Bug 1460248 - SELinux is preventing evince-thumbnailer from creating/writing to its own context?
Status: NEW
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 27
Unspecified Unspecified
unspecified Severity unspecified
Assigned To: Lukas Vrabec
Ben Levenson
Reported: 2017-06-09 09:20 EDT by David Hill
Modified: 2017-08-15 04:47 EDT

Type: Bug
Description David Hill 2017-06-09 09:20:53 EDT
Description of problem:
SELinux is preventing evince-thumbnailer from creating/writing to its own context?

type=AVC msg=audit(1495129970.131:11760): avc:  denied  { create } for  pid=17878 comm="evince-thumbnai" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1495129970.132:11761): avc:  denied  { write } for  pid=17878 comm="evince-thumbnai" name="socket" dev="tmpfs" ino=350 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=sock_file permissive=1


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Update to latest policies
2. Set selinux to permissive
3. Reboot
4. Make use of evince-thumbnailer

Actual results:
Blocked

Expected results:
Allowed or hidden

Additional info:
Comment 1 Daniel Walsh 2017-06-09 10:05:32 EDT
This looks like the thumbnail driver is trying to write to a sock_file owned by syslog?
Comment 2 David Hill 2017-06-09 11:08:02 EDT
Yeah I don't understand why it would want to do that.
Comment 3 Daniel Walsh 2017-06-09 11:11:21 EDT
Probably sending a syslog message.  But I am not sure we want thumbnailers writing to syslog.
Comment 4 David Hill 2017-06-09 11:13:45 EDT
Perhaps it should be dontaudit then...  We can always turn on all dontaudit with semodule I think.
Comment 5 Jan Kurik 2017-08-15 04:47:03 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
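
Added example (not part of the original bug thread or of selinux-policy): a small Python parser that reduces the two AVC records from the description to source type, target type, object class and permission, and prints them as candidate rules in the style audit2allow uses to summarise denials. The names parse_avc and candidate_rules are hypothetical, and the dontaudit keyword is only the option raised in Comment 4, not a decision recorded in this bug.

```python
import re
from collections import defaultdict

# The two AVC records from the bug description, copied verbatim.
AVC_LOG = """\
type=AVC msg=audit(1495129970.131:11760): avc:  denied  { create } for  pid=17878 comm="evince-thumbnai" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1495129970.132:11761): avc:  denied  { write } for  pid=17878 comm="evince-thumbnai" name="socket" dev="tmpfs" ino=350 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=sock_file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:mls-range]; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but not actually blocked.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def candidate_rules(log, keyword="dontaudit"):
    """Group denials into rules; a target type equal to the source becomes 'self'."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, log.splitlines())):
        same = rec["source_type"] == rec["target_type"]
        target = "self" if same else rec["target_type"]
        grouped[(rec["source_type"], target, rec["tclass"])].update(rec["perms"])
    return [f"{keyword} {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    for rule in candidate_rules(AVC_LOG):
        print(rule)
```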
