Bug 858615 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'create' accesses on the file registry.x86_64.bin.tmpLUSKKW.
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:927c3b39bc6b7555bdd07838f0f...
Reported: 2012-09-19 08:40 UTC by Abhay
Modified: 2012-10-31 10:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-10-24 18:54:18 UTC
Type: ---


Attachments
File: type (9 bytes, text/plain)
2012-09-19 08:40 UTC, Abhay
File: hashmarkername (14 bytes, text/plain)
2012-09-19 08:40 UTC, Abhay

Description Abhay 2012-09-19 08:40:02 UTC
Additional info:
libreport version: 2.0.13
kernel:         3.3.4-5.fc17.x86_64

description:
:SELinux is preventing /usr/bin/totem-video-thumbnailer from 'create' accesses on the file registry.x86_64.bin.tmpLUSKKW.
:
:*****  Plugin catchall (100. confidence) suggests  ***************************
:
:If you believe that totem-video-thumbnailer should be allowed create access on the registry.x86_64.bin.tmpLUSKKW file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
:Target Context                unconfined_u:object_r:cache_home_t:s0
:Target Objects                registry.x86_64.bin.tmpLUSKKW [ file ]
:Source                        totem-video-thu
:Source Path                   /usr/bin/totem-video-thumbnailer
:Port                          <Unknown>
:Host                          (removed)
:Source RPM Packages           totem-3.5.90-2.fc18.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.11.1-21.fc18.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.4-5.fc17.x86_64 #1 SMP Mon May
:                              7 17:29:34 UTC 2012 x86_64 x86_64
:Alert Count                   2
:First Seen                    2012-09-19 14:08:37 IST
:Last Seen                     2012-09-19 14:08:43 IST
:Local ID                      8c199caa-3298-4d82-a01a-54ddb5b49810
:
:Raw Audit Messages
:type=AVC msg=audit(1348043923.545:161): avc:  denied  { create } for  pid=4702 comm="totem-video-thu" name="registry.x86_64.bin.tmpLUSKKW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1348043923.545:161): arch=x86_64 syscall=open success=no exit=EACCES a0=16c0740 a1=c2 a2=180 a3=1 items=0 ppid=4647 pid=4702 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=5 comm=totem-video-thu exe=/usr/bin/totem-video-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
:
:Hash: totem-video-thu,thumb_t,cache_home_t,file,create
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:

Comment 1 Abhay 2012-09-19 08:40:07 UTC
Created attachment 614261
File: type

Comment 2 Abhay 2012-09-19 08:40:10 UTC
Created attachment 614262
File: hashmarkername

Comment 3 Miroslav Grepl 2012-09-19 12:42:09 UTC
What is the path to "registry.x86_64.bin.tmpLUSKKW"?

I would like to know if this is mislabeling or we need to add new rules. Thank you.

Comment 4 Abhay 2012-09-19 13:12:40 UTC
I guess this is mislabeling, because the file was located in /home/abhay/video.

Comment 5 Daniel Walsh 2012-09-20 00:58:46 UTC
~/.cache/thumbnails is mislabeled in the current policy; it should be labeled thumb_home_t. I just fixed that in policy.

Fixed in selinux-policy-3.11.1-23.fc18.noarch

Comment 6 Fedora Update System 2012-09-26 04:51:25 UTC
selinux-policy-3.11.1-25.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-25.fc18

Comment 7 Fedora Update System 2012-09-26 21:18:45 UTC
Package selinux-policy-3.11.1-25.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-25.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14807/selinux-policy-3.11.1-25.fc18
then log in and leave karma (feedback).

Comment 8 Zdenek Chmelar 2012-10-11 19:36:07 UTC
I did no activity with Totem; the message appeared while emptying the trash.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 9 Daniel Walsh 2012-10-12 02:24:01 UTC
Thumbnailers get executed when you have a Nautilus screen, i.e. a screen showing you files with icons.

Comment 10 Daniel Walsh 2012-10-12 02:27:13 UTC
Fixed in selinux-policy-3.11.1-37.fc18.noarch

Comment 11 Petr Schindler 2012-10-23 11:51:26 UTC
This bug appears when I copy some music and videos from one folder to another.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 12 Mikhail 2012-10-28 07:55:08 UTC
$ rpm -q selinux-policy
selinux-policy-3.11.1-46.fc18.noarch

And the problem is still there :(

Comment 13 Miroslav Grepl 2012-10-29 16:11:13 UTC
Do you get the same AVC msg?

Comment 14 Mikhail 2012-10-29 17:09:44 UTC
How do I check this????


so????

# cat /var/log/audit/audit.log | grep totem-video-thumbnailer


type=SYSCALL msg=audit(1351430384.195:1125): arch=40000003 syscall=5 success=no exit=-13 a0=906e110 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=24791 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351430384.196:1126): arch=40000003 syscall=5 success=no exit=-13 a0=908c738 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=24791 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351440660.812:1161): arch=40000003 syscall=5 success=no exit=-13 a0=84f5ca8 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=27605 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351440660.813:1162): arch=40000003 syscall=5 success=no exit=-13 a0=84f5ca8 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=27605 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351440660.994:1163): arch=40000003 syscall=5 success=no exit=-13 a0=919f110 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=27625 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351440660.994:1164): arch=40000003 syscall=5 success=no exit=-13 a0=91bd738 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=27625 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351442452.956:1178): arch=40000003 syscall=5 success=no exit=-13 a0=8356110 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=29060 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351442452.956:1179): arch=40000003 syscall=5 success=no exit=-13 a0=8374738 a1=80c2 a2=180 a3=c items=0 ppid=7020 pid=29060 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351530390.257:322): arch=40000003 syscall=5 success=no exit=-13 a0=8c84ca8 a1=80c2 a2=180 a3=c items=0 ppid=3994 pid=4018 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1351530390.257:323): arch=40000003 syscall=5 success=no exit=-13 a0=8c84ca8 a1=80c2 a2=180 a3=c items=0 ppid=3994 pid=4018 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
[root@localhost ~]#

Comment 15 Miroslav Grepl 2012-10-29 18:27:02 UTC
Try to re-test it and execute

# ausearch -m avc -ts recent

Comment 16 Daniel Walsh 2012-10-30 19:36:07 UTC
Petr

 ls -ldZ ~/.cache/thumbnails 
drwx------. dwalsh dwalsh staff_u:object_r:thumb_home_t:s0 /home/dwalsh/.cache/thumbnails

Comment 17 Mikhail 2012-10-30 19:39:04 UTC
# ausearch -m avc -ts recent
----
time->Wed Oct 31 01:34:06 2012
type=SYSCALL msg=audit(1351625646.830:559): arch=40000003 syscall=5 success=no exit=-13 a0=9c47ca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=21907 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625646.830:559): avc:  denied  { create } for  pid=21907 comm="totem-video-thu" name="registry.i686.bin.tmpO2NHNW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Wed Oct 31 01:34:06 2012
type=SYSCALL msg=audit(1351625646.830:560): arch=40000003 syscall=5 success=no exit=-13 a0=9c47ca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=21907 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625646.830:560): avc:  denied  { create } for  pid=21907 comm="totem-video-thu" name="registry.i686.bin.tmpQ0NHNW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Wed Oct 31 01:34:19 2012
type=SYSCALL msg=audit(1351625659.688:562): arch=40000003 syscall=5 success=no exit=-13 a0=8abeca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=21958 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625659.688:562): avc:  denied  { create } for  pid=21958 comm="totem-video-thu" name="registry.i686.bin.tmpNK1ENW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Wed Oct 31 01:34:19 2012
type=SYSCALL msg=audit(1351625659.688:561): arch=40000003 syscall=5 success=no exit=-13 a0=8abeca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=21958 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625659.688:561): avc:  denied  { create } for  pid=21958 comm="totem-video-thu" name="registry.i686.bin.tmpQQ1ENW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Wed Oct 31 01:34:41 2012
type=SYSCALL msg=audit(1351625681.690:564): arch=40000003 syscall=5 success=no exit=-13 a0=836dca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=22013 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625681.690:564): avc:  denied  { create } for  pid=22013 comm="totem-video-thu" name="registry.i686.bin.tmpTZZENW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
----
time->Wed Oct 31 01:34:41 2012
type=SYSCALL msg=audit(1351625681.690:563): arch=40000003 syscall=5 success=no exit=-13 a0=836dca8 a1=80c2 a2=180 a3=d items=0 ppid=9392 pid=22013 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1351625681.690:563): avc:  denied  { create } for  pid=22013 comm="totem-video-thu" name="registry.i686.bin.tmpS4ZENW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file

Comment 18 Mikhail 2012-10-30 19:40:05 UTC
$ ls -ldZ ~/.cache/thumbnails 
drwx------. mikhail mikhail unconfined_u:object_r:thumb_home_t:s0 /home/mikhail/.cache/thumbnails

Comment 19 Daniel Walsh 2012-10-31 10:33:17 UTC
Mikhail, do you think this file is being created in the ~/.cache directory or one of the subdirs?

Can you execute 

auditctl -w /etc/shadow -p w

And then generate the AVCs.  This should generate full path information on where the file is created.

I just want to see if there is a specific subdir that the thumbnailer is using, rather than allow thumbnailers to write anywhere in ~/.cache
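
An added triage example (not part of the bug report and not a Fedora tool): it pairs each AVC record with the SYSCALL record of the same audit event, extracts the source and target types the thread is arguing about, and decodes the open() arguments. The function names are hypothetical; the sample event is copied from comment 17.

```python
import re
from collections import defaultdict

# One event copied from comment 17; the SYSCALL record is cut to the fields used here.
SAMPLE = '''\
type=SYSCALL msg=audit(1351625646.830:559): arch=40000003 syscall=5 success=no exit=-13 a0=9c47ca8 a1=80c2 a2=180 a3=d items=0 pid=21907 comm="totem-video-thu"
type=AVC msg=audit(1351625646.830:559): avc:  denied  { create } for  pid=21907 comm="totem-video-thu" name="registry.i686.bin.tmpO2NHNW" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:cache_home_t:s0 tclass=file
'''

RECORD = re.compile(r'^type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
OPEN_CALLS = {('40000003', '5'), ('c000003e', '2')}  # open(2) on i386 / x86_64
ACCESS = ('O_RDONLY', 'O_WRONLY', 'O_RDWR', 'O_ACCMODE')
# Flag bits from the Linux asm-generic fcntl.h, as used on x86.
FLAGS = {0o100: 'O_CREAT', 0o200: 'O_EXCL', 0o1000: 'O_TRUNC', 0o100000: 'O_LARGEFILE'}

def decode_open_flags(hex_flags):
    """Turn the hex a1 argument of open(2) into flag names."""
    value = int(hex_flags, 16)
    return [ACCESS[value & 3]] + [n for bit, n in sorted(FLAGS.items()) if value & bit]

def summarize_denials(log_text):
    """Group records by event serial and describe each AVC denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rtype, serial, body = m.groups()
            fields = ((k, v.strip('"')) for k, v in FIELD.findall(body))
            events[serial][rtype] = dict(fields, _body=body)
    out = []
    for serial, recs in events.items():
        if 'AVC' not in recs:
            continue  # SYSCALL-only input, e.g. a grep on the full binary name
        avc, sc = recs['AVC'], recs.get('SYSCALL', {})
        is_open = sc.get('syscall') == 'open' or (sc.get('arch'), sc.get('syscall')) in OPEN_CALLS
        out.append({
            'serial': serial,
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'tclass': avc['tclass'],
            'perms': re.search(r'\{([^}]*)\}', avc['_body']).group(1).split(),
            'name': avc.get('name'),
            'open_flags': decode_open_flags(sc['a1']) if is_open else None,
            'mode': oct(int(sc['a2'], 16)) if is_open else None,
            'has_path_record': 'PATH' in recs,  # False: only the leaf name is known
        })
    return out

print(summarize_denials(SAMPLE))
```

The AVC record carries only the truncated `comm` and the leaf `name`, so a grep on the full binary path returns SYSCALL lines alone, and without a PATH record the directory of the denied file cannot be read from the event.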

