subject:"puzzling SELinux alert."

Re: puzzling SELinux alert. [SOLVED]

2021-05-13 Thread Tim via users

On Wed, 2021-05-12 at 12:55 -0600, home user wrote:
> That's as much of an answer as I can give.
> This all applies to both the SELinux problems and what was addressed
> in my "System Failure?" thread.

DNF has a history command, which shows what was installed at various
stages.  If you type "dnf history", you get a table of events.  Then
you can use "dnf info" followed by the entry number you're interested
in, you'll see what packages were installed/updated that time. 

-- 

uname -rsvp
Linux 3.10.0-1160.25.1.el7.x86_64 #1 SMP Wed Apr 28 21:49:45 UTC 2021 x86_64

Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert. [SOLVED]

2021-05-12 Thread home user


On 5/11/21 2:05 PM, Eddie O'Connor wrote:
I'm wondering?the ugrade/patches fixed it?would it have been 
fixed "sooner" if you had run the dnf upgrade sooner? or was it the 
"latest" upgrade/patch that did it?...


On Tue, May 11, 2021, 12:35 PM home user > wrote:


The SELinux alerts stopped on Thursday April 29.  That would have been
when I did weekly patches ("dnf upgrade"). I also did weekly patches on
Thursday, May 06. Since the alerts did not start showing up again, I'm
now confident they're really fixed.

I've added a comment to
"https://bugzilla.redhat.com/show_bug.cgi?id=1951668
" saying what I
said
in the preceding paragraph of this post.

I don't know what in the patches fixed things, but this workstation is
fixed.

I thank everyone who tried help.  I've marked this thread SOLVED.

Bill.


1. before April 08, f32: no SELinux alerts.
2. April 08: upgrade from f32 to f33 (dnf system-upgrade [etc]).
3. April 08, f33: patch (dnf upgrade); dnf reported "nothing to do".
4. f33: SELinux alerts occurring.
5. April 15, f33: patch (dnf upgrade).
6. f33: SELinux alerts continue.
7. April 22, f33: patch (dnf upgrade).
8. SELinux alerts continue.
9. April 29, f33: patch (dnf upgrade).
10. f33: no more SELinux alerts.
11. May 06, f33: patch (dnf upgrade).
12. f33: Still no more SELinux alerts.
Reasonable, probable, but not certain conclusions:
a. The April 08 upgrade (step 2 above) introduced the problems.
b. Whatever fixed the problems in f33 was released sometime between 
April 22 and April 29.

c. Something in my April 29 f33 patching (step 9 above) fixed the problems.
That's as much of an answer as I can give.
This all applies to both the SELinux problems and what was addressed in 
my "System Failure?" thread.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert. [SOLVED]

2021-05-11 Thread Eddie O'Connor

I'm wondering?the ugrade/patches fixed it?would it have been fixed
"sooner" if you had run the dnf upgrade sooner? or was it the "latest"
upgrade/patch that did it?...

On Tue, May 11, 2021, 12:35 PM home user  wrote:

> The SELinux alerts stopped on Thursday April 29.  That would have been
> when I did weekly patches ("dnf upgrade"). I also did weekly patches on
> Thursday, May 06. Since the alerts did not start showing up again, I'm
> now confident they're really fixed.
>
> I've added a comment to
> "https://bugzilla.redhat.com/show_bug.cgi?id=1951668"; saying what I said
> in the preceding paragraph of this post.
>
> I don't know what in the patches fixed things, but this workstation is
> fixed.
>
> I thank everyone who tried help.  I've marked this thread SOLVED.
>
> Bill.
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert. [SOLVED]

2021-05-11 Thread home user

The SELinux alerts stopped on Thursday April 29.  That would have been 
when I did weekly patches ("dnf upgrade"). I also did weekly patches on 
Thursday, May 06. Since the alerts did not start showing up again, I'm 
now confident they're really fixed.


I've added a comment to 
"https://bugzilla.redhat.com/show_bug.cgi?id=1951668"; saying what I said 
in the preceding paragraph of this post.


I don't know what in the patches fixed things, but this workstation is 
fixed.


