Bug 1421170 - SELinux is preventing atril-thumbnail from 'append' accesses on the file missfont.log.
Summary: SELinux is preventing atril-thumbnail from 'append' accesses on the file miss...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:bd5644738cb71160ef9bc65d2d3...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-10 14:17 UTC by Sam Tygier
Modified: 2017-02-12 06:12 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-12 06:12:21 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Sam Tygier 2017-02-10 14:17:37 UTC 
Description of problem:
It think this is triggered by atril-thumbnailer trying the make thumbnail for a dvi file.
SELinux is preventing atril-thumbnail from 'append' accesses on the file missfont.log.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that atril-thumbnail should be allowed append access on the missfont.log file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'atril-thumbnail' --raw | audit2allow -M my-atrilthumbnail
# semodule -X 300 -i my-atrilthumbnail.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:home_root_t:s0
Target Objects                missfont.log [ file ]
Source                        atril-thumbnail
Source Path                   atril-thumbnail
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.6.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.9.7-201.fc25.x86_64 #1 SMP Thu
                              Feb 2 23:32:42 UTC 2017 x86_64 x86_64
Alert Count                   170
First Seen                    2017-01-23 16:45:16 GMT
Last Seen                     2017-02-10 14:16:12 GMT
Local ID                      2792ec7f-7b0d-4297-b01c-68bf99f1b952

Raw Audit Messages
type=AVC msg=audit(1486736172.599:1206): avc:  denied  { append } for  pid=25976 comm="atril-thumbnail" name="missfont.log" dev="dm-0" ino=1257 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:home_root_t:s0 tclass=file permissive=0


Hash: atril-thumbnail,thumb_t,home_root_t,file,append

Version-Release number of selected component:
selinux-policy-3.13.1-225.6.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.9.7-201.fc25.x86_64
type:           libreport
Comment 1 Daniel Walsh 2017-02-10 22:18:06 UTC 
This looks like you have a labeling issue on your homedir.
home_root_t is the label of /home.

thumbnails are probably writing in a place like /home/dwalsh which should be labeled differently.

restorecon -R -V /home

First to see if this solves your issues.
Comment 2 Sam Tygier 2017-02-11 08:47:18 UTC 
Seems like every folder in home needed relabelling: 

restorecon reset /home/sam context unconfined_u:object_r:home_root_t:s0->unconfined_u:object_r:user_home_dir_t:s0
...

Would this have been from installing F25, and then copying a F23 home folder across from a backup drive? Should this also fix my Bug 1411293 ?
Comment 3 Daniel Walsh 2017-02-12 06:12:21 UTC 
Yes depending on how you copied it back.  But you should always relabel a directory that you restore.  Please reopen this bug if it happens again.
Note You need to log in before you can comment on or make changes to this bug.