Created attachment 854162
Sealert output.

Description of problem:
Selinux is preventing Tumblerd from generating thumbnails under XFCE and Thunar. The problem started after an update of selinux-policy-targeted.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-119.fc20.noarch

How reproducible:
Start a tumblerd process from a terminal.

Steps to Reproduce:
1. Close all Thunar windows
2. Kill any tumblerd instance: pkill tumblerd
3. Try to start a new tumblerd process: /lib64/tumbler-1/tumblerd

Actual results:
Tumblerd does not start, but the following message is shown:

(tumblerd:32274): tumblerd-WARNING **: Failed to connect to the D-Bus session bus: Failed to connect to socket /tmp/dbus-0IrFZKt0JG: Permission denied

Expected results:
Tumblerd must start and generate thumbnails.

Additional info:
If selinux is disabled tumblerd can be started:

setenforce 0
/lib64/tumbler-1/tumblerd

I am adding an attachment with the sealert output; the text shows that selinux is having issues with dbus-launch.
# matchpathcon /lib64/tumbler-1/tumblerd
/lib64/tumbler-1/tumblerd system_u:object_r:thumb_exec_t:s0

Try to execute

# restorecon -R -v /lib64/tumbler-1/tumblerd
*** Bug 1056991 has been marked as a duplicate of this bug. ***
It looks like a labeling issue.

# fixfiles restore

should fix labeling on your system.
I've tried your solution:

# su -
# fixfiles restore

The process finishes without problem. I try to start tumblerd and the same problem happens. Also I check if the executable is labeled as it should be:

# matchpathcon /lib64/tumbler-1/tumblerd
/lib64/tumbler-1/tumblerd system_u:object_r:thumb_exec_t:s0

# ls -Z /lib64/tumbler-1/tumblerd
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /lib64/tumbler-1/tumblerd

Any other ideas?
Ok, I overlooked. Could you try to update to the latest policy, re-login and re-test?
I am not able to reproduce it.
Nope, the latest selinux policy is installed. Today's updates only include NetworkManager, dnf and some other stuff.

I did try removing tumbler:

# yum remove tumbler

The command also removes tumbler-extras and ristretto. Later I installed the three packages and restored the conf:

# yum install tumbler tumbler-extras ristretto
# restorecon -vRF /lib64

But the same problem happens again when I try to start tumblerd.
*** Bug 1058064 has been marked as a duplicate of this bug. ***
type=AVC msg=audit(1390159825.110:494): avc: denied { execute } for pid=18814 comm="dbus-launch" name="dbus-daemon" dev="dm-2" ino=400782 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file
Ok, "Is auditd running?" Yes

[root@******* ariel]# systemctl status auditd.service
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: active (running) since lun 2014-01-27 11:26:37 CST; 11min ago
  Process: 402 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
 Main PID: 401 (auditd)
   CGroup: /system.slice/auditd.service
           ├─401 /sbin/auditd -n
           ├─407 /sbin/audispd
           └─408 /usr/sbin/sedispatch

ene 27 11:26:37 ******* systemd[1]: Started Security Auditing Service.
ene 27 11:26:37 ******* auditd[401]: Started dispatcher: /sbin/audispd pid: 407
ene 27 11:26:37 ******* audispd[407]: priority_boost_parser called with: 4
ene 27 11:26:37 ******* audispd[407]: max_restarts_parser called with: 10
ene 27 11:26:37 ******* audispd[407]: audispd initialized with q_depth=150 ...ns
ene 27 11:26:37 ******* auditd[401]: Init complete, auditd 2.3.3 listening ...e)
Hint: Some lines were ellipsized, use -l to show in full.

(******* is my hostname)

And "Also what does #ausearch -m user_avc" This is the output:

----
time->Wed Jan 8 16:01:02 2014
type=USER_AVC msg=audit(1389218462.021:620): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan 8 16:01:02 2014
type=USER_AVC msg=audit(1389218462.022:621): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan 8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:668): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=4) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan 8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:669): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan 8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:670): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=6) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan 8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:671): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=7) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan 9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:576): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan 9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:577): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=3) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan 9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:578): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=4) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan 9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:579): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=5) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Jan 17 19:59:21 2014
type=USER_AVC msg=audit(1390010361.614:415): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan 22 13:23:02 2014
type=USER_AVC msg=audit(1390418582.977:25): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan 23 12:08:52 2014
type=USER_AVC msg=audit(1390500532.319:806): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Sun Jan 26 13:04:34 2014
type=USER_AVC msg=audit(1390763074.182:15): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
My output of ausearch is the following:

time->Wed Jan 22 15:01:01 2014
type=USER_AVC msg=audit(1390424461.830:447): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received policyload notice (seqno=2) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Manual run of tumblerd on my RHEL-7 machine always ends up with a "permission denied" message. Some access is denied, but AVCs are not visible until you call the "semodule -DB" command:

After logging in as staff_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:22:51.362:26438) : saddr=local /tmp/dbus-zmG3DhqIfX
type=SYSCALL msg=audit(01/31/2014 11:22:51.362:26438) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fffdcfb2b50 a2=0x17 a3=0x0 items=0 ppid=6650 pid=7692 auid=userY uid=userY gid=userY euid=userY suid=userY fsuid=userY egid=userY sgid=userY fsgid=userY tty=pts1 ses=3460 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/31/2014 11:22:51.362:26438) : avc: denied { connectto } for pid=7692 comm=tumblerd path=/tmp/dbus-zmG3DhqIfX scontext=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----

After logging in as user_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:29:09.157:28819) : saddr=local /tmp/dbus-nFz2EkjzWb
type=SYSCALL msg=audit(01/31/2014 11:29:09.157:28819) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fffb62d9600 a2=0x17 a3=0x0 items=0 ppid=11031 pid=11090 auid=userX uid=userX gid=userX euid=userX suid=userX fsuid=userX egid=userX sgid=userX fsgid=userX tty=pts1 ses=3464 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=user_u:user_r:thumb_t:s0 key=(null)
type=AVC msg=audit(01/31/2014 11:29:09.157:28819) : avc: denied { connectto } for pid=11090 comm=tumblerd path=/tmp/dbus-nFz2EkjzWb scontext=user_u:user_r:thumb_t:s0 tcontext=user_u:user_r:user_dbusd_t:s0 tclass=unix_stream_socket
----
After logging in as unconfined_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:46:32.347:29056) : saddr=local /tmp/dbus-XY7kElSMgR
type=SYSCALL msg=audit(01/31/2014 11:46:32.347:29056) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fff5c89a020 a2=0x17 a3=0x0 items=0 ppid=12809 pid=12879 auid=userQ uid=userQ gid=userQ euid=userQ suid=userQ fsuid=userQ egid=userQ sgid=userQ fsgid=userQ tty=pts1 ses=3477 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/31/2014 11:46:32.347:29056) : avc: denied { connectto } for pid=12879 comm=tumblerd path=/tmp/dbus-XY7kElSMgR scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
----

After logging in as xguest_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:48:14.763:29445) : saddr=local /tmp/dbus-MIyZ5E0E6h
type=SYSCALL msg=audit(01/31/2014 11:48:14.763:29445) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fffcff16d10 a2=0x17 a3=0x0 items=0 ppid=13310 pid=13312 auid=userZ uid=userZ gid=userZ euid=userZ suid=userZ fsuid=userZ egid=userZ sgid=userZ fsgid=userZ tty=(none) ses=3478 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=xguest_u:xguest_r:thumb_t:s0 key=(null)
type=AVC msg=audit(01/31/2014 11:48:14.763:29445) : avc: denied { connectto } for pid=13312 comm=tumblerd path=/tmp/dbus-MIyZ5E0E6h scontext=xguest_u:xguest_r:thumb_t:s0 tcontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tclass=unix_stream_socket
----
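Added example, not part of the original comments and not code from the SELinux project: a small parser that reduces AVC denial records like the ones quoted in this report to unique (source type, target type, class, permission) tuples, which makes it visible that every denial originates from thumb_t and targets a D-Bus type. The function names are chosen for this illustration; the sample records are copied from the comments above.

```python
import re
from collections import defaultdict

# AVC records copied from the comments in this bug report.
SAMPLE = """\
type=AVC msg=audit(1390159825.110:494): avc: denied { execute } for pid=18814 comm="dbus-launch" name="dbus-daemon" dev="dm-2" ino=400782 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file
type=AVC msg=audit(01/31/2014 11:22:51.362:26438) : avc: denied { connectto } for pid=7692 comm=tumblerd path=/tmp/dbus-zmG3DhqIfX scontext=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(01/31/2014 11:29:09.157:28819) : avc: denied { connectto } for pid=11090 comm=tumblerd path=/tmp/dbus-nFz2EkjzWb scontext=user_u:user_r:thumb_t:s0 tcontext=user_u:user_r:user_dbusd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(01/31/2014 11:48:14.763:29445) : avc: denied { connectto } for pid=13312 comm=tumblerd path=/tmp/dbus-MIyZ5E0E6h scontext=xguest_u:xguest_r:thumb_t:s0 tcontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def se_type(context):
    """Return the type field (third) of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield (source_type, target_type, tclass, perm) per denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, SOCKADDR and USER_AVC notices are skipped
        for perm in m["perms"].split():
            yield se_type(m["scon"]), se_type(m["tcon"]), m["tclass"], perm

def summarize(text):
    """Group denials the way audit2allow does: {(src, tgt, class): {perms}}."""
    rules = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(text):
        rules[(src, tgt, tclass)].add(perm)
    return dict(rules)

def as_allow_rules(text):
    """Render the grouped denials as candidate allow rules for review."""
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in summarize(text).items()
    )

if __name__ == "__main__":
    print("\n".join(as_allow_rules(SAMPLE)))
```

The rendered rules are a review aid for deciding what the policy fix has to cover, not a module to load as-is.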
#============= thumb_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow thumb_t xguest_dbusd_t:unix_stream_socket connectto;

Do you need this access to make it work?
policy_module(mypolicy,1.0)

# Types and classes this module refers to but does not define
require {
	type thumb_t;
	type staff_dbusd_t;
	class unix_stream_socket { connectto };
	class dbus { send_msg };
}

# Let the thumbnailer connect to and message the staff session bus
allow thumb_t staff_dbusd_t : unix_stream_socket { connectto };
allow thumb_t staff_dbusd_t : dbus { send_msg };

When SELinux is in enforcing mode and the above-mentioned policy module is loaded in memory, tumblerd exits with the following message:

(tumblerd:21892): tumblerd-WARNING **: Failed to start the thumbnail cache service: Another thumbnail cache service is already running

When I switch to permissive mode, tumblerd runs as expected and there are no messages. Unfortunately, I'm unable to make tumblerd run in enforcing mode. After "semodule -DB" there are some AVCs, but none of them (converted to allow rule) seems to help.
Ok, I think we will need to allow dbus chat.

allow thumb_t staff_dbusd_t : dbus { send_msg };
allow staff_dbusd_t thumb_t : dbus { send_msg };

The problem is we have thumb "dbus-daemon --session" running in thumb_t now.
Description of problem:
I tried to open the application

Additional info:
reporter: libreport-2.1.11
hashmarkername: setroubleshoot
kernel: 3.12.9-301.fc20.x86_64
type: libreport
So, are there any workarounds for this yet? I'm running a server and I can't disable selinux, but it's hard to manage a very large number of images without any thumbnails.
Try to use the latest F20 policy.

http://koji.fedoraproject.org/koji/buildinfo?buildID=495907
Yep it works! I've installed both the selinux-policy and selinux-policy-targeted:

# yum localinstall --nogpgcheck http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/124.fc20/noarch/selinux-policy-3.12.1-124.fc20.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/124.fc20/noarch/selinux-policy-targeted-3.12.1-124.fc20.noarch.rpm

And now tumblerd works without problem. Thanks a lot!
Thanks for confirming! I'll just wait until it's pushed to the updates repo. Regards!
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20
I'll provide feedback when it becomes available at my local (mx) mirror. Thanks.
Package selinux-policy-3.12.1-126.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).
Package selinux-policy-3.12.1-127.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:

# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.