Description of problem:
SELinux is preventing /usr/bin/totem-video-thumbnailer from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that totem-video-thumbnailer should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Objects                [ capability ]
Source                        totem-video-thu
Source Path                   /usr/bin/totem-video-thumbnailer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           evince-3.6.1-2.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-91.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.8-203.fc18.x86_64 #1 SMP Wed Apr 24 13:12:26 UTC 2013 x86_64 x86_64
Alert Count                   10
First Seen                    2013-04-26 20:00:51 EDT
Last Seen                     2013-04-26 20:01:51 EDT
Local ID                      a50b2141-55c0-483f-9842-9cd52fbe4284

Raw Audit Messages
type=AVC msg=audit(1367020911.45:1059): avc:  denied  { dac_override } for  pid=16364 comm="evince-thumbnai" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability

type=AVC msg=audit(1367020911.45:1059): avc:  denied  { dac_read_search } for  pid=16364 comm="evince-thumbnai" capability=2  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1367020911.45:1059): arch=x86_64 syscall=open success=no exit=EACCES a0=12b8bd0 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=0 ppid=16047 pid=16364 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts0 comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: totem-video-thu,thumb_t,thumb_t,capability,dac_override

audit2allow

#============= thumb_t ==============
allow thumb_t self:capability { dac_read_search dac_override };

audit2allow -R

require {
	type thumb_t;
	class capability { dac_read_search dac_override };
}

#============= thumb_t ==============
allow thumb_t self:capability { dac_read_search dac_override };

Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.11-200.fc18.x86_64
type:           libreport

Potential duplicate: bug 848455
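The dac_override plugin text above is really a small decision procedure: group the raw audit records by event, look for a PATH record, and only then decide between "fix the file's ownership/permissions" and "report a policy bug". The script below is an added example (not part of this report and not setroubleshoot's or audit2allow's own code) that runs that procedure in Python over the records quoted in this report, and additionally flags the case the SYSCALL record above shows (uid=0 euid=0), where the denied process was running as root. The verdict names, the rule text format (permissions sorted, braces always used) and the sample input are this example's own choices; the audit lines are copied from this bug, the second event being the one the reporter later captured with ausearch.

```python
"""Triage SELinux AVC denials the way the setroubleshoot dac_override plugin
advises: group audit records by event id, check for a PATH record, and notice
when the denied process had euid=0."""
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in this bug report and in the
# reporter's later `ausearch -m avc -ts recent` output, one record per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1367020911.45:1059): avc:  denied  { dac_override } for  pid=16364 comm="evince-thumbnai" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1367020911.45:1059): avc:  denied  { dac_read_search } for  pid=16364 comm="evince-thumbnai" capability=2  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1367020911.45:1059): arch=x86_64 syscall=open success=no exit=EACCES a0=12b8bd0 a1=0 a2=0 a3=aaaaaaaaaaaaaaab items=0 ppid=16047 pid=16364 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts0 comm=evince-thumbnai exe=/usr/bin/evince-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(1369677302.077:413): item=0 name="/home/james/Pictures/screenshots/" inode=2884257 dev=fd:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=CWD msg=audit(1369677302.077:413):  cwd="/home/james"
type=SYSCALL msg=audit(1369677302.077:413): arch=40000003 syscall=5 success=no exit=-13 a0=989be40 a1=8241 a2=1b6 a3=9a8d470 items=1 ppid=1 pid=1970 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=pts0 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1369677302.077:413): avc:  denied  { write } for  pid=1970 comm="totem-video-thu" name="screenshots" dev="dm-2" ino=2884257 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # audit(timestamp:serial)
PERMS_RE = re.compile(r'\{ ([^}]*) \}')               # the { perm perm } set in an AVC
DAC_CAPS = {'dac_override', 'dac_read_search'}

# Verdict names and wording are this example's own (hypothetical), following the plugin text.
VERDICTS = {
    'root-process': 'process ran with euid=0: unsupported setup, ignore the AVC rather than allow it',
    'need-path': 'capability denial without a PATH record: turn on full auditing, reproduce, re-run ausearch',
    'check-path': 'PATH record present: check ownership/permissions of the file before touching policy',
    'policy-gap': 'no DAC angle and no path: report as a policy bug',
}


def parse_record(line):
    """Turn one `type=... msg=audit(ts:serial): k=v ...` line into a dict."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    ts, serial = EVENT_RE.search(line).groups()
    fields['event'] = f'{ts}:{serial}'
    perms = PERMS_RE.search(line)
    fields['perms'] = perms.group(1).split() if perms else []
    return fields


def group_events(text):
    """Records sharing an audit(ts:serial) id describe one syscall; keep them together."""
    events = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec['event']].append(rec)
    return events


def selinux_type(context):
    """user:role:type:range -> type (the part policy rules are written against)."""
    return context.split(':')[2]


def allow_rules(avcs):
    """Merge AVCs into allow statements of the shape audit2allow prints (perms sorted, braces always)."""
    merged = {}
    for avc in avcs:
        src, tgt = selinux_type(avc['scontext']), selinux_type(avc['tcontext'])
        key = (src, 'self' if src == tgt else tgt, avc['tclass'])
        merged.setdefault(key, set()).update(avc['perms'])
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};' for (s, t, c), p in merged.items()]


def classify(records):
    """Apply the plugin's decision procedure to the records of one event."""
    avcs = [r for r in records if r['type'] == 'AVC']
    syscall = next((r for r in records if r['type'] == 'SYSCALL'), None)
    paths = [r for r in records if r['type'] == 'PATH']
    wants_dac = any(r['tclass'] == 'capability' and DAC_CAPS & set(r['perms']) for r in avcs)
    if wants_dac and syscall is not None and syscall.get('euid') == '0':
        return 'root-process'
    if wants_dac and not paths:
        return 'need-path'
    if paths:
        return 'check-path'
    return 'policy-gap'


def triage(text):
    """One summary dict per audit event, in the order the events appear."""
    report = []
    for event, records in group_events(text).items():
        avcs = [r for r in records if r['type'] == 'AVC']
        if not avcs:
            continue
        paths = [r for r in records if r['type'] == 'PATH']
        verdict = classify(records)
        report.append({
            'event': event,
            'comm': avcs[0]['comm'],
            'verdict': verdict,
            'advice': VERDICTS[verdict],
            'path': paths[0]['name'] if paths else None,
            'rules': allow_rules(avcs),   # what a blanket audit2allow would add
        })
    return report


if __name__ == '__main__':
    for item in triage(SAMPLE_AUDIT):
        print(item['event'], item['comm'], item['verdict'])
        print('   ', item['advice'])
        for rule in item['rules']:
            print('    blanket allow would be:', rule)
```

Run stand-alone it prints the two events: the first (dac_override, euid=0) is classified as a root-process denial that should not be turned into policy, the second (dir write to user_home_t, PATH record present) tells you which directory to look at first. The `rules` field shows what `audit2allow -M mypol` would have granted for the same lines, which is the comparison worth making before running `semodule -i`.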
Running nautilus and thumbnail drivers as root is not supported and is dangerous. We can not fix these AVCs, and they should be ignored if you intend to run nautilus or X as root.
I just added to this, and I don't know about the past, who reported, or if I ever did before, but this time I was not logged in as root when I ran into the error. I had to log in as root only in the console to run the fix suggested by SEL. (sudo is annoying so I use su root until I am done and then close the console).
(In reply to Daniel Walsh from comment #1)
> Running nautilus and thumbnail drivers as root is not supported and is
> dangerous.
>
> We can not fix these AVCs, and they should be ignored if you intend to run
> nautilus or X as root.

Hi Dan,

I just submitted a new report for this totem-video-thumbnailer which you closed because someone reported it and was root. I hope you can give it another look. I was not logged in as root or using nautilus. ;)

SEL suggested I do the following, and I got the following output (please ignore the irrelevant parts)

[jamie@jfm ~]$ auditctl -w /etc/shadow -p w
bash: /usr/sbin/auditctl: Permission denied
[jamie@jfm ~]$ sudo auditctl -w /etc/shadow -p w
[sudo] password for jamie:
[jamie@jfm ~]$ totem
totem                    totem-audio-preview      totem-video-thumbnailer
[jamie@jfm ~]$ totem-video-thumbnailer

** (totem-video-thumbnailer:1871): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-Adl9fHHxK9: Permission denied
Usage:
  totem-video-thumbnailer [OPTION...] [INPUT FILE] [OUTPUT FILE]

Thumbnail movies

Help Options:
  -h, --help                        Show help options
  --help-all                        Show all help options
  --help-gst                        Show GStreamer Options
  --help-gtk                        Show GTK+ Options

GStreamer Options
  --gst-version                     Print the GStreamer version
  --gst-fatal-warnings              Make all warnings fatal
  --gst-debug-help                  Print available debug categories and exit
  --gst-debug-level=LEVEL           Default debug level from 1 (only error) to 5 (anything) or 0 for no output
  --gst-debug=LIST                  Comma-separated list of category_name:level pairs to set specific levels for the individual categories. Example: GST_AUTOPLUG:5,GST_ELEMENT_*:3
  --gst-debug-no-color              Disable colored debugging output
  --gst-debug-disable               Disable debugging
  --gst-plugin-spew                 Enable verbose plugin loading diagnostics
  --gst-plugin-path=PATHS           Colon-separated paths containing plugins
  --gst-plugin-load=PLUGINS         Comma-separated list of plugins to preload in addition to the list stored in environment variable GST_PLUGIN_PATH
  --gst-disable-segtrap             Disable trapping of segmentation faults during plugin loading
  --gst-disable-registry-update     Disable updating the registry
  --gst-disable-registry-fork       Disable spawning a helper process while scanning the registry

GTK+ Options
  --class=CLASS                     Program class as used by the window manager
  --name=NAME                       Program name as used by the window manager
  --gdk-debug=FLAGS                 GDK debugging flags to set
  --gdk-no-debug=FLAGS              GDK debugging flags to unset
  --gtk-module=MODULES              Load additional GTK+ modules
  --gtk-g-fatal-warnings            Make all warnings fatal
  --gtk-debug=FLAGS                 GTK+ debugging flags to set
  --gtk-no-debug=FLAGS              GTK+ debugging flags to unset

Application Options:
  -j, --jpeg                        Output the thumbnail as a JPEG instead of PNG
  -s, --size                        Size of the thumbnail in pixels (with --gallery sets the size of individual screenshots)
  -r, --raw                         Output the raw picture of the video without scaling or adding borders
  -l, --no-limit                    Don't limit the thumbnailing time to 30 seconds
  -v, --verbose                     Output debug information
  -t, --time                        Choose this time (in seconds) as the thumbnail (can't be used with --gallery)
  --g-fatal-warnings                Make all warnings fatal
  -g, --gallery                     Output a gallery of the given number (0 is default) of screenshots (can't be used with --time)
  -p, --print-progress              Only print progress updates (can't be used with --verbose)
  --display=DISPLAY                 X display to use

[jamie@jfm ~]$ totem
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated.

(totem:1927): Grilo-WARNING **: [registry] grl-registry.c:330: Failed to initialize plugin: '/usr/lib/grilo-0.2/libgrlflickr.so'

(totem:1927): Grilo-WARNING **: [registry] grl-registry.c:330: Failed to initialize plugin: '/usr/lib/grilo-0.2/libgrltmdb.so'

(totem:1927): Grilo-WARNING **: [registry] grl-registry.c:787: Failed to open module: '/usr/lib/grilo-0.2/libgrlpodcasts.so'

(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files
(totem:1927): Gtk-WARNING **: Calling Inhibit failed: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SessionManager was not provided by any .service files

(totem:1927): GLib-GIO-CRITICAL **: g_file_get_path: assertion `G_IS_FILE (file)' failed

(totem:1927): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed

(totem:1927): GLib-CRITICAL **: g_variant_new_string: assertion `string != NULL' failed

(totem:1927): GLib-GIO-CRITICAL **: g_settings_schema_key_type_check: assertion `value != NULL' failed

(totem:1927): GLib-CRITICAL **: g_variant_get_type_string: assertion `value != NULL' failed

(totem:1927): GLib-GIO-CRITICAL **: g_settings_set_value: key 'screenshot-save-uri' in 'org.gnome.totem' expects type 's', but a GVariant of type '(null)' was given

** (totem-video-thumbnailer:1970): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-Adl9fHHxK9: Permission denied

** (totem-video-thumbnailer:1970): WARNING **: Could not take screenshot: failed to retrieve or convert video frame

(totem-video-thumbnailer:1970): GdkPixbuf-CRITICAL **: gdk_pixbuf_composite: assertion `GDK_IS_PIXBUF (src)' failed

(totem-video-thumbnailer:1970): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated.

(totem:1927): Gtk-WARNING **: GtkMenuBar 0xb600d178 is mapped but visible=1 child_visible=1 parent GtkApplicationWindow 0x9e1e020 mapped=0

[jamie@jfm ~]$ auditctl -w /etc/shadow -p w
bash: /usr/sbin/auditctl: Permission denied
[jamie@jfm ~]$ su     [I had no choice here but to su]
Password:
[root@jfm james]# [jamie@jfm ~]$ totem     (ya ya I am an idiot lol -)
bash: [jamie@jfm: command not found...
[root@jfm james]# Fontconfig warning: "/etc/fonts/conf.d/50-user.conf", line 9: reading configurations from ~/.fonts.conf is deprecated.
bash: Fontconfig: command not found...
[root@jfm james]#
[root@jfm james]# (totem:1927): Grilo-WARNING **: [registry] grl-registry.c:330: Failed to initialize plugin: '/usr/lib/grilo-0.2/libgrlflickr.so'
bash: syntax error near unexpected token `:'
[root@jfm james]#
[root@jfm james]# (totem:1927): Grilo-WARNING **: [registry] grl-registry.c:330: Failed to initialize plugin: '/usr/lib/grilo-0.2/libgrltmdb.so'
bash: syntax error near unexpected token `:'
[root@jfm james]#
[root@jfm james]# (totem:1927): Grilo-WARNING **: [registry] grl-registry.c:787: Failed to open module: '/usr/lib/grilo-0.2/libgrlpodcasts.so'
bash: syntax error near unexpected token `:'
[root@jfm james]# ausearch -m avc -ts recent
----
time->Mon May 27 13:55:02 2013
type=PATH msg=audit(1369677302.077:413): item=0 name="/home/james/Pictures/screenshots/" inode=2884257 dev=fd:02 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0
type=CWD msg=audit(1369677302.077:413):  cwd="/home/james"
type=SYSCALL msg=audit(1369677302.077:413): arch=40000003 syscall=5 success=no exit=-13 a0=989be40 a1=8241 a2=1b6 a3=9a8d470 items=1 ppid=1 pid=1970 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=pts0 comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer" subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1369677302.077:413): avc:  denied  { write } for  pid=1970 comm="totem-video-thu" name="screenshots" dev="dm-2" ino=2884257 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
[root@jfm james]# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

[root@jfm james]# semodule -i mypol.pp
Happened again, among a couple of other denials with the same totem-video-thumbnailer file. It was denied access to /dev/zero and one other file which I submitted, but don't remember now. At the top of this page it recommends auditctl and ausearch after the problem. Logged in as root and did the following:

[root@jfm james]# auditctl -w /etc/shadow -p w
Error sending add rule data request (Rule exists)     [is this ok?]
[root@jfm james]# auditctl -w /etc/shadow -p w
Error sending add rule data request (Rule exists)
[root@jfm james]# ausearch -m avc -ts recent
<no matches>
[root@jfm james]# exit
If you can generate the AVC now, you should get the extended data? Please attach the avc info.