Bug 982511
| Summary: | SELinux is preventing /usr/bin/gsf-office-thumbnailer from using the 'dac_override' capabilities. |
|---|---|
| Product: | [Fedora] Fedora |
| Component: | selinux-policy |
| Version: | 19 |
| Hardware: | i686 |
| OS: | Unspecified |
| Status: | CLOSED WONTFIX |
| Severity: | unspecified |
| Priority: | unspecified |
| Reporter: | aloonyokinda |
| Assignee: | Miroslav Grepl <mgrepl> |
| QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| CC: | dominick.grift, dwalsh, mgrepl, naveen |
| Whiteboard: | abrt_hash:ab73351c5007a7e986153e6dcb1673acf6973e74e1b630c9b9b59be526636f8b |
| Doc Type: | Bug Fix |
| Last Closed: | 2013-07-10 08:16:34 UTC |
Description
aloonyokinda
2013-07-09 08:32:40 UTC
Why are you running firefox as root? This is very dangerous.

Not something we will support from SELinux.

(In reply to Daniel Walsh from comment #1)
> Why are you running firefox as root? This is very dangerous.
>
> Not something we will support from SELinux.

When I am running as another account with firefox, the same issue is there.

```
SELinux is preventing /usr/bin/gsf-office-thumbnailer from using the dac_override capability.

***** Plugin dac_override (91.4 confidence) suggests ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

***** Plugin catchall (9.59 confidence) suggests ***************************

If you believe that gsf-office-thumbnailer should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gsf-office-thum /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                [ capability ]
Source                        gsf-office-thum
Source Path                   /usr/bin/gsf-office-thumbnailer
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           evince-3.8.2-1.fc19.x86_64 evince-3.8.3-2.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-74.11.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.11.7-200.fc19.x86_64 #1 SMP Mon Nov 4 14:09:03 UTC 2013 x86_64 x86_64
Alert Count                   241
First Seen                    2013-11-15 17:19:47 IST
Last Seen                     2013-11-18 13:30:11 IST
Local ID                      03ebe6fc-9826-45e8-b372-1c842694d587

Raw Audit Messages
type=AVC msg=audit(1384761611.235:544): avc: denied { dac_override } for pid=5018 comm="evince-thumbnai" capability=1 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(1384761611.235:544): avc: denied { dac_read_search } for pid=5018 comm="evince-thumbnai" capability=2 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1384761611.235:544): arch=x86_64 syscall=open success=no exit=EACCES a0=132e9f0 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=0 ppid=3553 pid=5018 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: gsf-office-thum,thumb_t,thumb_t,capability,dac_override
```

This is still running as root

auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0

Are you getting this from firefox?
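The check made in the last comment, reading the uid/auid fields of the SYSCALL record that shares an event ID with the AVC denials, can be scripted for triage. This is an added example, not part of the original report or of any SELinux tool; the function names and result layout are assumptions, and the sample records are the three quoted in the report.

```python
import re

# Audit records copied from the report above (sealert's interpreted form).
SAMPLE = """\
type=AVC msg=audit(1384761611.235:544): avc: denied { dac_override } for pid=5018 comm="evince-thumbnai" capability=1 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1384761611.235:544): avc: denied { dac_read_search } for pid=5018 comm="evince-thumbnai" capability=2 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1384761611.235:544): arch=x86_64 syscall=open success=no exit=EACCES a0=132e9f0 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=0 ppid=3553 pid=5018 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
DENIED_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DAC_CAPS = {"dac_override", "dac_read_search"}

def parse_events(text):
    """Group AVC and SYSCALL records by audit event ID (timestamp:serial)."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        ev = events.setdefault(event_id, {"denied": set(), "avc": {}, "syscall": {}})
        if rtype == "AVC":
            ev["denied"].update(" ".join(DENIED_RE.findall(body)).split())
            ev["avc"].update(fields)
        elif rtype == "SYSCALL":
            ev["syscall"] = fields
    return events

def triage_dac_denials(text):
    """Report DAC capability denials with the identity fields of the syscall."""
    findings = []
    for event_id, ev in parse_events(text).items():
        caps = ev["denied"] & DAC_CAPS
        if not caps or ev["avc"].get("tclass") != "capability":
            continue
        sc, ctx = ev["syscall"], ev["avc"].get("scontext", "").split(":")
        findings.append({
            "event": event_id, "caps": sorted(caps), "exe": sc.get("exe"),
            "domain": ctx[2] if len(ctx) > 2 else None,
            "root": sc.get("euid") == "0",        # effective uid 0
            "login_root": sc.get("auid") == "0",  # session was opened as root
            "has_path": sc.get("items", "0") != "0",  # items=0: no PATH record
        })
    return findings

print(triage_dac_denials(SAMPLE))
```

A finding with `root` true and `has_path` false is the case the dac_override plugin text describes: the denial is logged, but the offending file is not recorded until full auditing is turned on.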