Bug 972391 - SELinux is preventing /usr/bin/totem-video-thumbnailer from 'append' accesses on the unix_stream_socket unix_stream_socket.
SELinux is preventing /usr/bin/totem-video-thumbnailer from 'append' accesses...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy (Show other bugs)
7.0
x86_64 Linux
low Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Michal Trunecka
abrt_hash:a96a137b78ec68b8d09f158593e...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-09 02:19 EDT by Matěj Cepl
Modified: 2014-09-30 19:35 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-16 04:18:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2013-06-09 02:19:11 EDT
Description of problem:
SELinux is preventing /usr/bin/totem-video-thumbnailer from 'append' accesses on the unix_stream_socket unix_stream_socket.

*****  Plugin leaks (86.2 confidence) suggests  ******************************

If you want to ignore totem-video-thumbnailer trying to append access the unix_stream_socket unix_stream_socket, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do
# grep /usr/bin/totem-video-thumbnailer /var/log/audit/audit.log | audit2allow -D -M mypol
# semodule -i mypol.pp

*****  Plugin catchall (14.7 confidence) suggests  ***************************

If you believe that totem-video-thumbnailer should be allowed append access on the unix_stream_socket unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep totem-video-thu /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Objects                unix_stream_socket [ unix_stream_socket ]
Source                        totem-video-thu
Source Path                   /usr/bin/totem-video-thumbnailer
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           totem-3.8.0-3.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-48.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-0.rc4.59.el7.x86_64 #1 SMP
                              Mon Jun 3 14:40:03 EDT 2013 x86_64 x86_64
Alert Count                   8
First Seen                    2013-06-08 13:57:48 CEST
Last Seen                     2013-06-09 08:06:50 CEST
Local ID                      4060e79c-0938-41e6-a031-4bdae347eeb5

Raw Audit Messages
type=AVC msg=audit(1370758010.39:8261): avc:  denied  { append } for  pid=18799 comm="totem-video-thu" path="socket:[26612]" dev="sockfs" ino=26612 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=SYSCALL msg=audit(1370758010.39:8261): arch=x86_64 syscall=execve success=yes exit=0 a0=7f8f2c008d40 a1=7f8f2c0265c0 a2=7fffc35a3dd0 a3=7f8f380b6600 items=0 ppid=6330 pid=18799 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=1 tty=(none) comm=totem-video-thu exe=/usr/bin/totem-video-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null)

Hash: totem-video-thu,thumb_t,xdm_t,unix_stream_socket,append

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.10.0-0.rc4.59.el7.x86_64
type:           libreport
Comment 2 Miroslav Grepl 2013-06-12 05:10:06 EDT
Does everything work correctly?
Comment 3 Matěj Cepl 2013-06-12 05:28:17 EDT
(In reply to Miroslav Grepl from comment #2)
> Does everything work correctly?

I don't see any problems, but I am not sure what to look for.
Comment 4 Bastien Nocera 2013-06-12 05:40:57 EDT
What file is it trying to write? This is probably nautilus wrongly detecting something as a video file and letting the thumbnailer loose on it.
Comment 5 Bastien Nocera 2013-06-24 11:08:38 EDT
How do I reproduce this?
Comment 6 Matěj Cepl 2013-06-25 05:43:34 EDT
(In reply to Bastien Nocera from comment #5)
> How do I reproduce this?

Unfortunately, I have no clue. Sealert warning just jumps on me from time to time. Even from studying the SELinux message I cannot decipher what is the concerned file.

wycliff:x86_64# find /usr /var /home /tmp /etc /boot /root /srv -context '*xdm_t*' -print 2>/dev/null |tee /tmp/xdm_t-files.txt
/tmp/.X0-lock
/tmp/.ICE-unix
/tmp/.ICE-unix/4546
/tmp/.X11-unix
/tmp/.X11-unix/X0
wycliff:x86_64#
Comment 7 Bastien Nocera 2013-09-19 05:24:12 EDT
Reassigning to selinux-policy for root causing.

Even if the problem is with totem, nautilus or GStreamer, we cannot fix the bug unless we know how to cause it.

The SELinux warning should show the full command-line path used to launch the triggering application to help root causing.
Comment 8 Miroslav Grepl 2013-09-19 09:01:35 EDT
#============= thumb_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow thumb_t xdm_t:unix_stream_socket append;
Comment 9 Bastien Nocera 2013-09-19 09:34:25 EDT
Why are you adding a rule for this? In which circumstances would totem's video thumbnailer try to write to a socket in the xdm_t domain?
Comment 10 Miroslav Grepl 2013-09-25 16:26:27 EDT
We don't add the "allow" rule but we add the "dontaudit" rule. It means it won't be allowed and SELinux won't complain about it.
Comment 11 Bastien Nocera 2013-09-25 17:52:47 EDT
Could we try and fix it instead? Is there a way to know why totem-video-thumbnailer required those permissions?
Comment 13 Bastien Nocera 2013-10-15 01:34:58 EDT
Can I have an answer to comment 11?
Comment 14 Miroslav Grepl 2013-10-21 12:26:03 EDT
Not sure if I understand your question from  comment 11.
Comment 15 Bastien Nocera 2013-10-21 12:42:03 EDT
(In reply to Miroslav Grepl from comment #14)
> Not sure if I understand your question from  comment 11.

You added a dontaudit rule which just hides the symptoms of the problem, instead of fixing the problem. How do I reproduce the problem so that we can effectively fix it instead of working around it?
Comment 16 Miroslav Grepl 2013-10-25 03:46:17 EDT
I have no idea how to reproduce it.

# semodule -DB

will turn off dontaudit rules.
Comment 18 Bastien Nocera 2014-01-07 03:03:00 EST
How does one reproduce the problem? I don't see how this problem can be marked as verified when there's no reproducer for it.
Comment 19 Milos Malik 2014-04-15 09:23:30 EDT
Based on comment#0 it is a leaked file descriptor problem. The program which executed totem-video-thumbnailer leaked a fd. If the reporter does not know how to reproduce it I doubt we will find the cause.

I tried following scenarios and the AVC didn't appear even if dontaudit rules were removed from active policy:
 * totem-video-thumbnailer under unconfined_u user in GNOME environment
 * totem-video-thumbnailer under staff_u user in GNOME environment

Thumbnails were generated automatically and manual execution of  totem-video-thumbnailer inside ~/.cache directory also worked well.
Comment 21 Ludek Smid 2014-06-16 04:18:21 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.