Bug 972391

Summary: SELinux is preventing /usr/bin/totem-video-thumbnailer from 'append' accesses on the unix_stream_socket unix_stream_socket.
Product: Red Hat Enterprise Linux 7 Reporter: Matěj Cepl <mcepl>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Michal Trunecka <mtruneck>
Severity: medium Docs Contact:
Priority: low    
Version: 7.0CC: bnocera, ebenes, ksrot, mcepl, mgrepl, mmalik, mtruneck
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: abrt_hash:a96a137b78ec68b8d09f158593e52721549a021256f22b827de34c34b24a0db1
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-16 08:18:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matěj Cepl 2013-06-09 06:19:11 UTC 
Description of problem:
SELinux is preventing /usr/bin/totem-video-thumbnailer from 'append' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore totem-video-thumbnailer trying to append access the unix_stream_socket unix_stream_socket, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/totem-video-thumbnailer /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that totem-video-thumbnailer should be allowed append access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        totem-video-thu
Source Path                   /usr/bin/totem-video-thumbnailer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           totem-3.8.0-3.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-48.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-0.rc4.59.el7.x86_64 #1 SMP
                              Mon Jun 3 14:40:03 EDT 2013 x86_64 x86_64
Alert Count                   8
First Seen                    2013-06-08 13:57:48 CEST
Last Seen                     2013-06-09 08:06:50 CEST
Local ID                      4060e79c-0938-41e6-a031-4bdae347eeb5

Raw Audit Messages
type=AVC msg=audit(1370758010.39:8261): avc:  denied  { append } for  pid=18799 comm="totem-video-thu" path="socket:[26612]" dev="sockfs" ino=26612 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=SYSCALL msg=audit(1370758010.39:8261): arch=x86_64 syscall=execve success=yes exit=0 a0=7f8f2c008d40 a1=7f8f2c0265c0 a2=7fffc35a3dd0 a3=7f8f380b6600 items=0 ppid=6330 pid=18799 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=totem-video-thu exe=/usr/bin/totem-video-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: totem-video-thu,thumb_t,xdm_t,unix_stream_socket,append

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.10.0-0.rc4.59.el7.x86_64
type:           libreport
Comment 2 Miroslav Grepl 2013-06-12 09:10:06 UTC 
Does everything work correctly?
Comment 3 Matěj Cepl 2013-06-12 09:28:17 UTC 
(In reply to Miroslav Grepl from comment #2)
> Does everything work correctly?

I don't see any problems, but I am not sure what to look for.
Comment 4 Bastien Nocera 2013-06-12 09:40:57 UTC 
What file is it trying to write? This is probably nautilus wrongly detecting something as a video file and letting the thumbnailer loose on it.
Comment 5 Bastien Nocera 2013-06-24 15:08:38 UTC 
How do I reproduce this?
Comment 6 Matěj Cepl 2013-06-25 09:43:34 UTC 
(In reply to Bastien Nocera from comment #5)
> How do I reproduce this?

Unfortunately, I have no clue. Sealert warning just jumps on me from time to time. Even from studying the SELinux message I cannot decipher what is the concerned file.

wycliff:x86_64# find /usr /var /home /tmp /etc /boot /root /srv -context '*xdm_t*' -print 2>/dev/null |tee /tmp/xdm_t-files.txt
/tmp/.X0-lock
/tmp/.ICE-unix
/tmp/.ICE-unix/4546
/tmp/.X11-unix
/tmp/.X11-unix/X0
wycliff:x86_64#
Comment 7 Bastien Nocera 2013-09-19 09:24:12 UTC 
Reassigning to selinux-policy for root causing.

Even if the problem is with totem, nautilus or GStreamer, we cannot fix the bug unless we know how to cause it.

The SELinux warning should show the full command-line path used to launch the triggering application to help root causing.
Comment 8 Miroslav Grepl 2013-09-19 13:01:35 UTC 
#============= thumb_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow thumb_t xdm_t:unix_stream_socket append;
Comment 9 Bastien Nocera 2013-09-19 13:34:25 UTC 
Why are you adding a rule for this? In which circumstances would totem's video thumbnailer try to write to a socket in the xdm_t domain?
Comment 10 Miroslav Grepl 2013-09-25 20:26:27 UTC 
We don't add the "allow" rule but we add the "dontaudit" rule. It means it won't be allowed and SELinux won't complain about it.
Comment 11 Bastien Nocera 2013-09-25 21:52:47 UTC 
Could we try and fix it instead? Is there a way to know why totem-video-thumbnailer required those permissions?
Comment 13 Bastien Nocera 2013-10-15 05:34:58 UTC 
Can I have an answer to comment 11?
Comment 14 Miroslav Grepl 2013-10-21 16:26:03 UTC 
Not sure if I understand your question from  comment 11.
Comment 15 Bastien Nocera 2013-10-21 16:42:03 UTC 
(In reply to Miroslav Grepl from comment #14)
> Not sure if I understand your question from  comment 11.

You added a dontaudit rule which just hides the symptoms of the problem, instead of fixing the problem. How do I reproduce the problem so that we can effectively fix it instead of working around it?
Comment 16 Miroslav Grepl 2013-10-25 07:46:17 UTC 
I have no idea how to reproduce it.

# semodule -DB

will turn off dontaudit rules.
Comment 18 Bastien Nocera 2014-01-07 08:03:00 UTC 
How does one reproduce the problem? I don't see how this problem can be marked as verified when there's no reproducer for it.
Comment 19 Milos Malik 2014-04-15 13:23:30 UTC 
Based on comment#0 it is a leaked file descriptor problem. The program which executed totem-video-thumbnailer leaked a fd. If the reporter does not know how to reproduce it I doubt we will find the cause.

I tried following scenarios and the AVC didn't appear even if dontaudit rules were removed from active policy:
 * totem-video-thumbnailer under unconfined_u user in GNOME environment
 * totem-video-thumbnailer under staff_u user in GNOME environment

Thumbnails were generated automatically and manual execution of  totem-video-thumbnailer inside ~/.cache directory also worked well.
Comment 21 Ludek Smid 2014-06-16 08:18:21 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.