Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2042696 - After latest selinux-policy update getting constant errors from tumblerd
Summary: After latest selinux-policy update getting constant errors from tumblerd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 2041085 2041932 2042108 2042666 2043844 2044422 2048076 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-01-19 23:45 UTC by Robert Moskowitz
Modified: 2022-02-10 18:45 UTC (History)
29 users (show)

Fixed In Version: selinux-policy-35.13-1.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-02-04 01:22:58 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1016 0 None Merged Allow tumblerd write to session_dbusd tmp socket files 2022-01-25 18:05:13 UTC

Internal Links: 2042373

Description Robert Moskowitz 2022-01-19 23:45:03 UTC
Description of problem:

System:  F35 with Xfce UI

Constant Selinuc policy errors triggered by tumblerd

Version-Release number of selected component (if applicable):

selinux-policy-targeted-35.10-1.fc35.noarch

How reproducible:

Applied latest update:

selinux-policy-targeted-35.8-1.fc35.noarch to selinux-policy-targeted-35.10-1.fc35.noarch




Additional info:

Details:

SELinux is preventing tumblerd from write access on the sock_file bus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tumblerd should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd
# semodule -X 300 -i my-tumblerd.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:session_dbusd_tmp_t:s0
Target Objects                bus [ sock_file ]
Source                        tumblerd
Source Path                   tumblerd
Port                          <Unknown>
Host                          lx140e.htt-consult.com
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-35.10-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.10-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lx140e.htt-consult.com
Platform                      Linux lx140e.htt-consult.com
                              5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 16:49:27
                              UTC 2022 x86_64 x86_64
Alert Count                   10
First Seen                    2022-01-19 18:30:28 EST
Last Seen                     2022-01-19 18:37:36 EST
Local ID                      efb2e4f1-0433-4b8f-9a60-37e76ac5d4af

Raw Audit Messages
type=AVC msg=audit(1642635456.954:3314): avc:  denied  { write } for  pid=104519 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0


Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write

Comment 1 Robert Moskowitz 2022-01-19 23:46:34 UTC
I just told the selinux browser to ignore this error as it keeps coming up.  Very annoying.

Comment 2 Zdenek Pytela 2022-01-20 16:16:31 UTC
Please update to selinux-policy-35.11-1.fc35

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1016

Comment 3 Zdenek Pytela 2022-01-20 16:21:58 UTC
*** Bug 2042666 has been marked as a duplicate of this bug. ***

Comment 4 Robert Moskowitz 2022-01-20 16:24:48 UTC
OK.  I just ran:

dnf update https://kojipkgs.fedoraproject.org//packages/selinux-policy/35.11/1.fc35/noarch/selinux-policy-35.11-1.fc35.noarch.rpm https://kojipkgs.fedoraproject.org//packages/selinux-policy/35.11/1.fc35/noarch/selinux-policy-targeted-35.11-1.fc35.noarch.rpm

which seems to have updated policy to 35.11-1.  I also updated policy-targeted, as they seem to go together.

Now how do I turn of the 'ignore' setting I had set so I can see if this really fixed the problem.

thanks

Comment 5 Robert Moskowitz 2022-01-20 16:54:51 UTC
I opened up SELinux Alert Browser and see I am still getting the errors:

SELinux is preventing tumblerd from write access on the sock_file bus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tumblerd should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd
# semodule -X 300 -i my-tumblerd.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:session_dbusd_tmp_t:s0
Target Objects                bus [ sock_file ]
Source                        tumblerd
Source Path                   tumblerd
Port                          <Unknown>
Host                          lx140e.htt-consult.com
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-35.11-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.11-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lx140e.htt-consult.com
Platform                      Linux lx140e.htt-consult.com
                              5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 16:49:27
                              UTC 2022 x86_64 x86_64
Alert Count                   155
First Seen                    2022-01-19 18:30:28 EST
Last Seen                     2022-01-20 11:50:21 EST
Local ID                      efb2e4f1-0433-4b8f-9a60-37e76ac5d4af

Raw Audit Messages
type=AVC msg=audit(1642697421.643:4939): avc:  denied  { write } for  pid=129496 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0


Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write

Comment 6 Zdenek Pytela 2022-01-20 17:38:09 UTC
This particular problem has not been addressed, there is just a PR for it.

