1442237 – SELinux is preventing gdk-pixbuf-thum from using the 'dac_read_search' capabilities.

Bug 1442237 - SELinux is preventing gdk-pixbuf-thum from using the 'dac_read_search' capabilities.

Summary: SELinux is preventing gdk-pixbuf-thum from using the 'dac_read_search' capabi...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	25
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:58ba9cbaaa5b6dc84d18c1d7e95...
Duplicates (9):	1442240 1442242 1442243 1442244 1442245 1442246 1442248 1442249 1442251 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-04-13 20:14 UTC by xzj8b3
Modified:	2017-04-13 20:51 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2017-04-13 20:48:55 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description xzj8b3 2017-04-13 20:14:02 UTC

Description of problem:
SELinux is preventing gdk-pixbuf-thum from using the 'dac_read_search' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If si vuole aiutare ad identificare se al dominio serva questo accesso o se si possiede un file con i permessi sbagliati sul sistema
Then attivare l'auditing completo per ottenere le informazioni del percorso del file incriminato e generare nuovamente l'errore.
Do

Attivare il controllo completo auditing
# auditctl -w /etc/shadow -p w
Provare a ricreare AVC. Eseguire quindi
# ausearch -m avc -ts recent
Qualora si noti il record PATH, controllare la proprietà/i permessi sul file e correggerli,
altrimenti registrare un bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If si pensa che gdk-pixbuf-thum dovrebbe avere funzionalità dac_read_search in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
allow this access for now by executing:
# ausearch -c 'gdk-pixbuf-thum' --raw | audit2allow -M my-gdkpixbufthum
# semodule -X 300 -i my-gdkpixbufthum.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        gdk-pixbuf-thum
Source Path                   gdk-pixbuf-thum
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-225.11.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.10.8-200.fc25.x86_64 #1 SMP Fri
                              Mar 31 13:20:22 UTC 2017 x86_64 x86_64
Alert Count                   27
First Seen                    2017-04-11 01:00:55 CEST
Last Seen                     2017-04-11 01:00:57 CEST
Local ID                      d0c42285-c887-4a59-8e0d-996fab7c9945

Raw Audit Messages
type=AVC msg=audit(1491865257.150:334): avc:  denied  { dac_read_search } for  pid=5808 comm="totem-video-thu" capability=2  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: gdk-pixbuf-thum,thumb_t,thumb_t,capability,dac_read_search

Version-Release number of selected component:
selinux-policy-3.13.1-225.11.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.10.8-200.fc25.x86_64
type:           libreport

Potential duplicate: bug 1438942

Comment 1 Daniel Walsh 2017-04-13 20:48:55 UTC

Looks like you are running Windows as root, which is very dangerous and not supported with SELinux.

Comment 2 Daniel Walsh 2017-04-13 20:49:24 UTC

*** Bug 1442240 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2017-04-13 20:49:59 UTC

*** Bug 1442246 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2017-04-13 20:50:07 UTC

*** Bug 1442245 has been marked as a duplicate of this bug. ***

Comment 5 Daniel Walsh 2017-04-13 20:50:16 UTC

*** Bug 1442244 has been marked as a duplicate of this bug. ***

Comment 6 Daniel Walsh 2017-04-13 20:50:24 UTC

*** Bug 1442243 has been marked as a duplicate of this bug. ***

Comment 7 Daniel Walsh 2017-04-13 20:50:53 UTC

*** Bug 1442242 has been marked as a duplicate of this bug. ***

Comment 8 Daniel Walsh 2017-04-13 20:51:26 UTC

*** Bug 1442248 has been marked as a duplicate of this bug. ***

Comment 9 Daniel Walsh 2017-04-13 20:51:33 UTC

*** Bug 1442249 has been marked as a duplicate of this bug. ***

Comment 10 Daniel Walsh 2017-04-13 20:51:52 UTC

*** Bug 1442251 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.