 UTC
Package selinux-policy-3.11.1-67.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-67.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20813/selinux-policy-3.11.1-67.fc18
then log in and leave karma (feedback).

Comment 21 tuxor 2013-01-01 03:03:27 UTC
Open folder with media files that nautilus hasn't seen before and will try to create thumbnails for.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 22 Daniel Walsh 2013-01-02 19:47:47 UTC
Did you get this with selinux-policy-3.11.1-67.fc18?

Comment 23 tuxor 2013-01-02 19:53:19 UTC
No, I already confirmed7 via bodhi that this bug is fixed with 3.11.1-6. Thanks :)

Comment 24 Max 2013-01-08 20:06:13 UTC
open *txt file in gedit

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 25 Fedora Update System 2013-01-11 23:13:42 UTC
selinux-policy-3.11.1-67.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.