Bug 848452 - SELinux is preventing /usr/libexec/gstreamer-0.10/gst-plugin-scanner from using the 'sys_nice' capabilities.
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: i686 (OS: Unspecified)
Priority/Severity: unspecified / unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:0ea717d7c497a8be2a913d64f93...
Duplicates: 848455
Reported: 2012-08-15 12:15 EDT by Paulo Edson
Modified: 2012-08-15 15:19 EDT
Doc Type: Bug Fix
Last Closed: 2012-08-15 15:19:23 EDT
Attachments: None
Description Paulo Edson 2012-08-15 12:15:56 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.5.1-1.fc17.i686
time:           Wed 15 Aug 2012 13:15:13 BRT

description:
:SELinux is preventing /usr/libexec/gstreamer-0.10/gst-plugin-scanner from using the 'sys_nice' capabilities.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that gst-plugin-scanner should be allowed the sys_nice capability by default,
:Then you need to report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access now by executing:
:# grep gst-plugin-scan /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
:Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
:Target Objects                 [ capability ]
:Source                        gst-plugin-scan
:Source Path                   /usr/libexec/gstreamer-0.10/gst-plugin-scanner
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           gstreamer-0.10.36-1.fc17.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-145.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.1-1.fc17.i686 #1 SMP Thu Aug 9
:                              18:12:27 UTC 2012 i686 i686
:Alert Count                   4
:First Seen                    2012-08-10 14:15:59 BRT
:Last Seen                     2012-08-13 13:45:29 BRT
:Local ID                      a02bd71c-47b2-48fd-b6c9-59eaff73a5d4
:
:Raw Audit Messages
:type=AVC msg=audit(1344876329.453:212): avc:  denied  { sys_nice } for  pid=5769 comm="gst-plugin-scan" capability=23  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability
:
:
:type=SYSCALL msg=audit(1344876329.453:212): arch=i386 syscall=sched_setscheduler success=yes exit=0 a0=1689 a1=0 a2=bfaf92bc a3=b77776c0 items=0 ppid=5768 pid=5769 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=gst-plugin-scan exe=/usr/libexec/gstreamer-0.10/gst-plugin-scanner subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
:
:Hash: gst-plugin-scan,thumb_t,thumb_t,capability,sys_nice
:
:audit2allow
:
:#============= thumb_t ==============
:allow thumb_t self:capability sys_nice;
:
:audit2allow -R
:
:#============= thumb_t ==============
:allow thumb_t self:capability sys_nice;
:
Comment 1 Daniel Walsh 2012-08-15 14:16:59 EDT
Eric, is this a case of the MAC Check happening before the DAC Check?  I doubt the thumb process has the ability to raise its priority.
Comment 2 Daniel Walsh 2012-08-15 14:18:22 EDT
*** Bug 848455 has been marked as a duplicate of this bug. ***
Comment 3 Eric Paris 2012-08-15 14:25:05 EDT
uid=0 gid=0

this is being run as root.  is it setuid or something?
Comment 4 Daniel Walsh 2012-08-15 15:19:23 EDT
Oops, sorry. I scanned for this but read the pid instead of the UID.

Paulo, do not run nautilus as root.  SELinux is potentially saving you from some dangerous code.
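The thread above resolves the report by reading two fields out of the raw audit records that the setroubleshoot summary does not surface: the SYSCALL record's uid (0, although the login uid auid is 1000) and its success flag (yes, so sched_setscheduler completed even though SELinux refused CAP_SYS_NICE). The script below is an added example, not code from this bug or from Fedora's setroubleshoot or audit2allow; it pairs each AVC record with the SYSCALL record carrying the same audit serial, reproduces the allow rule audit2allow would print, and flags the two conditions the maintainers checked by hand. The sample log is constructed inline: the two records quoted in the description, plus a hypothetical second pair (serial 213, uid 1000, success=no) that I made up to show the contrasting case. Function and field names are my own.

```python
"""Triage SELinux AVC denials before reaching for audit2allow.

For every AVC record, find the SYSCALL record with the same serial and ask:
  1. was the process running as root (uid=0) although it came from an
     unprivileged login session (auid != 0)?
  2. did the syscall succeed anyway (success=yes)?  If so the kernel merely
     consulted the capability and fell back to the DAC rules, so nothing
     was actually blocked and the denial is noise rather than breakage.
Added example; not part of the bug report or of Fedora's tooling.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the two records quoted in the bug, plus a made-up
# pair (serial 213) for an unprivileged process whose call really failed.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1344876329.453:212): avc:  denied  { sys_nice } for  pid=5769 comm="gst-plugin-scan" capability=23  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1344876329.453:212): arch=i386 syscall=sched_setscheduler success=yes exit=0 a0=1689 a1=0 a2=bfaf92bc a3=b77776c0 items=0 ppid=5768 pid=5769 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm=gst-plugin-scan exe=/usr/libexec/gstreamer-0.10/gst-plugin-scanner subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1344876400.100:213): avc:  denied  { sys_nice } for  pid=6001 comm="gst-plugin-scan" capability=23  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1344876400.100:213): arch=i386 syscall=sched_setscheduler success=no exit=-1 a0=1771 a1=1 a2=bfaf92bc a3=b77776c0 items=0 ppid=6000 pid=6001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=gst-plugin-scan exe=/usr/libexec/gstreamer-0.10/gst-plugin-scanner subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")   # timestamp:serial
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')              # key=value tokens
DENIED_RE = re.compile(r"denied\s+\{([^}]*)\}")         # { perm perm ... }
AUID_UNSET = 4294967295                                  # auid=-1 as unsigned


@dataclass
class Denial:
    serial: str
    perms: List[str]
    scontext: str
    tcontext: str
    tclass: str
    syscall: Dict[str, str] = field(default_factory=dict)

    def allow_rule(self) -> str:
        """The rule audit2allow prints for this denial (self when contexts match)."""
        stype = self.scontext.split(":")[2]
        target = "self" if self.tcontext == self.scontext else self.tcontext.split(":")[2]
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {stype} {target}:{self.tclass} {perms};"


def parse_audit(text: str) -> List[Denial]:
    """Collect AVC denials and attach the SYSCALL record sharing each serial."""
    denials: Dict[str, Denial] = {}
    syscalls: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        serial = m.group(2)
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        if kv.get("type") == "AVC":
            dm = DENIED_RE.search(line)
            if dm is None:          # "granted" records carry no denied set
                continue
            perms = dm.group(1).split()
            if serial in denials:   # several AVCs in one event: merge perms
                denials[serial].perms.extend(p for p in perms if p not in denials[serial].perms)
            else:
                denials[serial] = Denial(serial, perms, kv["scontext"], kv["tcontext"], kv["tclass"])
        elif kv.get("type") == "SYSCALL":
            syscalls[serial] = kv   # records may arrive in either order
    for serial, d in denials.items():
        d.syscall = syscalls.get(serial, {})
    return list(denials.values())


def triage(d: Denial) -> Dict[str, object]:
    """Answer the two questions the maintainers asked before touching policy."""
    sc = d.syscall
    uid = int(sc.get("uid", -1))
    auid = int(sc.get("auid", AUID_UNSET))
    succeeded = sc.get("success") == "yes"
    root_from_login = uid == 0 and auid not in (0, AUID_UNSET)
    findings = []
    if root_from_login:
        findings.append(f"runs as uid=0 but login uid is {auid}: find out why it was started as root before relaxing policy")
    if succeeded:
        findings.append(f"{sc.get('syscall')} returned success=yes: the capability was only consulted, the DAC path allowed the call, nothing was blocked")
    elif sc:
        findings.append(f"{sc.get('syscall')} failed (exit={sc.get('exit')}): the denial actually blocked an operation")
    else:
        findings.append("no SYSCALL record for this serial; cannot tell whether the call was blocked")
    return {
        "serial": d.serial, "comm": sc.get("comm"), "uid": uid, "auid": auid,
        "succeeded": succeeded, "root_from_login_user": root_from_login,
        "rule": d.allow_rule(), "findings": findings,
    }


def triage_log(text: str) -> List[Dict[str, object]]:
    return [triage(d) for d in parse_audit(text)]


if __name__ == "__main__":
    for report in triage_log(SAMPLE_AUDIT_LOG):
        print(f"serial {report['serial']} {report['comm']}: {report['rule']}")
        for f in report["findings"]:
            print("  -", f)
```

Run it against a real log with `ausearch -m AVC,SYSCALL --raw | python3 triage.py` (replacing the constructed sample), and only feed audit2allow the serials whose findings say the call was actually blocked; the pair from this bug prints the root-from-login warning and "nothing was blocked", which is the conclusion Comment 4 reached.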
