Bug 982511

Summary: SELinux is preventing /usr/bin/gsf-office-thumbnailer from using the 'dac_override' capabilities.
Product: [Fedora] Fedora Reporter: aloonyokinda
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: dominick.grift, dwalsh, mgrepl, naveen
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Unspecified   
Whiteboard: abrt_hash:ab73351c5007a7e986153e6dcb1673acf6973e74e1b630c9b9b59be526636f8b
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-07-10 08:16:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description aloonyokinda 2013-07-09 08:32:40 UTC 
Description of problem:
it keeps on poping when i use firefox
SELinux is preventing /usr/bin/gsf-office-thumbnailer from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that gsf-office-thumbnailer should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gsf-office-thum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        gsf-office-thum
Source Path                   /usr/bin/gsf-office-thumbnailer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           libgsf-1.14.26-4.fc19.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-59.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.9-301.fc19.i686.PAE #1 SMP Thu
                              Jul 4 15:25:09 UTC 2013 i686 i686
Alert Count                   2
First Seen                    2013-07-09 11:16:17 EAT
Last Seen                     2013-07-09 11:16:17 EAT
Local ID                      73294be0-6ac1-4f13-9bed-32a654ff198c

Raw Audit Messages
type=AVC msg=audit(1373357777.351:467): avc:  denied  { dac_override } for  pid=2837 comm="gsf-office-thum" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=AVC msg=audit(1373357777.351:467): avc:  denied  { dac_read_search } for  pid=2837 comm="gsf-office-thum" capability=2  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1373357777.351:467): arch=i386 syscall=open success=no exit=EACCES a0=9a54650 a1=8000 a2=1b6 a3=9a57478 items=0 ppid=2496 pid=2837 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=gsf-office-thum exe=/usr/bin/gsf-office-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: gsf-office-thum,thumb_t,thumb_t,capability,dac_override

Additional info:
reporter:       libreport-2.1.5
hashmarkername: setroubleshoot
kernel:         3.9.9-301.fc19.i686.PAE
type:           libreport

Potential duplicate: bug 910553
Comment 1 Daniel Walsh 2013-07-09 20:30:06 UTC 
Why are you running firefox as root?  This is very dangerous.

Not something we will support from SELinux.
Comment 2 Naveen 2013-11-18 08:24:52 UTC 
(In reply to Daniel Walsh from comment #1)
> Why are you running firefox as root?  This is very dangerous.
> 
> Not something we will support from SELinux.

when i am running as aanother account with  firefox same issue is there.

SELinux is preventing /usr/bin/gsf-office-thumbnailer from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that gsf-office-thumbnailer should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gsf-office-thum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        gsf-office-thum
Source Path                   /usr/bin/gsf-office-thumbnailer
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           evince-3.8.2-1.fc19.x86_64
                              evince-3.8.3-2.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.11.7-200.fc19.x86_64
                              #1 SMP Mon Nov 4 14:09:03 UTC 2013 x86_64 x86_64
Alert Count                   241
First Seen                    2013-11-15 17:19:47 IST
Last Seen                     2013-11-18 13:30:11 IST
Local ID                      03ebe6fc-9826-45e8-b372-1c842694d587

Raw Audit Messages
type=AVC msg=audit(1384761611.235:544): avc:  denied  { dac_override } for  pid=5018 comm="evince-thumbnai" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=AVC msg=audit(1384761611.235:544): avc:  denied  { dac_read_search } for  pid=5018 comm="evince-thumbnai" capability=2  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1384761611.235:544): arch=x86_64 syscall=open success=no exit=EACCES a0=132e9f0 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=0 ppid=3553 pid=5018 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: gsf-office-thum,thumb_t,thumb_t,capability,dac_override
Comment 3 Daniel Walsh 2013-11-18 16:30:24 UTC 
THis is still running as root
auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 

Are you getting this from firefox?