Bug 961374 - SELinux is preventing /usr/bin/totem-video-thumbnailer from using the 'dac_override' capabilities.
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
abrt_hash:a02dbaa01b695595b30129675f4...
Reported: 2013-05-09 09:46 EDT by hywel
Modified: 2016-09-20 20:01 EDT
CC: 5 users

Last Closed: 2013-05-09 10:10:03 EDT
Description hywel 2013-05-09 09:46:14 EDT
Description of problem:
SELinux is preventing /usr/bin/totem-video-thumbnailer from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify whether the domain needs this access, or you have a file with the wrong permissions on your system,
then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see a PATH record, check ownership/permissions on the file and fix it;
otherwise report this as a bugzilla bug.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that totem-video-thumbnailer should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                 [ capability ]
Source                        totem-video-thu
Source Path                   /usr/bin/totem-video-thumbnailer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           evince-3.6.1-2.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-91.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.8-203.fc18.x86_64 #1 SMP Wed
                              Apr 24 13:12:26 UTC 2013 x86_64 x86_64
Alert Count                   10
First Seen                    2013-04-26 20:00:51 EDT
Last Seen                     2013-04-26 20:01:51 EDT
Local ID                      a50b2141-55c0-483f-9842-9cd52fbe4284

Raw Audit Messages
type=AVC msg=audit(1367020911.45:1059): avc:  denied  { dac_override } for  pid=16364 comm="evince-thumbnai" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=AVC msg=audit(1367020911.45:1059): avc:  denied  { dac_read_search } for  pid=16364 comm="evince-thumbnai" capability=2  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1367020911.45:1059): arch=x86_64 syscall=open success=no exit=EACCES a0=12b8bd0 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=0 ppid=16047 pid=16364 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts0 comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: totem-video-thu,thumb_t,thumb_t,capability,dac_override

audit2allow

#============= thumb_t ==============
allow thumb_t self:capability { dac_read_search dac_override };

audit2allow -R
require {
	type thumb_t;
	class capability { dac_read_search dac_override };
}

#============= thumb_t ==============
allow thumb_t self:capability { dac_read_search dac_override };


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.11-200.fc18.x86_64
type:           libreport

Potential duplicate: bug 848455
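The two plugin suggestions above amount to a small triage procedure: group the AVC, SYSCALL, PATH and CWD records that share one audit serial, check whether the denied process was running as root, check whether a PATH record shows a file owned by someone other than the process, and only then consider a policy change. As an added example that is not part of this report or of the setroubleshoot and audit2allow tools, the following Python script performs that triage over a raw audit log and renders the allow rules audit2allow would print, so they can be read before anything is loaded with semodule. The embedded sample log is copied from the records quoted in this report (the description and comment 3); the verdict labels and function names are this example's own.

```python
"""Triage SELinux AVC denials from a raw audit.log.

Records sharing one serial (the number after the colon in msg=audit(TIME:SERIAL))
form one event. Verdicts (labels are this example's own, not setroubleshoot's):
  "root"          dac_override/dac_read_search denied to a process with euid 0;
  "dac-mismatch"  a PATH record shows a file owned by a different uid than the
                  process used, so the permissions are wrong, not the policy;
  "policy"        PATH present and ownership matches: a policy question;
  "no-path"       no PATH record: turn on full auditing and reproduce first.
"""
import re
from collections import defaultdict

# Sample input: audit records copied from this bug report (description and
# comment 3), joined as they would appear in /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=AVC msg=audit(1367020911.45:1059): avc:  denied  { dac_override } for  pid=16364 comm="evince-thumbnai" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1367020911.45:1059): avc:  denied  { dac_read_search } for  pid=16364 comm="evince-thumbnai" capability=2  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1367020911.45:1059): arch=x86_64 syscall=open success=no exit=EACCES a0=12b8bd0 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=0 ppid=16047 pid=16364 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts0 comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(1369677302.077:413): item=0 name="/home/james/Pictures/screenshots/" inode=2884257 dev=fd:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=CWD msg=audit(1369677302.077:413):  cwd="/home/james"
type=SYSCALL msg=audit(1369677302.077:413): arch=40000003 syscall=5 success=no exit=-13 a0=989be40 a1=8241 a2=1b6 a3=9a8d470 items=1 ppid=1 pid=1970 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=pts0 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1369677302.077:413): avc:  denied  { write } for  pid=1970 comm="totem-video-thu" name="screenshots" dev="dm-2" ino=2884257 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

_SERIAL = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")
DAC_CAPS = {"dac_override", "dac_read_search"}  # CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH


def parse_record(line):
    """Return (serial, record_type, fields) for one audit line, or None."""
    m = _SERIAL.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    if fields.get("type") == "AVC":
        p = _PERMS.search(line)  # the "{ perm perm }" list of denied permissions
        fields["perms"] = set(p.group(1).split()) if p else set()
    return m.group(1), fields["type"], fields


def group_events(text):
    """Collect every record of the log into events keyed by audit serial."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed:
            serial, rtype, fields = parsed
            events[serial][rtype].append(fields)
    return events


def triage_event(event):
    """Classify one event; returns (verdict, human-readable detail)."""
    avcs = event.get("AVC", [])
    syscall = (event.get("SYSCALL") or [{}])[0]
    paths = event.get("PATH", [])
    perms = set().union(*(a["perms"] for a in avcs))
    domain = avcs[0]["scontext"].split(":")[2] if avcs else "?"
    comm = syscall.get("comm") or (avcs[0].get("comm", "?") if avcs else "?")
    if perms & DAC_CAPS and syscall.get("euid") == "0":
        return ("root", f"{comm} ({domain}) ran as root and needed "
                f"{sorted(perms & DAC_CAPS)}; not a policy bug, do not allow it")
    if paths:
        path = paths[0]
        fsuid = syscall.get("fsuid")
        if fsuid is not None and fsuid != path.get("ouid"):
            return ("dac-mismatch", f"{path['name']} is owned by uid {path['ouid']} "
                    f"but {comm} ran with fsuid {fsuid}; fix ownership/permissions")
        return ("policy", f"{domain} denied {sorted(perms)} on {path['name']} "
                f"({path.get('obj', '?')}); ownership matches, so this is a policy question")
    tclass = avcs[0].get("tclass", "?") if avcs else "?"
    return ("no-path", f"{comm} ({domain}) denied {sorted(perms)} on {tclass} with "
            "no PATH record; turn on full auditing and reproduce")


def suggest_rules(event):
    """Render the allow rules audit2allow would print for this event, merged per
    (source type, target type, class); tcontext == scontext becomes 'self'."""
    merged = defaultdict(set)
    for a in event.get("AVC", []):
        src = a["scontext"].split(":")[2]
        tgt = "self" if a["tcontext"] == a["scontext"] else a["tcontext"].split(":")[2]
        merged[(src, tgt, a["tclass"])] |= a["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]


def triage_log(text):
    """Map each serial in the log to (verdict, detail, suggested_rules)."""
    return {serial: (*triage_event(ev), suggest_rules(ev))
            for serial, ev in group_events(text).items()}


if __name__ == "__main__":
    for serial, (verdict, detail, rules) in triage_log(SAMPLE_LOG).items():
        print(f"[{serial}] {verdict}: {detail}")
        for rule in rules:
            print("    ", rule)
```

Run against the sample, event 1059 comes out as "root": the process had euid 0, and the denied dac_override / dac_read_search are exactly what the kernel consults when root opens something its DAC permissions do not cover, which is why the maintainer's reply treats it as a consequence of running the desktop as root rather than as a policy defect. Event 413 is different: the process ran as uid 1000, the PATH record shows the directory is also owned by uid 1000, so the denial of thumb_t writing into user_home_t is a genuine policy question. Note what the catchall suggestion does with it: `grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol` turns every matching denial in the whole log into rules, and the rule for 413 lets thumb_t, the domain that confines thumbnailers so that a hostile media file stays contained, write into the home directory. Read the suggested rules before `semodule -i`. Two practical points about the auditing step: the `auditctl -w /etc/shadow -p w` watch is there only because any audit rule switches on full syscall auditing, which is what makes PATH and CWD records appear; the rule persists until removed with `auditctl -W /etc/shadow -p w` (`auditctl -l` lists it), so the "Rule exists" error seen later in this report just means it is still loaded.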
Comment 1 Daniel Walsh 2013-05-09 10:10:03 EDT
Running nautilus and thumbnail drivers as root is not supported and is dangerous.

We cannot fix these AVCs, and they should be ignored if you intend to run nautilus or X as root.
Comment 2 Jamie 2013-05-27 14:09:16 EDT
I just added to this, and I don't know about the past, who reported it, or if I ever did before, but this time I was not logged in as root when I ran into the error. I had to log in as root only in the console to run the fix suggested by SEL (sudo is annoying, so I use su root until I am done and then close the console).
Comment 3 Jamie 2013-05-27 14:18:44 EDT
(In reply to Daniel Walsh from comment #1)
> Running nautilus and thumbnail drivers as root is not supported and is
> dangerous.
> 
> We can not fix these AVCs, and they should be ignored if you intend to run
> nautilus or X as root.

 Hi Dan,
 
I just submitted a new report for this totem-video-thumbnailer, which you closed because someone reported it and was root. I hope you can give it another look. I was not logged in as root or using nautilus. ;) SEL suggested I do the following, and I got the following output (please ignore the irrelevant parts).

[jamie@jfm ~]$ auditctl -w /etc/shadow -p w
bash: /usr/sbin/auditctl: Permission denied
[jamie@jfm ~]$ sudo auditctl -w /etc/shadow -p w
[sudo] password for jamie: 
[jamie@jfm ~]$ totem
totem                    totem-audio-preview      totem-video-thumbnailer
[jamie@jfm ~]$ totem-video-thumbnailer 

** (totem-video-thumbnailer:1871): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-Adl9fHHxK9: Permission denied
Usage:
  totem-video-thumbnailer [OPTION...] [INPUT FILE] [OUTPUT FILE] Thumbnail movies

Help Options:
  -h, --help                        Show help options
  --help-all                        Show all help options
  --help-gst                        Show GStreamer Options
  --help-gtk                        Show GTK+ Options

GStreamer Options
  --gst-version                     Print the GStreamer version
  --gst-fatal-warnings              Make all warnings fatal
  --gst-debug-help                  Print available debug categories and exit
  --gst-debug-level=LEVEL           Default debug level from 1 (only error) to 5 (anything) or 0 for no output
  --gst-debug=LIST                  Comma-separated list of category_name:level pairs to set specific levels for the individual categories. Example: GST_AUTOPLUG:5,GST_ELEMENT_*:3
  --gst-debug-no-color              Disable colored debugging output
  --gst-debug-disable               Disable debugging
  --gst-plugin-spew                 Enable verbose plugin loading diagnostics
  --gst-plugin-path=PATHS           Colon-separated paths containing plugins
  --gst-plugin-load=PLUGINS         Comma-separated list of plugins to preload in addition to the list stored in environment variable GST_PLUGIN_PATH
  --gst-disable-segtrap             Disable trapping of segmentation faults during plugin loading
  --gst-disable-registry-update     Disable updating the registry
  --gst-disable-registry-fork       Disable spawning a helper process while scanning the registry

GTK+ Options
  --class=CLASS                     Program class as used by the window manager
  --name=NAME                       Program name as used by the window manager
  --gdk-debug=FLAGS                 GDK debugging flags to set
  --gdk-no-debug=FLAGS              GDK debugging flags to unset
  --gtk-module=MODULES              Load additional GTK+ modules
  --gtk-g-fatal-warnings            Make all warnings fatal
  --gtk-debug=FLAGS                 GTK+ debugging flags to set
  --gtk-no-debug=FLAGS              GTK+ debugging flags to unset

Application Options:
  -j, --jpeg                        Output the thumbnail as a JPEG instead of PNG
  -s, --size                        Size of the thumbnail in pixels (with --gallery sets the size of individual screenshots)
  -r, --raw                         Output the raw picture of the video without scaling or adding borders
  -l, --no-limit                    Don't limit the thumbnailing time to 30 seconds
  -v, --verbose                     Output debug information
  -t, --time                        Choose this time (in seconds) as the thumbnail (can't be used with --gallery)
  --g-fatal-warnings                Make all warnings fatal
  -g, --gallery                     Output a gallery of the given number (0 is default) of screenshots (can't be used with --time)
  -p, --print-progress              Only print progress updates (can't be used with --verbose)
  --display=DISPLAY                 X display to use

[jamie@jfm ~]$ totem
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated.

(totem:1927): Grilo-WARNING **: [registry] grl-registry.c:330: Failed to initialize plugin: '/usr/lib/grilo-0.2/libgrlflickr.so'

(totem:1927): Grilo-WARNING **: [registry] grl-registry.c:330: Failed to initialize plugin: '/usr/lib/grilo-0.2/libgrltmdb.so'

(totem:1927): Grilo-WARNING **: [registry] grl-registry.c:787: Failed to open module: '/usr/lib/grilo-0.2/libgrlpodcasts.so'

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): GLib-GIO-CRITICAL **: g_file_get_path: assertion `G_IS_FILE (file)' failed

(totem:1927): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed

(totem:1927): GLib-CRITICAL **: g_variant_new_string: assertion `string != NULL' failed

(totem:1927): GLib-GIO-CRITICAL **: g_settings_schema_key_type_check: assertion `value != NULL' failed

(totem:1927): GLib-CRITICAL **: g_variant_get_type_string: assertion `value != NULL' failed

(totem:1927): GLib-GIO-CRITICAL **: g_settings_set_value: key 'screenshot-save-uri' in 'org.gnome.totem' expects type 's', but a GVariant of type '(null)' was given

** (totem-video-thumbnailer:1970): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-Adl9fHHxK9: Permission denied

** (totem-video-thumbnailer:1970): WARNING **: Could not take screenshot: failed to retrieve or convert video frame

(totem-video-thumbnailer:1970): GdkPixbuf-CRITICAL **: gdk_pixbuf_composite: assertion `GDK_IS_PIXBUF (src)' failed

(totem-video-thumbnailer:1970): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated.

(totem:1927): Gtk-WARNING **: GtkMenuBar 0xb600d178 is mapped but visible=1 child_visible=1 parent GtkApplicationWindow 0x9e1e020 mapped=0


[jamie@jfm ~]$ auditctl -w /etc/shadow -p w
bash: /usr/sbin/auditctl: Permission denied   


[jamie@jfm ~]$ su  [I had no choice here but to su]
Password: 
[root@jfm james]# [jamie@jfm ~]$ totem  (ya ya I am an idiot lol -)
bash: [jamie@jfm: command not found...
[root@jfm james]# Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated.
bash: Fontconfig: command not found...
[root@jfm james]# 
[root@jfm james]# (totem:1927): Grilo-WARNING **: [registry] grl-registry.c:330: Failed to initialize plugin: '/usr/lib/grilo-0.2/libgrlflickr.so'
bash: syntax error near unexpected token `:'
[root@jfm james]# 
[root@jfm james]# (totem:1927): Grilo-WARNING **: [registry] grl-registry.c:330: Failed to initialize plugin: '/usr/lib/grilo-0.2/libgrltmdb.so'
bash: syntax error near unexpected token `:'
[root@jfm james]# 
[root@jfm james]# (totem:1927): Grilo-WARNING **: [registry] grl-registry.c:787: Failed to open module: '/usr/lib/grilo-0.2/libgrlpodcasts.so'
bash: syntax error near unexpected token `:'
[root@jfm james]# ausearch -m avc -ts recent
----
time->Mon May 27 13:55:02 2013
type=PATH msg=audit(1369677302.077:413): item=0 name="/home/james/Pictures/screenshots/" inode=2884257 dev=fd:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=CWD msg=audit(1369677302.077:413):  cwd="/home/james"
type=SYSCALL msg=audit(1369677302.077:413): arch=40000003 syscall=5 success=no exit=-13 a0=989be40 a1=8241 a2=1b6 a3=9a8d470 items=1 ppid=1 pid=1970 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=pts0 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1369677302.077:413): avc:  denied  { write } for  pid=1970 comm="totem-video-thu" name="screenshots" dev="dm-2" ino=2884257 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
[root@jfm james]# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@jfm james]# semodule -i mypol.pp
Comment 4 Jamie 2013-05-27 19:17:57 EDT
It happened again, among a couple of other denials with the same totem-video-thumbnailer file. It was denied access to /dev/zero and one other file, which I submitted but don't remember now. At the top of this page it recommends auditctl and ausearch after the problem.


Logged in as root and did the following:
[root@jfm james]#  auditctl -w /etc/shadow -p w
Error sending add rule data request (Rule exists)   [is this ok?]

[root@jfm james]#  auditctl -w /etc/shadow -p w
Error sending add rule data request (Rule exists)

[root@jfm james]# ausearch -m avc -ts recent
<no matches>

[root@jfm james]# exit
Comment 5 Daniel Walsh 2013-05-28 13:07:50 EDT
If you can generate the AVC now, you should get the extended data? Please attach the avc info.
