Bug 1370317 - SELinux is preventing evince-thumbnai from using the 'dac_override' capabilities.
Summary: SELinux is preventing evince-thumbnai from using the 'dac_override' capabilit...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:05443624bfca785cc15b3ab2659...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-08-25 23:58 UTC by Emerson Santos
Modified: 2020-10-19 12:04 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-08-26 15:06:21 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Emerson Santos 2016-08-25 23:58:09 UTC 
Description of problem:
SELinux is preventing evince-thumbnai from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If você deseja ajudar a identificar se o domínio precisa deste acesso ou se você possui um arquivo com as permissões erradas em seu sistema.
Then ligue a auditoria completa para obter informações de caminho sobre ofender arquivo e gerar um erro novamente.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If você acredita que o evince-thumbnai deva ser permitido a capacidade de dac_override  por default.
Then você deve informar que este é um erro.
Você pode gerar um módulo de política local para permitir este acesso.
Do
allow this access for now by executing:
# ausearch -c 'evince-thumbnai' --raw | audit2allow -M my-evincethumbnai
# semodule -X 300 -i my-evincethumbnai.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        evince-thumbnai
Source Path                   evince-thumbnai
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.13.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.6.7-300.fc24.x86_64 #1 SMP Wed
                              Aug 17 18:48:43 UTC 2016 x86_64 x86_64
Alert Count                   72
First Seen                    2016-08-25 20:54:54 BRT
Last Seen                     2016-08-25 20:55:34 BRT
Local ID                      9ac06e29-617c-47bd-9924-033a8cd2b439

Raw Audit Messages
type=AVC msg=audit(1472169334.431:373): avc:  denied  { dac_override } for  pid=2680 comm="gnome-thumbnail" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: evince-thumbnai,thumb_t,thumb_t,capability,dac_override

Version-Release number of selected component:
selinux-policy-3.13.1-191.13.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.7-300.fc24.x86_64
type:           libreport

Potential duplicate: bug 1295226
Comment 1 Daniel Walsh 2016-08-26 15:06:21 UTC 
You should never run graphical tools as root.
Comment 2 antonio montagnani 2020-10-19 12:04:00 UTC 
it happened just after updating to f<33
Note You need to log in before you can comment on or make changes to this bug.