Bug 1311677 - SELinux prevents Thunar from creating thumbnails
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: x86_64 Linux
Priority: low
Severity: low
Assigned To: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-02-24 12:33 EST by a.o.shyichuk
Modified: 2016-02-24 16:57 EST
Doc Type: Bug Fix
Last Closed: 2016-02-24 16:57:54 EST
Type: Bug

Attachments
Cropped audit.log (1.77 KB, text/plain), 2016-02-24 12:34 EST, a.o.shyichuk
My policy file for thumbnails, should work as a patch (1.25 KB, application/octet-stream), 2016-02-24 12:36 EST, a.o.shyichuk (a.o.shyichuk: review+)
.te file, corresponding to the .pp file (438 bytes, text/plain), 2016-02-24 12:36 EST, a.o.shyichuk (a.o.shyichuk: review+)
The .pp file that worked for me (1.28 KB, text/plain), 2016-02-24 14:08 EST, a.o.shyichuk (a.o.shyichuk: review+)
The .pp file that worked for me (1.28 KB, application/octet-stream), 2016-02-24 14:09 EST, a.o.shyichuk
The .te file corresponding to the .pp file (472 bytes, text/plain), 2016-02-24 14:09 EST, a.o.shyichuk
Cropped log with message examples (2.32 KB, text/plain), 2016-02-24 14:12 EST, a.o.shyichuk

Description a.o.shyichuk 2016-02-24 12:33:00 EST
Description of problem:

SELinux does not allow Thunar to create thumbnail images in ~/.cache/thumbnails

Version-Release number of selected component (if applicable):
x86_64 Fedora 23 Xfce, 4.3.5-300.fc23.x86_64

How reproducible:

Open a folder with images in Thunar: thumbnails are not displayed. 
"setenforce 0" fixes the issue. 

Just in case: I was opening a folder on a manually mounted non-system NTFS hard drive. 

Comments:
In order to fix the issue, several different permissions must be set. Check the attached thumbs-pol.te for details. I do not know how to set them all at once, other than using the attached thumbs-pol.pp. In my case, I was repeating the steps below.

Fix:
Modify selinux policy via repetitions of the following steps:

0. Run "setenforce 1" to go back to enforcing mode.

1. Open a folder with images in Thunar (it is not required to restart thunar, just go to parent dir and back)

2. (optional): check /var/log/audit/audit.log; there must be a line like:
type=AVC msg=audit(1456332407.222:284): avc:  denied  { add_name } for  pid=1369 comm="pool" name="0dc587ea8551e5fcdb39b3599e9d4d68-1456332407-223458.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

3. grep <keyword> /var/log/audit/audit.log | audit2allow -M thumbs-pol

As there are several permissions to set, the lines in audit.log will differ after the policy update. However, those must contain a common keyword. In my case, it was 'comm="pool"'. My command looked like this:
grep 'comm="pool"' /var/log/audit/audit.log | audit2allow -M thumbs-pol

4. Update policy via:
semodule -i thumbs-pol.pp 

5. Go to step 1 and check if the thumbnails are displayed, continue to step 2 or 3 if not. Note that the type=AVC messages will differ.

Comment 1 a.o.shyichuk 2016-02-24 12:34 EST
Created attachment 1130278
Cropped audit.log

Comment 2 a.o.shyichuk 2016-02-24 12:36 EST
Created attachment 1130279
My policy file for thumbnails, should work as a patch

Comment 3 a.o.shyichuk 2016-02-24 12:36 EST
Created attachment 1130280
.te file, corresponding to the .pp file

Comment 4 a.o.shyichuk 2016-02-24 14:08 EST
Created attachment 1130300
The .pp file that worked for me

Comment 5 a.o.shyichuk 2016-02-24 14:09 EST
Created attachment 1130301
The .pp file that worked for me

Comment 6 a.o.shyichuk 2016-02-24 14:09 EST
Created attachment 1130302
The .te file corresponding to the .pp file

Comment 7 a.o.shyichuk 2016-02-24 14:12 EST
Created attachment 1130303
Cropped log with message examples

Comment 8 Lukas Vrabec 2016-02-24 16:57:54 EST
Hi,

The problem here is a mislabeled homedir on your system.
To fix this issue, please run:
# restorecon -Rv /home/

I removed the text in doc text, because it's not a proper fix.

Thank you.
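
Added example (not from the report, its attachments or selinux-policy): a small triage of audit.log AVC denials that separates targets carrying a placeholder label, such as the unlabeled_t in the denial quoted in the description, from denials that may be real policy gaps, so that relabeling with restorecon is tried before a module is generated with audit2allow. The MISLABEL_TYPES set, the function names and the second sample line are assumptions made for this example.

```python
import re

# Types that usually mean "this object never got a proper label".
# Heuristic set chosen for this example, not taken from the bug report.
MISLABEL_TYPES = {"unlabeled_t", "default_t", "file_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other records."""
    if "type=AVC" not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # An SELinux context is user:role:type[:level]; the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = fields.get(key, "").split(":")
        fields[key + "_type"] = parts[2] if len(parts) > 2 else ""
    return fields


def triage(lines):
    """Split denials into labeling problems and candidate policy gaps."""
    relabel, review = [], []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        (relabel if avc["tcontext_type"] in MISLABEL_TYPES else review).append(avc)
    return relabel, review


# The first line is the denial quoted in the report; the second is constructed.
SAMPLE = [
    'type=AVC msg=audit(1456332407.222:284): avc:  denied  { add_name } for  pid=1369 comm="pool" name="0dc587ea8551e5fcdb39b3599e9d4d68-1456332407-223458.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1456332500.000:300): avc:  denied  { read } for  pid=1400 comm="pool" name="example.conf" scontext=unconfined_u:unconfined_r:thumb_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

if __name__ == "__main__":
    relabel, review = triage(SAMPLE)
    for a in relabel:
        print("relabel (restorecon) before writing policy:", a["tclass"], a["name"], a["tcontext_type"])
    for a in review:
        print("review as possible policy gap:", a["tclass"], a["name"], a["tcontext_type"])
```

Denials in the first group are worth resolving by relabeling first, because an allow rule written against a placeholder type grants the access for every object that carries that type.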
