Description of problem:
Searching in nautilus

SELinux is preventing /usr/bin/evince-thumbnailer from 'execute' accesses on the file /home/carlos/gnome/install/lib64/libgtk-3.so.0.703.0.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that evince-thumbnailer should be allowed execute access on the libgtk-3.so.0.703.0 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep evince-thumbnai /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/carlos/gnome/install/lib64/libgtk-3.so.0.703.0 [ file ]
Source                        evince-thumbnai
Source Path                   /usr/bin/evince-thumbnailer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           totem-3.6.3-1.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-60.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.9-4.fc18.x86_64 #1 SMP Tue Dec 4 14:12:51 UTC 2012 x86_64 x86_64
Alert Count                   4
First Seen                    2012-12-08 01:03:34 CET
Last Seen                     2012-12-08 01:03:38 CET
Local ID                      ede95a9c-f3f8-43db-bc81-4acc7580b3ef

Raw Audit Messages
type=AVC msg=audit(1354925018.136:614): avc: denied { execute } for pid=26810 comm="totem-video-thu" path="/home/carlos/gnome/install/lib64/libgtk-3.so.0.703.0" dev="dm-2" ino=40769942 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

type=SYSCALL msg=audit(1354925018.136:614): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=6fc3c8 a2=5 a3=802 items=0 ppid=26742 pid=26810 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=1 comm=totem-video-thu exe=/usr/bin/totem-video-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: evince-thumbnai,thumb_t,user_home_t,file,execute

audit2allow

#============= thumb_t ==============
allow thumb_t user_home_t:file execute;

audit2allow -R

#============= thumb_t ==============
allow thumb_t user_home_t:file execute;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.9-4.fc18.x86_64
type:           libreport
*** Bug 885274 has been marked as a duplicate of this bug. ***
This looks like a pretty weird setup which we do not want to support. I guess you could label the content as lib_t to make this work.

chcon -t lib_t -R "/home/carlos/gnome/install/lib64"

And then this would be allowed, but we do not want thumbnailers executing random code in your homedir.
This is a jhbuild install of gnome. It is the default installation of jhbuild to develop gnome. So, do I have to file a bug against jhbuild? I guess if I change the name of the directory jhbuild won't work.
I take it your LIBDIR gets pointed to this directory. I guess you can just add an allow rule for this access, using audit2allow, or change the label on the thumb code to bin_t. I don't think there is a real good solution to this, since you are using confined applications against libraries in your homedir.
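As an added example (not part of this report, and not code from setroubleshoot or audit2allow), a small POSIX shell parser that pulls the source type, target type, object class and permission out of a raw AVC line like the one in the report, prints the same allow rule audit2allow would, and flags the case discussed in this thread: a rule that would let a confined domain execute content labelled user_home_t. The function names are my own, and the second sample line (lib_t target, read permission) is constructed for contrast.

```shell
#!/bin/sh
# Parse raw SELinux AVC denials into their parts and show the allow rule that
# audit2allow would generate, so the rule can be reviewed before it is loaded
# with semodule. (Example code, not setroubleshoot's or audit2allow's.)

# Reconstructed from the denial quoted in this report.
SAMPLE_AVC='type=AVC msg=audit(1354925018.136:614): avc:  denied  { execute } for  pid=26810 comm="totem-video-thu" path="/home/carlos/gnome/install/lib64/libgtk-3.so.0.703.0" dev="dm-2" ino=40769942 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Constructed contrast case: the same domain reading a library labelled lib_t.
SAMPLE_AVC_LIB='type=AVC msg=audit(1354925100.000:700): avc:  denied  { read } for  pid=26811 comm="totem-video-thu" path="/usr/lib64/libexample.so.0" dev="dm-2" ino=123 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# context_type CONTEXT -> the SELinux type, i.e. the third colon-separated field
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_permission LINE -> the permission list between "denied { ... }"
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_to_rule LINE -> "allow <source type> <target type>:<class> <perm>;"
avc_to_rule() {
    line=$1
    stype=$(context_type "$(avc_field "$line" scontext)")
    ttype=$(context_type "$(avc_field "$line" tcontext)")
    class=$(avc_field "$line" tclass)
    perm=$(avc_permission "$line")
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$class" "$perm"
}

# needs_review LINE -> exit status 0 when the implied rule would grant a
# confined domain execute (or execmod) on user_home_t content, which is the
# access this report is about and which the policy deliberately withholds
needs_review() {
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    perm=$(avc_permission "$1")
    [ "$ttype" = user_home_t ] || return 1
    case " $perm " in
        *" execute "*|*" execmod "*) return 0 ;;
    esac
    return 1
}

# Demo: print each rule, marking the one that should not go into a local module
for line in "$SAMPLE_AVC" "$SAMPLE_AVC_LIB"; do
    rule=$(avc_to_rule "$line")
    if needs_review "$line"; then
        printf '%s   <- grants execute on home-directory content; review before loading\n' "$rule"
    else
        printf '%s\n' "$rule"
    fi
done
```

Run it as-is to see the two rules; to use it on a real log, replace the sample variables with lines filtered from /var/log/audit/audit.log. The point of needs_review is the one Dan makes in this thread: an allow rule that lets thumb_t execute user_home_t files undoes the confinement, so relabelling the directory or the thumbnailer is the decision to weigh, not the rule itself.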
Ok, thanks Daniel
*** Bug 972712 has been marked as a duplicate of this bug. ***