Description of problem:
Additional info can be found here: https://discussion.fedoraproject.org/t/selinux-is-preventing-bwrap-from-mounton-access-on-the-directory-tmp/175344

SELinux is preventing bwrap from 'mounton' accesses on the directory /tmp.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bwrap should be allowed mounton access on the tmp directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'bwrap' --raw | audit2allow -M my-bwrap
# semodule -X 300 -i my-bwrap.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /tmp [ dir ]
Source                        bwrap
Source Path                   bwrap
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.17-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-42.17-1.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.17.8-300.fc43.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 14 01:47:12 UTC 2025 x86_64
Alert Count                   22
First Seen                    2025-12-01 20:13:32 EET
Last Seen                     2025-12-01 20:29:08 EET
Local ID                      ca7d8cb1-8a2c-4876-9e92-cab37a3c807f

Raw Audit Messages
type=AVC msg=audit(1764613748.383:538): avc: denied { mounton } for pid=53071 comm="bwrap" path="/tmp" dev="tmpfs" ino=1 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0

Hash: bwrap,thumb_t,tmp_t,dir,mounton

Version-Release number of selected component:
selinux-policy-targeted-42.17-1.fc43.noarch

Additional info:
reporter:       libreport-2.17.15
reason:         SELinux is preventing bwrap from 'mounton' accesses on the directory /tmp.
package:        selinux-policy-targeted-42.17-1.fc43.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
type:           libreport
kernel:         6.17.8-300.fc43.x86_64
comment:        Additional info can be found here: https://discussion.fedoraproject.org/t/selinux-is-preventing-bwrap-from-mounton-access-on-the-directory-tmp/175344
component:      selinux-policy
Created attachment 2116993
File: description

Created attachment 2116994
File: os_info
I commented over on the Fedora discussion page where you have a thread up. Two ways to deal with this until there is an SELinux policy fix.

The first would be to build that module using the commands shown at the top of your first post. If you do that, things should go back to working normally and you should not get any alerts.

The other way would be to use semanage to set thumb_t to permissive. If you do that, the alerts will still show up, but the thumbnail problem of not showing up should go away. At least you know what is causing the issue...

In my case thumb_t is set to permissive. So I am still getting the alerts when downloading PDF files, but the process is successful. I could generate the module, but I don't really do a lot of PDF downloading, so I will just live with the alerts for now. And if the alerts go away, then I know that they have fixed the SELinux policy upstream.
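
Before installing a local module built from this denial, it helps to see exactly what it would grant. The following is an added example, not part of the bug report or of the SELinux tooling: it parses the raw AVC record quoted in the description and derives the corresponding type-enforcement rule. The function names are hypothetical.

```python
import re

# Raw AVC record copied from the report above.
AVC = (
    'type=AVC msg=audit(1764613748.383:538): avc: denied { mounton } for '
    'pid=53071 comm="bwrap" path="/tmp" dev="tmpfs" ino=1 '
    'scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0'
)

def parse_avc(line):
    """Split one AVC denial into its permissions and key=value fields."""
    m = re.search(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)', line)
    if not m:
        raise ValueError('not an AVC denial record')
    rec = {'perms': m.group(1).split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)):
        rec[key] = value.strip('"')
    return rec

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def te_rule(rec):
    """Type-enforcement allow rule that corresponds to the denial."""
    perms = rec['perms']
    perm_s = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (selinux_type(rec['scontext']),
                                   selinux_type(rec['tcontext']),
                                   rec['tclass'], perm_s)

def scope_note(rec):
    """Describe how far the rule reaches: it matches labels, not paths."""
    return ('every process in domain %s gains %s on every %s labeled %s, '
            'not only %s' % (selinux_type(rec['scontext']),
                             '/'.join(rec['perms']), rec['tclass'],
                             selinux_type(rec['tcontext']),
                             rec.get('path', '?')))

if __name__ == '__main__':
    rec = parse_avc(AVC)
    print(te_rule(rec))
    print(scope_note(rec))
```

Setting the whole domain permissive with semanage, the other workaround mentioned above, reaches further still: it stops enforcement of every denial for thumb_t, not only this one.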
*** This bug has been marked as a duplicate of bug 2415016 ***