Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 807005 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'getattr' accesses on the file .
Summary: SELinux is preventing /usr/bin/totem-video-thumbnailer from 'getattr' accesse...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:7a8c947c1b41d3e963c37648cef...
: 807004 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2012-03-26 18:15 UTC by Mikhail
Modified: 2012-03-27 06:58 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-03-27 06:48:01 UTC
Type: ---

Attachments (Terms of Use)

Description Mikhail 2012-03-26 18:15:33 UTC
libreport version: 2.0.8
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.3.0-1.fc17.i686.PAE
reason:         SELinux is preventing /usr/bin/totem-video-thumbnailer from 'getattr' accesses on the file .
time:           Tue 27 Mar 2012 12:15:24 AM YEKT

:SELinux is preventing /usr/bin/totem-video-thumbnailer from 'getattr' accesses on the file .
:*****  Plugin file (36.8 confidence) suggests  *******************************
:If you think this is caused by a badly mislabeled machine.
:Then you need to fully relabel.
:touch /.autorelabel; reboot
:*****  Plugin file (36.8 confidence) suggests  *******************************
:If you think this is caused by a badly mislabeled machine.
:Then you need to fully relabel.
:touch /.autorelabel; reboot
:*****  Plugin catchall_labels (23.2 confidence) suggests  ********************
:If you want to allow totem-video-thumbnailer to have getattr access on the  file
:Then you need to change the label on $FIX_TARGET_PATH
:# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH'
:where FILE_TYPE is one of the following: xdm_tmp_t, user_home_type, sysctl_crypto_t, net_conf_t, cert_t, etc_t, user_tmp_t, logfile, user_tmp_type, gstreamer_home_t, sssd_public_t, abrt_t, lib_t, ld_so_t, xdm_home_t, cpu_online_t, abrt_helper_exec_t, thumb_tmp_t, user_home_t, krb5_conf_t, passwd_file_t, bin_t, locale_t, dosfs_t, etc_t, fonts_t, proc_t, thumb_t, sysfs_t, usr_t, textrel_shlib_t, rpm_script_tmp_t, user_tmp_t, audio_home_t, fonts_cache_t, ld_so_cache_t, abrt_var_cache_t, samba_var_t, thumb_exec_t, thumb_home_t, shell_exec_t, sosreport_tmp_t, rpm_tmp_t, net_conf_t, admin_home_t, abrt_var_run_t, data_home_t, user_cron_spool_t, krb5_host_rcache_t. 
:Then execute: 
:restorecon -v '$FIX_TARGET_PATH'
:*****  Plugin catchall (5.04 confidence) suggests  ***************************
:If you believe that totem-video-thumbnailer should be allowed getattr access on the  file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:file_t:s0
:Target Objects                 [ file ]
:Source                        totem-video-thu
:Source Path                   /usr/bin/totem-video-thumbnailer
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           totem-3.3.92-1.fc17.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-106.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.0-1.fc17.i686.PAE #1 SMP Mon Mar 19
:                              03:11:34 UTC 2012 i686 i686
:Alert Count                   2
:First Seen                    Tue 27 Mar 2012 12:12:48 AM YEKT
:Last Seen                     Tue 27 Mar 2012 12:13:19 AM YEKT
:Local ID                      ce745237-87c0-4a56-8a5c-286e66786320
:Raw Audit Messages
:type=AVC msg=audit(1332785599.41:183): avc:  denied  { getattr } for  pid=4462 comm="totem-video-thu" path=2F686F6D652F6576612FD097D0B0D0B3D180D183D0B7D0BAD0B82F4F745F7A616B6174615F646F5F72617373766574615F335F5B746F7272656E74732E72755D2E617669 dev="sdb1" ino=27920859 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file
:type=SYSCALL msg=audit(1332785599.41:183): arch=i386 syscall=stat64 success=no exit=EACCES a0=96a1090 a1=bf971e60 a2=4b7ffff4 a3=bf971e60 items=0 ppid=2521 pid=4462 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm=totem-video-thu exe=/usr/bin/totem-video-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
:Hash: totem-video-thu,thumb_t,file_t,file,getattr
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

Comment 1 Miroslav Grepl 2012-03-27 06:48:01 UTC
Did you add a new disk?

You will need to execute the restorecon tool

$ restorecon -R -v MOUNTPOINT

You probably need

$ restorecon -R -v ~/

Comment 2 Miroslav Grepl 2012-03-27 06:58:56 UTC
*** Bug 807004 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.