Bug 870614 - Triggers selinux event while compositing icons
Summary: Triggers selinux event while compositing icons
Keywords:
Status: CLOSED DUPLICATE of bug 825874
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-10-27 10:07 UTC by Davide Repetto
Modified: 2012-12-03 21:01 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-12-03 21:01:20 UTC
Type: Bug
Embargoed:



Description Davide Repetto 2012-10-27 10:07:45 UTC
Description of problem:
=======================
SELinux is preventing /usr/bin/composite from create access on the file magickNVvF6a.


Version-Release number of selected component (if applicable):
=============================================================
gnome-exe-thumbnailer-0.8-3.fc17
  

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                magickNVvF6a [ file ]
Source                        composite
Source Path                   /usr/bin/composite
Port                          <Sconosciuto>
Host                          dave.idp.it
Source RPM Packages           ImageMagick-6.7.5.6-4.fc17.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dave.idp.it
Platform                      Linux dave.idp.it 3.6.2-4.fc17.i686 #1 SMP Wed Oct 17 03:22:23 UTC 2012 i686 i686
Alert Count                   15
First Seen                    2012-10-26 21:00:43 CEST
Last Seen                     2012-10-26 21:00:45 CEST
Local ID                      ec8382ba-0483-4a7a-b86b-d91b17f77908

Raw Audit Messages
type=AVC msg=audit(1351278045.898:233358): avc:  denied  { create } for  pid=6614 comm="convert" name="magickNVvF6a" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file


type=SYSCALL msg=audit(1351278045.898:233358): arch=i386 syscall=open success=no exit=EACCES a0=8dc1ab0 a1=80c2 a2=180 a3=b591d1e items=0 ppid=6589 pid=6614 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1146 comm=convert exe=/usr/bin/convert subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: composite,thumb_t,user_home_dir_t,file,create

audit2allow

#============= thumb_t ==============
allow thumb_t user_home_dir_t:file create;

audit2allow -R

#============= thumb_t ==============
allow thumb_t user_home_dir_t:file create;

Comment 1 Miroslav Grepl 2012-11-12 15:16:02 UTC
Any chance 

# restorecon -R -v /home/$YOUR_USERNAME

returns anything?

Comment 2 Davide Repetto 2012-11-13 09:57:20 UTC
Nope.

[root@dave ~]# restorecon -R -v /home/davide
[root@dave ~]#

Comment 3 Daniel Walsh 2012-11-13 18:11:06 UTC
Can you get this to happen again?

Comment 4 Davide Repetto 2012-11-14 00:10:52 UTC
Yes.

Comment 5 Daniel Walsh 2012-11-14 18:37:33 UTC
Why is ImageMagick creating these files in the HomeDir?  Can it move the creation to ~/.cache?

Comment 6 Pavel Alexeev 2012-11-17 19:40:11 UTC
I suppose ImageMagick creates it in the current directory where the conversion happened.

Is it a problem? Would creating it, say, in /tmp solve that problem globally?

Comment 7 Miroslav Grepl 2012-11-19 10:05:36 UTC
Yes, this means it could write anywhere. ~/.cache would be better but /tmp should also work.

Comment 8 Daniel Walsh 2012-11-19 15:07:36 UTC
Let me explain why this is a problem.  Since you are using a random name, we cannot set up a file trans label based on the name, which means we would have to allow thumb apps to create files in $HOME.  Since ~/.bashrc or ~/.profile type files are always executed by users, this allows a hacked thumb application to take over the machine.  If this is moved to /tmp or ~/.cache we have a lot less risk.

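As an added illustration (not part of this report or of the selinux-policy project), the following Python parses the raw AVC record from the description, derives the same rule audit2allow printed, and flags the situation comment 8 describes: a confined domain creating a randomly named file directly in user_home_dir_t, which no name-based file transition can cover. The "magick" + six characters temp-name pattern is an assumption for illustration that matches the name in this report.

```python
import re

# Constructed copy of the AVC record quoted in the description above.
AVC_LINE = (
    'type=AVC msg=audit(1351278045.898:233358): avc:  denied  { create } for  '
    'pid=6614 comm="convert" name="magickNVvF6a" '
    'scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file'
)

# Assumed shape of ImageMagick temp names: "magick" followed by 6 random
# characters. A name-based file transition needs a fixed name, so this
# pattern is exactly what defeats that mitigation.
RANDOM_TMP = re.compile(r'^magick[A-Za-z0-9]{6}$')


def se_type(ctx):
    """Extract the type from a user:role:type[:level] SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None if not an AVC."""
    m = re.search(r'avc:\s+(denied|granted)\s+\{ ([^}]+) \} for (.*)$', line)
    if not m:
        return None
    verdict, perms, rest = m.groups()
    # key=value pairs; quoted values (comm, name) have their quotes stripped
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    return {
        'verdict': verdict,
        'perms': perms.split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'stype': se_type(fields['scontext']),
        'ttype': se_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def allow_rule(d):
    """The allow rule audit2allow would generate for this denial."""
    return 'allow %s %s:%s %s;' % (d['stype'], d['ttype'], d['tclass'], ' '.join(d['perms']))


def home_dir_risk(d):
    """True when a domain creates a random-named file straight in $HOME."""
    return (d['ttype'] == 'user_home_dir_t' and d['tclass'] == 'file'
            and 'create' in d['perms'] and bool(RANDOM_TMP.match(d['name'] or '')))
```

Running `home_dir_risk(parse_avc(AVC_LINE))` on the record above returns True, which is the signal to relocate the temp file rather than to install the generated allow rule.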
Comment 9 Pavel Alexeev 2012-12-03 21:01:20 UTC

*** This bug has been marked as a duplicate of bug 825874 ***
