Bug 1022547 - SELinux is preventing /usr/bin/gnome-thumbnail-font from using the 'dac_override' capabilities.
SELinux is preventing /usr/bin/gnome-thumbnail-font from using the 'dac_overr...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:1d7bc17aed16c82aca5a6a7b62d...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-23 09:48 EDT by Zero
Modified: 2014-06-23 09:46 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-25 02:50:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Zero 2013-10-23 09:48:58 EDT
Description of problem:
SELinux is preventing /usr/bin/gnome-thumbnail-font from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that gnome-thumbnail-font should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep gnome-thumbnail /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        gnome-thumbnail
Source Path                   /usr/bin/gnome-thumbnail-font
Port                          <Neznámé>
Host                          (removed)
Source RPM Packages           gnome-font-viewer-3.8.0-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.9.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.11.4-201.fc19.x86_64 #1 SMP Thu
                              Oct 10 14:11:18 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-10-16 22:06:44 CEST
Last Seen                     2013-10-16 22:06:46 CEST
Local ID                      b9623b24-0d44-40d7-8780-faca301d4588

Raw Audit Messages
type=AVC msg=audit(1381954006.222:545): avc:  denied  { dac_override } for  pid=10583 comm="gnome-thumbnail" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=AVC msg=audit(1381954006.222:545): avc:  denied  { dac_read_search } for  pid=10583 comm="gnome-thumbnail" capability=2  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1381954006.222:545): arch=x86_64 syscall=stat success=no exit=EACCES a0=828a90 a1=7fff0d4e8f40 a2=7fff0d4e8f40 a3=3d34532720 items=0 ppid=10537 pid=10583 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts1 comm=gnome-thumbnail exe=/usr/bin/gnome-thumbnail-font subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: gnome-thumbnail,thumb_t,thumb_t,capability,dac_override

Additional info:
reporter:       libreport-2.1.8
hashmarkername: setroubleshoot
kernel:         3.11.4-201.fc19.x86_64
type:           libreport
Comment 1 Miroslav Grepl 2013-10-24 09:04:28 EDT
If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w

Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
Comment 2 Daniel Walsh 2013-10-24 13:24:16 EDT
You really should not be running nautilus or any X Apps as root, this is fairly dangerous and is what is causing the DAC_OVERRIDE.

Which X App were you running when this happened?
Comment 3 Miroslav Grepl 2013-10-25 02:50:45 EDT
Ah, I overlooked "uid=0".
Comment 4 Zero 2014-06-23 09:46:08 EDT
it's fixed

Note You need to log in before you can comment on or make changes to this bug.