Comment 7 Zdenek Pytela 2022-01-25 16:59:32 UTC
*** Bug 2042108 has been marked as a duplicate of this bug. ***

Comment 8 ezwinglet 2022-01-25 23:35:45 UTC
Similar problem has been detected:

When viewing image files (JPG, PNG, etc.) in Fedora 35 using the Eye of MATE Image Viewer, this SELinux alert pops up randomly.  This began a couple of weeks ago whwen some SELinux updates came down from the @fedora repositories.  Some further updates came down the next day or the day after, also to SELinux, but did not resolve this particular alert.    Sometimes this occurs when browsing through photos in the viewer, sometimes it occurs when a photo is opened and closed rapidly, the behavior appears random and does not necessarily correlate to any sort of file system action such as a deletion, rename, movement, etc.

hashmarkername: setroubleshoot
kernel:         5.15.14-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing gdk-pixbuf-thum from 'write' accesses on the sock_file bus.
type:           libreport

Comment 9 Zdenek Pytela 2022-01-26 14:10:38 UTC
*** Bug 2044422 has been marked as a duplicate of this bug. ***

Comment 10 Zdenek Pytela 2022-01-26 15:46:44 UTC
*** Bug 2041932 has been marked as a duplicate of this bug. ***

Comment 11 Zdenek Pytela 2022-01-26 15:49:34 UTC
*** Bug 2041085 has been marked as a duplicate of this bug. ***

Comment 12 James Caldwell 2022-01-27 02:36:46 UTC
Similar problem has been detected:

When I enter my ~/Pictures folder. I've run the following in my home folder and it does not correct the issue.

restorecon -R -v ~

Using Fedora 35 with LXDE and PCManFM file manager  aka Lightweight file manager
using LibFM ver. 1.3.2

hashmarkername: setroubleshoot
kernel:         5.15.16-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing evince-thumbnai from 'write' accesses on the sock_file bus.
type:           libreport

Comment 13 atstjx 2022-01-30 04:05:25 UTC
Similar problem has been detected:

I opened a pdf file from within nemo file explorer. Unsure if there is any connection, but it was coincident.

hashmarkername: setroubleshoot
kernel:         5.15.16-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing gdk-pixbuf-thum from 'write' accesses on the sock_file bus.
type:           libreport

Comment 14 Ian McInerney 2022-01-30 17:33:00 UTC
@zpytela I see that there is a build of the 35.12 policy for Rawhide, but there isn't one for F35 yet. Can you also build & submit it for F35 so that this error is fixed there?

Comment 15 Zdenek Pytela 2022-01-31 10:34:19 UTC
(In reply to Ian McInerney from comment #14)
> @zpytela I see that there is a build of the 35.12 policy for
> Rawhide, but there isn't one for F35 yet. Can you also build & submit it for
> F35 so that this error is fixed there?

There will be a new build soon.

Comment 16 Zdenek Pytela 2022-01-31 11:52:19 UTC
*** Bug 2048076 has been marked as a duplicate of this bug. ***

Comment 17 thedatum+bz 2022-02-02 00:20:08 UTC
Similar problem has been detected:

Problem occurs while browsing through files and folders in Caja file manager.

hashmarkername: setroubleshoot
kernel:         5.15.18-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing atril-thumbnail from 'write' accesses on the sock_file bus.
type:           libreport

Comment 18 Fedora Update System 2022-02-02 12:11:04 UTC
FEDORA-2022-20f36a8b0e has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e

Comment 19 Fedora Update System 2022-02-03 01:35:20 UTC
FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-20f36a8b0e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 20 Fedora Update System 2022-02-04 01:22:58 UTC
FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 21 Nicolas Sapa 2022-02-04 22:36:35 UTC
Similar problem has been detected:

Opening a folder with PNG image with Caja

hashmarkername: setroubleshoot
kernel:         5.15.16-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing gdk-pixbuf-thum from 'write' accesses on the sock_file bus.
type:           libreport

Comment 22 Zdenek Pytela 2022-02-08 18:04:12 UTC
*** Bug 2043844 has been marked as a duplicate of this bug. ***

Comment 23 Miguel Bolivar 2022-02-10 18:45:41 UTC
Similar problem has been detected:

i just try to rotate an image in pictures folder that was from a print screen

hashmarkername: setroubleshoot
kernel:         5.15.17-200.fc35.x86_64
package:        selinux-policy-targeted-35.11-1.fc35.noarch
reason:         SELinux is preventing gdk-pixbuf-thum from 'write' accesses on the sock_file bus.
type:           libreport


Note You need to log in before you can comment on or make changes to this bug.