Bug 806470 - SELinux is preventing /usr/bin/evince-thumbnailer from 'read' accesses on the file Fedora-16-Release_Notes-en-US.pdf.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:6cb689075c1036dfd66405ba084...
Duplicates: 806146 807058 807060
Depends On:
Blocks:
 
Reported: 2012-03-23 20:56 UTC by Flóki Pálsson
Modified: 2012-04-04 21:10 UTC (History)

Fixed In Version: selinux-policy-3.10.0-110.fc17
Clone Of:
Environment:
Last Closed: 2012-04-04 21:10:34 UTC
Type: ---
Embargoed:



Description Flóki Pálsson 2012-03-23 20:56:11 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-1.fc17.x86_64
reason:         SELinux is preventing /usr/bin/evince-thumbnailer from 'read' accesses on the file Fedora-16-Release_Notes-en-US.pdf.
time:           fös 23.mar 2012, 20:55:56 GMT

description:
:SELinux is preventing /usr/bin/evince-thumbnailer from 'read' accesses on the file Fedora-16-Release_Notes-en-US.pdf.
:
:*****  Plugin catchall_labels (83.8 confidence) suggests  ********************
:
:If you want to allow evince-thumbnailer to have read access on the Fedora-16-Release_Notes-en-US.pdf file
:Then you need to change the label on Fedora-16-Release_Notes-en-US.pdf
:Do
:# semanage fcontext -a -t FILE_TYPE 'Fedora-16-Release_Notes-en-US.pdf'
:where FILE_TYPE is one of the following: fonts_cache_t, thumb_exec_t, shell_exec_t, sysctl_crypto_t, user_cron_spool_t, cert_t, data_home_t, etc_t, user_home_type, sssd_public_t, abrt_t, lib_t, ld_so_t, net_conf_t, cpu_online_t, afs_cache_t, abrt_helper_exec_t, krb5_conf_t, user_tmp_type, passwd_file_t, gstreamer_home_t, textrel_shlib_t, xdm_home_t, rpm_script_tmp_t, thumb_tmp_t, ld_so_cache_t, bin_t, samba_var_t, locale_t, dosfs_t, etc_t, fonts_t, thumb_t, proc_t, usr_t, sysfs_t, net_conf_t, abrt_var_run_t, audio_home_t. 
:Then execute: 
:restorecon -v 'Fedora-16-Release_Notes-en-US.pdf'
:
:
:*****  Plugin catchall (17.1 confidence) suggests  ***************************
:
:If you believe that evince-thumbnailer should be allowed read access on the Fedora-16-Release_Notes-en-US.pdf file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep evince-thumbnai /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:default_t:s0
:Target Objects                Fedora-16-Release_Notes-en-US.pdf [ file ]
:Source                        evince-thumbnai
:Source Path                   /usr/bin/evince-thumbnailer
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           evince-3.3.90-1.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-104.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.0-1.fc17.x86_64 #1 SMP Mon Mar 19
:                              03:03:39 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    fös 23.mar 2012, 20:50:13 GMT
:Last Seen                     fös 23.mar 2012, 20:52:31 GMT
:Local ID                      ed106bfe-e86f-4e51-bce5-fb83584e4472
:
:Raw Audit Messages
:type=AVC msg=audit(1332535951.357:97): avc:  denied  { read } for  pid=2432 comm="evince-thumbnai" name="Fedora-16-Release_Notes-en-US.pdf" dev="sdc1" ino=12017669 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1332535951.357:97): arch=x86_64 syscall=open success=no exit=EACCES a0=78a700 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=0 ppid=1832 pid=2432 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
:
:Hash: evince-thumbnai,thumb_t,default_t,file,read
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Flóki Pálsson 2012-03-23 21:10:35 UTC
This happens while copying a pdf to a folder with
drwxrwxr-x. floki floki system_u:object_r:default_t:s0   skjöl


Copy file Fedora-16-Release_Notes-en-US.pdf
-rw-rw-r--. floki floki unconfined_u:object_r:user_tmp_t:s0 Fedora16-Release_Notes-en-US.pdf

from folder
home/floki/Niðurhal ( Download )
with
drwxr-xr-x. floki floki unconfined_u:object_r:user_home_t:s0 Niðurhal
in /home/floki/Niðurhal ( Download )

to folder
/mnt/tonlist/tonlist/þættir/ymislegt/skjöl
with
drwxrwxr-x. floki floki system_u:object_r:default_t:s0   skjöl

See also Bug 806146

Copying completes ok.
And viewing the file is ok.

Comment 2 Flóki Pálsson 2012-03-24 01:35:19 UTC
In F14 there is no sealert when copying a pdf into the same folder
/mnt/tonlist/tonlist/þættir/ymislegt/skjöl

Comment 3 Miroslav Grepl 2012-03-26 10:10:25 UTC
*** Bug 806146 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2012-03-26 10:38:37 UTC
What is /mnt/tonlist? I mean what kind of data is mounted there?

Comment 5 Flóki Pálsson 2012-03-26 21:35:33 UTC
>What is /mnt/tonlist? I mean what kind of data is mounted there?
Nothing special.
It is a partition where I keep data, for example documents and music.
It is mounted with fstab
UUID="ca6b045e-79a6-446f-877b-xx..."	/mnt/tonlist	ext3	defaults        0 0

Comment 6 Miroslav Grepl 2012-03-27 06:49:18 UTC
*** Bug 807058 has been marked as a duplicate of this bug. ***

Comment 7 Miroslav Grepl 2012-03-27 06:51:38 UTC
*** Bug 807060 has been marked as a duplicate of this bug. ***

Comment 8 Miroslav Grepl 2012-03-27 18:04:22 UTC
I think we could add support for nfs/cifs and public content to handle these configurations.

For now try to execute

$ chcon -R -t user_home_t /mnt/tonlist/*

Comment 9 Daniel Walsh 2012-03-27 19:00:24 UTC
default_t is the label of non-standard directories created under /. I believe the file was created in one of these directories and then moved under /mnt.

The problem here is whether we allow thumb_t to read any non security file on the system.

Comment 10 Miroslav Grepl 2012-03-28 07:36:38 UTC
I made thumb as userdom_home_reader to see if this is enough. Probably not but we could try it for now.

Comment 11 Flóki Pálsson 2012-03-28 20:16:21 UTC
Comment #8
>$ chcon -R -t user_home_t /mnt/tonlist/*
Yes.
That works.
I cannot remember why "system_u:object_r:default_t:s0" is on the data disk /mnt/tonlist. But I changed it to that at some point in time.
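
Added example, not code from the bug report or from the selinux-policy project: a small Python triage helper that parses the raw AVC line quoted in the description and applies the reasoning from comments 8, 9 and 11. A target type of default_t (or unlabeled_t) means the object never received a real label, so the right fix is to label the directory tree persistently (semanage fcontext plus restorecon) rather than to generate an allow rule with audit2allow, which would let thumb_t read everything carrying the catch-all type. The sample audit line is a constructed copy of the one in the report; the path /mnt/tonlist and the user_home_t type follow comment 8, and the classification heuristic is this example's own assumption.

```python
"""Triage an SELinux AVC denial: labeling problem or policy gap?

Added example, not code from the bug report or the selinux-policy project.
"""
import re
import shlex

# Constructed copy of the AVC line quoted under "Raw Audit Messages" above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1332535951.357:97): avc:  denied  { read } for  '
    'pid=2432 comm="evince-thumbnai" name="Fedora-16-Release_Notes-en-US.pdf" '
    'dev="sdc1" ino=12017669 '
    'scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:default_t:s0 tclass=file'
)

# Target types that mean "no real label was ever assigned": default_t is the
# catch-all for non-standard directories under /, unlabeled_t marks objects
# with no context at all.  An allow rule for these would let the source domain
# read anything else that happens to carry the catch-all type.
LABELING_PROBLEM_TYPES = {"default_t", "unlabeled_t"}

_PERMS = re.compile(r"\{\s*([^}]*?)\s*\}")       # { read } or { read open }
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value"


def parse_avc(line):
    """Extract the fields of a 'type=AVC ... denied' line needed for triage."""
    if "avc:" not in line or "denied" not in line:
        raise ValueError("not an AVC denial line")
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    perms = _PERMS.search(line)
    # A context is user:role:type[:range]; the type is the third component.
    return {
        "perms": perms.group(1).split() if perms else [],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
    }


def classify(info):
    """'mislabeled' if the target carries a catch-all type, else 'policy'."""
    return "mislabeled" if info["target_type"] in LABELING_PROBLEM_TYPES else "policy"


def suggest_fix(info, path_prefix, file_type="user_home_t"):
    """Return the commands an admin would run as root.

    path_prefix is the directory or mount point holding the denied object
    (the /mnt/tonlist data partition in this report); file_type is the label
    to assign, user_home_t as in comment 8 (an assumption of this example).
    """
    if classify(info) == "mislabeled":
        pattern = path_prefix.rstrip("/") + "(/.*)?"
        return [
            # Persistent rule recorded in the file-context database ...
            f"semanage fcontext -a -t {file_type} {shlex.quote(pattern)}",
            # ... applied to the files already there; survives later relabels.
            f"restorecon -Rv {shlex.quote(path_prefix)}",
        ]
    # Genuine policy gap: the catchall plugin's local-module route.
    return [
        f"grep {shlex.quote(info['comm'])} /var/log/audit/audit.log | audit2allow -M mypol",
        "semodule -i mypol.pp",
    ]


if __name__ == "__main__":
    info = parse_avc(SAMPLE_AVC)
    print(f"{info['comm']} ({info['source_type']}) denied {info['perms']} "
          f"on {info['name']} ({info['target_type']}): {classify(info)}")
    for cmd in suggest_fix(info, "/mnt/tonlist"):
        print("  #", cmd)
```

The chcon from comment 8 changes the labels immediately, which is why it worked, but chcon does not record anything in the file-context database, so a later restorecon or a full relabel puts default_t back; the semanage fcontext rule plus restorecon produced above is the persistent form of the same change.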

Comment 12 Fedora Update System 2012-04-03 07:43:49 UTC
selinux-policy-3.10.0-110.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-110.fc17

Comment 13 Fedora Update System 2012-04-04 21:10:34 UTC
selinux-policy-3.10.0-110.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.

