Description of problem: SELinux is preventing atril-thumbnail from using the 'fowner' capabilities. ***** Plugin catchall (100. confidence) suggests ************************** Se ci credi atril-thumbnail dovrebbe avere il fowner capacità di default. Then si dovrebbe riportare il problema come bug. E' possibile generare un modulo di politica locale per consentire questo accesso. Do consentire questo accesso per ora eseguendo: # ausearch -c 'atril-thumbnail' --raw | audit2allow -M my-$MODULE_NOME # semodule -X 300 -i miei-atrilthumbnail.pp Additional Information: Source Context unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 Target Context unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 Target Objects Sconosciuto [ capability ] Source atril-thumbnail Source Path atril-thumbnail Port <Sconosciuto> Host (removed) Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-38.24-1.fc38.noarch Local Policy RPM selinux-policy-targeted-38.24-1.fc38.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 6.4.9-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Aug 8 21:21:11 UTC 2023 x86_64 Alert Count 1 First Seen 2023-08-12 12:04:15 CEST Last Seen 2023-08-12 12:04:15 CEST Local ID 672d6e9d-680c-4151-bb2b-76ecce47f422 Raw Audit Messages type=AVC msg=audit(1691834655.557:997): avc: denied { fowner } for pid=290327 comm="atril-thumbnail" capability=3 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability permissive=1 Hash: atril-thumbnail,thumb_t,thumb_t,capability,fowner Version-Release number of selected component: selinux-policy-targeted-38.24-1.fc38.noarch Additional info: reporter: libreport-2.17.11 reason: SELinux is preventing atril-thumbnail from using the 'fowner' capabilities. package: selinux-policy-targeted-38.24-1.fc38.noarch component: selinux-policy hashmarkername: setroubleshoot type: libreport kernel: 6.4.9-200.fc38.x86_64 component: selinux-policy
Created attachment 1983108 [details] File: description
Created attachment 1983109 [details] File: os_info
Davide, Do you know what are the conditions to trigger this issue? If you are able to reproduce it, can you gather denials with full auditing enabled? https://fedoraproject.org/wiki/SELinux/Debugging#Enable_full_auditing