libreport version: 2.0.8 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.3.0-1.fc17.x86_64 reason: SELinux is preventing /usr/bin/totem-video-thumbnailer from 'write' accesses on the directory test. time: Čt 22. březen 2012, 12:14:35 CET description: :SELinux is preventing /usr/bin/totem-video-thumbnailer from 'write' accesses on the directory test. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that totem-video-thumbnailer should be allowed write access on the test directory by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 :Target Context unconfined_u:object_r:user_home_dir_t:s0 :Target Objects test [ dir ] :Source totem-video-thu :Source Path /usr/bin/totem-video-thumbnailer :Port <Neznámé> :Host (removed) :Source RPM Packages totem-3.3.90-2.fc17.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-104.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.3.0-1.fc17.x86_64 #1 : SMP Mon Mar 19 03:03:39 UTC 2012 x86_64 x86_64 :Alert Count 2 :First Seen Čt 22. březen 2012, 12:42:41 CET :Last Seen Čt 22. březen 2012, 12:13:58 CET :Local ID 947da3f2-a14a-422e-bd11-a22d0ce0d154 : :Raw Audit Messages :type=AVC msg=audit(1332414838.321:300): avc: denied { write } for pid=1856 comm="totem-video-thu" name="test" dev="dm-2" ino=26476545 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir : : :type=SYSCALL msg=audit(1332414838.321:300): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=1a36b40 a1=1ff a2=2 a3=7fff2916aef0 items=0 ppid=1654 pid=1856 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=totem-video-thu exe=/usr/bin/totem-video-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null) : :Hash: totem-video-thu,thumb_t,user_home_dir_t,dir,write : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :
Filip, how did you get this? I mean how did you create "test" dir?
(In reply to comment #1) > Filip, > how did you get this? I mean how did you create "test" dir? I plugged a USB thumb drive, it was automounted. Then I opened some directory (on it) which contained audio (mp3) files and after hovering over one of them, the avc denial appeared. The user logged in is called test, so the directory is /home/test.
Filip can you run in permissive mode and see what file/directory it creates. It will be labeled user_home_dir_t.
(In reply to comment #3) > Filip can you run in permissive mode and see what file/directory it creates. > It will be labeled user_home_dir_t. Some files were created in ~/.thumbnails/fail/gnome-thumbnail-factory: > ./.thumbnails/fail/gnome-thumbnail-factory/dc8de19273cb3057e91a08c4c9832ede.png > ./.thumbnails/fail/gnome-thumbnail-factory/f8c6610fd5bb84925d072ef1c23af074.png > ./.thumbnails/fail/gnome-thumbnail-factory/dba52bdd11643ccdfef1db9d68c9dd1b.png -rw-------. test test unconfined_u:object_r:user_home_t:s0 ./.thumbnails/fail/gnome-thumbnail-factory/dc8de19273cb3057e91a08c4c9832ede.png dc8de19273cb3057e91a08c4c9832ede.png: PNG image data, 1 x 1, 8-bit/color RGBA, non-interlaced
Great thanks.
Fixed in selinux-policy-3.10.0-106.fc17
selinux-policy-3.10.0-106.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-106.fc17
Package selinux-policy-3.10.0-106.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-106.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-4694/selinux-policy-3.10.0-106.fc17 then log in and leave karma (feedback).
selinux-policy-3.10.0-106.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.