Bug 910553

Description of problem:
SELinux is preventing /usr/bin/gsf-office-thumbnailer from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that gsf-office-thumbnailer should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gsf-office-thum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        gsf-office-thum
Source Path                   /usr/bin/gsf-office-thumbnailer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           evince-3.6.1-2.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-71.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.2-204.fc18.x86_64 #1 SMP Wed
                              Jan 16 16:22:52 UTC 2013 x86_64 x86_64
Alert Count                   96
First Seen                    2012-12-14 12:26:57 EST
Last Seen                     2013-01-21 15:36:20 EST
Local ID                      065466bc-adad-4f3d-a326-badb8c2ed217

Raw Audit Messages
type=AVC msg=audit(1358800580.81:594): avc:  denied  { dac_override } for  pid=2388 comm="evince-thumbnai" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=AVC msg=audit(1358800580.81:594): avc:  denied  { dac_read_search } for  pid=2388 comm="evince-thumbnai" capability=2  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1358800580.81:594): arch=x86_64 syscall=open success=no exit=EACCES a0=d7e7b0 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=0 ppid=2377 pid=2388 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts2 comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: gsf-office-thum,thumb_t,thumb_t,capability,dac_override

audit2allow

#============= thumb_t ==============
allow thumb_t self:capability { dac_read_search dac_override };

audit2allow -R

#============= thumb_t ==============
allow thumb_t self:capability { dac_read_search dac_override };


Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.2-204.fc18.x86_64
type:           libreport