Description of problem: Nothing special, it happens in the background when a pdf is stored somewhere, e.g. Desktop SELinux is preventing /usr/bin/evince-thumbnailer from 'name_bind' accesses on the udp_socket . ***** Plugin catchall (100. confidence) suggests *************************** If you believe that evince-thumbnailer should be allowed name_bind access on the udp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep evince-thumbnai /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 Target Context system_u:object_r:hi_reserved_port_t:s0 Target Objects [ udp_socket ] Source evince-thumbnai Source Path /usr/bin/evince-thumbnailer Port 774 Host (removed) Source RPM Packages evince-3.6.1-2.fc18.x86_64 Target RPM Packages Policy RPM selinux-policy-3.11.1-67.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 3.7.2-201.fc18.x86_64 #1 SMP Fri Jan 11 22:16:23 UTC 2013 x86_64 x86_64 Alert Count 1 First Seen 2013-01-18 17:35:32 CET Last Seen 2013-01-18 17:35:32 CET Local ID 4a3ab3b3-e902-49e6-b36c-836dc3597470 Raw Audit Messages type=AVC msg=audit(1358526932.628:666): avc: denied { name_bind } for pid=26038 comm="evince-thumbnai" src=774 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket type=AVC msg=audit(1358526932.628:666): avc: denied { node_bind } for pid=26038 comm="evince-thumbnai" src=774 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket type=SYSCALL msg=audit(1358526932.628:666): arch=x86_64 syscall=bind success=no exit=EACCES a0=8 a1=7fff1765a770 a2=10 a3=4560 items=0 ppid=6605 pid=26038 auid=9377 uid=9377 gid=20 euid=9377 suid=9377 fsuid=9377 egid=20 sgid=20 fsgid=20 ses=11 tty=(none) comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null) Hash: evince-thumbnai,thumb_t,hi_reserved_port_t,udp_socket,name_bind audit2allow #============= thumb_t ============== allow thumb_t hi_reserved_port_t:udp_socket name_bind; allow thumb_t node_t:udp_socket node_bind; audit2allow -R #============= thumb_t ============== allow thumb_t hi_reserved_port_t:udp_socket name_bind; allow thumb_t node_t:udp_socket node_bind; Additional info: hashmarkername: setroubleshoot kernel: 3.7.2-201.fc18.x86_64 type: libreport
I don't believe we want thumbnailers communicating over the network.
Additional info: it's a NFS-mounted home directory and I enabled use_nfs_home_dirs
Are you using ypbind?
NIS, yes
ok that is causing the prolem. Added dontaudit's in git 6d173c84efdf37d4939239fea1727f1bd6ab086b 55d2723e0e47f4fabe976fadd0328f3e9bccf2a4 Checked into git
Added.
selinux-policy-3.11.1-73.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-73.fc18
Package selinux-policy-3.11.1-73.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-73.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-1272/selinux-policy-3.11.1-73.fc18 then log in and leave karma (feedback).
selinux-policy-3.11.1-73.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.