Bug 1056831 - Selinux is preventing Tumblerd from working
Summary: Selinux is preventing Tumblerd from working
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1056991 1058064
Depends On:
Blocks:
 
Reported: 2014-01-23 02:21 UTC by Adrián Reboreda Martínez
Modified: 2015-11-04 06:34 UTC (History)
CC List: 12 users

Fixed In Version: selinux-policy-3.12.1-127.fc20
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-12 12:17:07 UTC
Type: Bug
Embargoed:


Attachments
Sealert output. (1.79 KB, text/plain), 2014-01-23 02:21 UTC, Adrián Reboreda Martínez

Description Adrián Reboreda Martínez 2014-01-23 02:21:14 UTC
Created attachment 854162
Sealert output.

Description of problem:
SELinux is preventing Tumblerd from generating thumbnails under XFCE and Thunar. The problem started after an update of selinux-policy-targeted.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.12.1-119.fc20.noarch

How reproducible:
Start a tumblerd process from a terminal.

Steps to Reproduce:
1. Close all Thunar Windows
2. Kill any tumblerd instance: pkill tumblerd
3. Try to start a new tumblerd process: /lib64/tumbler-1/tumblerd

Actual results:
Tumblerd does not start, but the following message is shown:

(tumblerd:32274): tumblerd-WARNING **: Failed to connect to the D-Bus session bus: Failed to connect to socket /tmp/dbus-0IrFZKt0JG: Permission denied


Expected results:
Tumblerd must start and generate thumbnails.

Additional info:
If selinux is disabled tumblerd can be started:

setenforce 0
/lib64/tumbler-1/tumblerd

I have attached the sealert output; the text shows that SELinux is having issues with dbus-launch.

Comment 1 Miroslav Grepl 2014-01-23 10:32:21 UTC
# matchpathcon /lib64/tumbler-1/tumblerd
/lib64/tumbler-1/tumblerd	system_u:object_r:thumb_exec_t:s0

Try to execute

# restorecon -R -v /lib64/tumbler-1/tumblerd

Comment 2 Miroslav Grepl 2014-01-23 10:35:24 UTC
*** Bug 1056991 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2014-01-23 10:36:44 UTC
It looks like a labeling issue.

# fixfiles restore

should fix labeling on your system.

Comment 4 Adrián Reboreda Martínez 2014-01-23 10:57:35 UTC
I've tried your solution:

# su -
# fixfiles restore


The process finishes without problem. I try to start tumblerd and the same problem happens.

Also I check if the executable is labeled as it should be:

# matchpathcon /lib64/tumbler-1/tumblerd 
/lib64/tumbler-1/tumblerd	system_u:object_r:thumb_exec_t:s0
# ls -Z /lib64/tumbler-1/tumblerd
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /lib64/tumbler-1/tumblerd


Some other idea?
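The label check in Comments 1 to 4, as an added example that is not part of this bug report: a small Python script that parses the matchpathcon and ls -Z output formats shown above and reports, per path, whether the type is wrong (a plain restorecon fixes it) or only the SELinux user or role differs (a plain restorecon leaves those fields alone; restorecon -F, as used later in the thread, resets them too). The paths /usr/bin/example-wrong and /usr/bin/example-user and their labels are constructed to exercise the two mismatch cases and are not from the report; the ls -Z layout assumed is the coreutils one shown in Comment 4.

```python
"""Compare the label a file should have (matchpathcon) with the label it
actually has (ls -Z) and say whether restorecon, with or without -F, is needed.
Added example for this bug thread; not part of the report or of Fedora's tooling."""

# Constructed sample input in the formats shown in the thread. The first pair
# is the reporter's correctly labelled tumblerd; the other two paths are
# hypothetical and exist only to exercise the two mismatch cases.
MATCHPATHCON_OUTPUT = """\
/lib64/tumbler-1/tumblerd\tsystem_u:object_r:thumb_exec_t:s0
/usr/bin/example-wrong\tsystem_u:object_r:bin_t:s0
/usr/bin/example-user\tsystem_u:object_r:bin_t:s0
"""
LS_Z_OUTPUT = """\
-rwxr-xr-x. root root system_u:object_r:thumb_exec_t:s0 /lib64/tumbler-1/tumblerd
-rwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 /usr/bin/example-wrong
-rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/bin/example-user
"""


def split_context(ctx):
    """'user:role:type[:level]' -> dict; an MLS/MCS level may itself contain ':'."""
    user, role, typ, *level = ctx.split(":")
    return {"user": user, "role": role, "type": typ, "level": ":".join(level)}


def parse_matchpathcon(text):
    """matchpathcon prints '<path>\\t<context>' per line (Comments 1 and 4)."""
    out = {}
    for line in text.splitlines():
        path, ctx = line.split("\t")
        out[path] = ctx
    return out


def parse_ls_z(text):
    """coreutils 'ls -Z' (as on F20) prints mode, user, group, context, then the
    path; split on whitespace at most four times so paths with spaces survive."""
    out = {}
    for line in text.splitlines():
        fields = line.split(None, 4)
        out[fields[4]] = fields[3]
    return out


def label_status(expected, actual):
    """'ok', 'type' (plain restorecon fixes it) or 'user-role' (only the SELinux
    user/role differ; plain restorecon keeps them, restorecon -F resets them).
    Targeted policy keys access decisions on the type, so 'type' is the case
    that actually produces denials."""
    e, a = split_context(expected), split_context(actual)
    if e["type"] != a["type"]:
        return "type"
    if e["user"] != a["user"] or e["role"] != a["role"]:
        return "user-role"
    return "ok"


def check_labels(matchpathcon_text, ls_z_text):
    """Map each path present in both outputs to its label_status()."""
    expected = parse_matchpathcon(matchpathcon_text)
    actual = parse_ls_z(ls_z_text)
    return {p: label_status(expected[p], actual[p]) for p in expected if p in actual}


if __name__ == "__main__":
    for path, status in check_labels(MATCHPATHCON_OUTPUT, LS_Z_OUTPUT).items():
        print(f"{status:9s} {path}")
```

On a real host, feed it the output of "matchpathcon <path>" and "ls -Z <path>"; the reporter's tumblerd comes back "ok", which is exactly why relabeling in Comments 3 and 7 could not help and the denial had to be in the policy itself.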

Comment 5 Miroslav Grepl 2014-01-23 11:41:39 UTC
Ok, I overlooked that. Could you try to update to the latest policy, re-login and re-test?

Comment 6 Miroslav Grepl 2014-01-23 11:58:26 UTC
I am not able to reproduce it.

Comment 7 Adrián Reboreda Martínez 2014-01-23 18:54:37 UTC
Nope, the latest selinux policy is installed. Today's updates only include NetworkManager, dnf and some other stuff.

I did try removing tumbler:

# yum remove tumbler

The command also removed tumbler-extras and ristretto.

Later I reinstalled the three packages and restored the contexts:

# yum install tumbler tumbler-extras ristretto
# restorecon -vRF /lib64

But the same problem happens again when I try to start tumblerd.

Comment 8 Miroslav Grepl 2014-01-27 09:51:02 UTC
*** Bug 1058064 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2014-01-27 09:59:27 UTC
type=AVC msg=audit(1390159825.110:494): avc:  denied  { execute } for  pid=18814 comm="dbus-launch" name="dbus-daemon" dev="dm-2" ino=400782 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file

Comment 10 Benjamin Ariel Nava Martinez 2014-01-27 17:42:02 UTC
Ok, "Is auditd running?" Yes
[root@******* ariel]# systemctl status auditd.service 
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
   Active: active (running) since lun 2014-01-27 11:26:37 CST; 11min ago
  Process: 402 ExecStartPost=/sbin/auditctl -R /etc/audit/audit.rules (code=exited, status=0/SUCCESS)
 Main PID: 401 (auditd)
   CGroup: /system.slice/auditd.service
           ├─401 /sbin/auditd -n
           ├─407 /sbin/audispd
           └─408 /usr/sbin/sedispatch

ene 27 11:26:37 ******* systemd[1]: Started Security Auditing Service.
ene 27 11:26:37 ******* auditd[401]: Started dispatcher: /sbin/audispd pid: 407
ene 27 11:26:37 ******* audispd[407]: priority_boost_parser called with: 4
ene 27 11:26:37 ******* audispd[407]: max_restarts_parser called with: 10
ene 27 11:26:37 ******* audispd[407]: audispd initialized with q_depth=150 ...ns
ene 27 11:26:37 ******* auditd[401]: Init complete, auditd 2.3.3 listening ...e)
Hint: Some lines were ellipsized, use -l to show in full.
(******* is my hostname)

And "Also what does #ausearch -m user_avc" This is the output:
----
time->Wed Jan  8 16:01:02 2014
type=USER_AVC msg=audit(1389218462.021:620): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan  8 16:01:02 2014
type=USER_AVC msg=audit(1389218462.022:621): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan  8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:668): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan  8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:669): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=5)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan  8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:670): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=6)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan  8 18:01:01 2014
type=USER_AVC msg=audit(1389225661.573:671): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=7)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan  9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:576): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan  9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:577): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan  9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:578): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=4)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan  9 01:01:01 2014
type=USER_AVC msg=audit(1389250861.523:579): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=5)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Fri Jan 17 19:59:21 2014
type=USER_AVC msg=audit(1390010361.614:415): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Wed Jan 22 13:23:02 2014
type=USER_AVC msg=audit(1390418582.977:25): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Thu Jan 23 12:08:52 2014
type=USER_AVC msg=audit(1390500532.319:806): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
----
time->Sun Jan 26 13:04:34 2014
type=USER_AVC msg=audit(1390763074.182:15): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Comment 11 Adrián Reboreda Martínez 2014-01-27 17:45:51 UTC
My output of ausearch is the following.

time->Wed Jan 22 15:01:01 2014
type=USER_AVC msg=audit(1390424461.830:447): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Comment 12 Milos Malik 2014-01-31 10:33:31 UTC
A manual run of tumblerd on my RHEL-7 machine always ends up with a "permission denied" message. Some access is denied, but the AVCs are not visible until you call the "semodule -DB" command:

After logging in as staff_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:22:51.362:26438) : saddr=local /tmp/dbus-zmG3DhqIfX 
type=SYSCALL msg=audit(01/31/2014 11:22:51.362:26438) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fffdcfb2b50 a2=0x17 a3=0x0 items=0 ppid=6650 pid=7692 auid=userY uid=userY gid=userY euid=userY suid=userY fsuid=userY egid=userY sgid=userY fsgid=userY tty=pts1 ses=3460 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/31/2014 11:22:51.362:26438) : avc:  denied  { connectto } for  pid=7692 comm=tumblerd path=/tmp/dbus-zmG3DhqIfX scontext=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
----

After logging in as user_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:29:09.157:28819) : saddr=local /tmp/dbus-nFz2EkjzWb 
type=SYSCALL msg=audit(01/31/2014 11:29:09.157:28819) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fffb62d9600 a2=0x17 a3=0x0 items=0 ppid=11031 pid=11090 auid=userX uid=userX gid=userX euid=userX suid=userX fsuid=userX egid=userX sgid=userX fsgid=userX tty=pts1 ses=3464 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=user_u:user_r:thumb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2014 11:29:09.157:28819) : avc:  denied  { connectto } for  pid=11090 comm=tumblerd path=/tmp/dbus-nFz2EkjzWb scontext=user_u:user_r:thumb_t:s0 tcontext=user_u:user_r:user_dbusd_t:s0 tclass=unix_stream_socket 
----

Comment 13 Milos Malik 2014-01-31 10:49:22 UTC
After logging in as unconfined_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:46:32.347:29056) : saddr=local /tmp/dbus-XY7kElSMgR 
type=SYSCALL msg=audit(01/31/2014 11:46:32.347:29056) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fff5c89a020 a2=0x17 a3=0x0 items=0 ppid=12809 pid=12879 auid=userQ uid=userQ gid=userQ euid=userQ suid=userQ fsuid=userQ egid=userQ sgid=userQ fsgid=userQ tty=pts1 ses=3477 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(01/31/2014 11:46:32.347:29056) : avc:  denied  { connectto } for  pid=12879 comm=tumblerd path=/tmp/dbus-XY7kElSMgR scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket 
----

After logging in as xguest_u user:
----
type=SOCKADDR msg=audit(01/31/2014 11:48:14.763:29445) : saddr=local /tmp/dbus-MIyZ5E0E6h 
type=SYSCALL msg=audit(01/31/2014 11:48:14.763:29445) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x3 a1=0x7fffcff16d10 a2=0x17 a3=0x0 items=0 ppid=13310 pid=13312 auid=userZ uid=userZ gid=userZ euid=userZ suid=userZ fsuid=userZ egid=userZ sgid=userZ fsgid=userZ tty=(none) ses=3478 comm=tumblerd exe=/usr/lib64/tumbler-1/tumblerd subj=xguest_u:xguest_r:thumb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2014 11:48:14.763:29445) : avc:  denied  { connectto } for  pid=13312 comm=tumblerd path=/tmp/dbus-MIyZ5E0E6h scontext=xguest_u:xguest_r:thumb_t:s0 tcontext=xguest_u:xguest_r:xguest_dbusd_t:s0 tclass=unix_stream_socket 
----

Comment 14 Miroslav Grepl 2014-01-31 11:20:23 UTC
#============= thumb_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow thumb_t xguest_dbusd_t:unix_stream_socket connectto;

Do you need this access to make it working?

Comment 15 Milos Malik 2014-01-31 12:51:26 UTC
policy_module(mypolicy,1.0)

require {
  type thumb_t;
  type staff_dbusd_t;
  class unix_stream_socket { connectto };
  class dbus { send_msg };
}

allow thumb_t staff_dbusd_t : unix_stream_socket { connectto };
allow thumb_t staff_dbusd_t : dbus { send_msg };

When SELinux is in enforcing mode and the above-mentioned policy module is loaded in memory, tumblerd exits with the following message:

(tumblerd:21892): tumblerd-WARNING **: Failed to start the thumbnail cache service: Another thumbnail cache service is already running

When I switch to permissive mode, tumblerd runs as expected and there are no messages. Unfortunately, I'm unable to make tumblerd run in enforcing mode. After "semodule -DB" there are some AVCs, but none of them (converted to an allow rule) seems to help.

Comment 16 Miroslav Grepl 2014-01-31 12:56:59 UTC
Ok, I think we will need to allow dbus chat.

allow thumb_t staff_dbusd_t : dbus { send_msg };
allow staff_dbusd_t thumb_t : dbus { send_msg };

The problem is that we have the thumb "dbus-daemon --session" running in thumb_t now.
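The AVC triage in Comments 9, 12 and 13 and the allow rules in Comments 14 to 16, as an added example that is not part of this bug report: a Python script that parses both AVC formats appearing above (raw auditd lines and ausearch -i interpreted lines), groups the denied permissions per source type, target type and object class the way audit2allow does, flags an "execute" denial on a *_exec_t file as a missing domain transition rather than a permission to grant (the point Comment 16 makes about dbus-daemon ending up in thumb_t), adds the bidirectional dbus send_msg pair from Comment 16 for each session bus type, and renders the result in the policy_module layout of Comment 15. The sample AVC lines are copied from this thread; the module name mypolicy and the function names are this example's own.

```python
"""Turn SELinux AVC denials into a local policy module (.te) for review.
Added example for this bug thread; not audit2allow and not part of selinux-policy."""
import re
from collections import defaultdict

# Sample denials copied from this bug (one raw auditd line from Comment 9, two
# `ausearch -i` lines from Comment 12). Constructed input for this example.
SAMPLE_AVCS = """
type=AVC msg=audit(1390159825.110:494): avc:  denied  { execute } for  pid=18814 comm="dbus-launch" name="dbus-daemon" dev="dm-2" ino=400782 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file
type=AVC msg=audit(01/31/2014 11:22:51.362:26438) : avc:  denied  { connectto } for  pid=7692 comm=tumblerd path=/tmp/dbus-zmG3DhqIfX scontext=staff_u:staff_r:thumb_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(01/31/2014 11:29:09.157:28819) : avc:  denied  { connectto } for  pid=11090 comm=tumblerd path=/tmp/dbus-nFz2EkjzWb scontext=user_u:user_r:thumb_t:s0 tcontext=user_u:user_r:user_dbusd_t:s0 tclass=unix_stream_socket
"""

# Both formats share the same "avc: denied { perms } for ... scontext= tcontext= tclass=" core.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """'user:role:type[:level]' -> type, the field targeted policy decides on."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every denial
    in `text`; lines that are not AVC denials are ignored."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def needs_transition(rules):
    """An 'execute' denial on a *_exec_t file usually means the caller should
    transition to that program's domain on exec (here dbus-daemon ran in thumb_t),
    not that execute should simply be allowed; return those keys for manual review."""
    return [k for k, perms in sorted(rules.items())
            if k[2] == "file" and "execute" in perms and k[1].endswith("_exec_t")]


def add_dbus_chat(rules, client, bus):
    """D-Bus chat is bidirectional: the bus must also be able to send to the
    client, so the one-way send_msg rule a single denial yields is not enough."""
    rules.setdefault((client, bus, "unix_stream_socket"), set()).add("connectto")
    rules.setdefault((client, bus, "dbus"), set()).add("send_msg")
    rules.setdefault((bus, client, "dbus"), set()).add("send_msg")
    return rules


def render_te(rules, name="mypolicy", version="1.0"):
    """Render rules as a refpolicy-style .te in the layout used in Comment 15:
    policy_module(), a require block for every type and class, then allow lines."""
    types = sorted({t for (s, tt, _) in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"policy_module({name},{version})", "", "require {"]
    out += [f"  type {t};" for t in types]
    out += [f"  class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t} : {cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    rules = parse_avcs(SAMPLE_AVCS)
    for key in needs_transition(rules):
        print(f"# review: {key} looks like a missing domain transition, not an allow")
    for bus in ("staff_dbusd_t", "user_dbusd_t"):
        add_dbus_chat(rules, "thumb_t", bus)
    print(render_te(rules))
```

Build the rendered file with the refpolicy Makefile ("make -f /usr/share/selinux/devel/Makefile mypolicy.pp", from selinux-policy-devel) and load it with "semodule -i mypolicy.pp" only as a local workaround; the real fix landed in the selinux-policy builds named later in this bug. As Comment 12 notes, dontaudit rules can hide the denial you need, so collect AVCs after "semodule -DB" and rebuild with "semodule -B" when done.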

Comment 17 Prasanna Vedantha Desikan 2014-02-04 05:52:15 UTC
Description of problem:
I tried to open the application

Additional info:
reporter:       libreport-2.1.11
hashmarkername: setroubleshoot
kernel:         3.12.9-301.fc20.x86_64
type:           libreport

Comment 18 Benjamin Ariel Nava Martinez 2014-02-07 17:45:14 UTC
So, are there any workarounds for this yet? I'm running a server and I can't disable selinux, but it's hard to manage a very large number of images without any thumbnails.

Comment 19 Miroslav Grepl 2014-02-11 17:19:22 UTC
Try to use the latest F20 policy.

http://koji.fedoraproject.org/koji/buildinfo?buildID=495907

Comment 20 Adrián Reboreda Martínez 2014-02-14 20:42:47 UTC
Yep it works!

I've installed both selinux-policy and selinux-policy-targeted:

# yum localinstall --nogpgcheck http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/124.fc20/noarch/selinux-policy-3.12.1-124.fc20.noarch.rpm http://kojipkgs.fedoraproject.org//packages/selinux-policy/3.12.1/124.fc20/noarch/selinux-policy-targeted-3.12.1-124.fc20.noarch.rpm

And now tumblerd works without problem.

Thanks a lot!

Comment 21 Benjamin Ariel Nava Martinez 2014-02-15 06:33:01 UTC
Thanks for confirming! I'll just wait until it's pushed to the updates repo. Regards!

Comment 22 Fedora Update System 2014-02-18 22:08:52 UTC
selinux-policy-3.12.1-126.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-126.fc20

Comment 23 Benjamin Ariel Nava Martinez 2014-02-20 05:08:16 UTC
I'll provide feedback when it becomes available at my local (mx) mirror. Thanks.

Comment 24 Fedora Update System 2014-02-22 00:41:00 UTC
Package selinux-policy-3.12.1-126.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-126.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-126.fc20
then log in and leave karma (feedback).

Comment 25 Fedora Update System 2014-02-26 13:48:37 UTC
Package selinux-policy-3.12.1-127.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
then log in and leave karma (feedback).

Comment 26 Fedora Update System 2014-03-12 12:17:07 UTC
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

