Looks like selinux type thumb_t is still denied access to sock_file bus. I have the error for gdk-pixbuf-thum and similarly for the evince-thumbnai (shown in full):
SELinux is preventing gdk-pixbuf-thum from write access on the sock_file bus.
If you believe that evince-thumbnai should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'evince-thumbnai' --raw | audit2allow -M my-evincethumbnai
# semodule -X 300 -i my-evincethumbnai.pp
SELinux Policy RPM selinux-policy-targeted-34.23-1.fc34.noarch
Local Policy RPM selinux-policy-targeted-34.23-1.fc34.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name <redacted>
Platform Linux <redacted> 5.15.16-100.fc34.x86_64 #1 SMP
Thu Jan 20 16:34:27 UTC 2022 x86_64 x86_64
Alert Count 376
First Seen 2022-01-25 00:29:53 CET
Last Seen 2022-01-25 00:39:57 CET
Local ID b7d2af66-0438-495a-a43c-e6c0f046f864
Raw Audit Messages
type=AVC msg=audit(1643067597.34:684): avc: denied { write } for pid=11281 comm="evince-thumbnai" name="bus" dev="tmpfs" ino=37 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
This update has been submitted for testing by zpytela.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
This update has been pushed to testing.
Looks like selinux type thumb_t is still denied access to sock_file bus. I have the error for gdk-pixbuf-thum and similarly for the evince-thumbnai (shown in full):
SELinux is preventing gdk-pixbuf-thum from write access on the sock_file bus.
type=AVC msg=audit(1642217383.944:3610): avc: denied { write } for pid=45515 comm="gdk-pixbuf-thum" name="bus" dev="tmpfs" ino=48 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
=================================
SELinux is preventing evince-thumbnai from write access on the sock_file bus.
* Plugin catchall (100. confidence) suggests ******
If you believe that evince-thumbnai should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'evince-thumbnai' --raw | audit2allow -M my-evincethumbnai
# semodule -X 300 -i my-evincethumbnai.pp
Additional Information:
Source Context unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context unconfined_u:object_r:session_dbusd_tmp_t:s0
Target Objects bus [ sock_file ]
Source evince-thumbnai
Source Path evince-thumbnai
Port <Unknown>
Host <redacted>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-34.23-1.fc34.noarch
Local Policy RPM selinux-policy-targeted-34.23-1.fc34.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name <redacted>
Platform Linux <redacted> 5.15.16-100.fc34.x86_64 #1 SMP
Thu Jan 20 16:34:27 UTC 2022 x86_64 x86_64
Alert Count 376
First Seen 2022-01-25 00:29:53 CET
Last Seen 2022-01-25 00:39:57 CET
Local ID b7d2af66-0438-495a-a43c-e6c0f046f864
Raw Audit Messages
type=AVC msg=audit(1643067597.34:684): avc: denied { write } for pid=11281 comm="evince-thumbnai" name="bus" dev="tmpfs" ino=37 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
Hash: evince-thumbnai,thumb_t,session_dbusd_tmp_t,sock_file,write
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
@jonathans, this is still the previous build, the denial you are reporting should be addressed by the next one once this gets to stable
@zpytela
OK, thanks.
This update's test gating status has been changed to 'failed'.
This update's test gating status has been changed to 'passed'.
This update has been obsoleted by selinux-policy-34.25-1.fc34.