I thank everyone who tried help.  I've marked this thread SOLVED.

Bill.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-20 Thread home user

This morning, I was able to get SELinux alerts when running 
totem-video-thumbnailer.  I submitted a bug.  Here's the link:

"https://bugzilla.redhat.com/show_bug.cgi?id=1951668";.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-16 Thread home user


On 4/16/21 8:51 PM, Tim via users wrote:

On Fri, 2021-04-16 at 11:27 -0500, Roger Heflin wrote:

given a video file and an png file to output it fails on my system
also (and that is with selinux as permissive and as root, so it seems
to have many issues and is simply broken in most if not all use
cases), and I don't know that I have seen a video thumbnail in a
while in gthumb and similar tools.


The file browsers on Gnome/MATE haven't been able to create thumbnails
for video files on my computers in many years.  Nothing that I tried
made it work again, and I gave up long ago.

It was a handy feature being able to see some image inside of a
stupidly named video file, to work out which was which.


My experience is that sometimes I do get images from the video, and 
sometimes I just get a right-pointing arrow centered in an old-fashioned 
CRT TV screen.  I haven't been able to discern a pattern as to when I 
get which.  I do notice that the odds of getting pictures is better when 
the display is in grid mode rather than list mode.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-16 Thread Tim via users

On Fri, 2021-04-16 at 11:27 -0500, Roger Heflin wrote:
> given a video file and an png file to output it fails on my system
> also (and that is with selinux as permissive and as root, so it seems
> to have many issues and is simply broken in most if not all use
> cases), and I don't know that I have seen a video thumbnail in a
> while in gthumb and similar tools.

The file browsers on Gnome/MATE haven't been able to create thumbnails
for video files on my computers in many years.  Nothing that I tried
made it work again, and I gave up long ago.

It was a handy feature being able to see some image inside of a
stupidly named video file, to work out which was which.

-- 

uname -rsvp
Linux 3.10.0-1160.21.1.el7.x86_64 #1 SMP Tue Mar 16 18:28:22 UTC 2021 x86_64

Boilerplate:  All unexpected mail to my mailbox is automatically deleted.
I will only get to see the messages that are posted to the mailing list.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-16 Thread home user

On 4/16/21 10:27 AM, Roger Heflin wrote:

That matches what Ed had called out that it was a GL* command.

I guess that also tells you why you did not notice the failing..

given a video file and an png file to output it fails on my system
also (and that is with selinux as permissive and as root, so it seems
to have many issues and is simply broken in most if not all use
cases), and I don't know that I have seen a video thumbnail in a while
in gthumb and similar tools.

And that tool seems to be very complicated for just creating a
thumbnail as it connects to X and pulseaudio and GLX, I am guessing
someone took a gui app and made it work to generate one.  I sure
whoever decided to use this tool only knew about the this way to
generate a thumbnail.   And the saying goes if the only tool you have
is a hammer then everything looks like a nail.

For creating a thumbnail ffmpeg and/or mplayer would seem better, but
maybe that is not default on the systems.  I might see if I can create
a script that would get used in gthumb as this tells me why I get no
thumbnails.

What I think you're saying, and my impression even apart from your post, 
is that we can't realistically solve this SELinux alert problem.  This 
problem really has had me baffled.  The SELinux alerts seem to be false 
alarms; caja does what I want to do, and I can do those things other 
ways also.  So I'm inclined to go with what Ed said Tuesday:

> But if you're not having any problems it would be something
> that I'd ignore.

For what it's worth:
* I saw no SELinux alerts when trying totem-video-thumbnailer in the 
command line.  I forgot to mention this in this morning's post.
* I found this morning that SELinux alerts can show up when doing file 
renaming after having run Files in the same login session.  So Files 
does not stop further caja SELinux alerts.

* I patched my workstation (dnf upgrade) yesterday.

On Fri, Apr 16, 2021 at 10:27 AM home user  wrote:

On 4/16/21 5:41 AM, Roger Heflin wrote:

It seems to be running /usr/bin/totem-video-thumbnailer" so would be
something attempting to create a thumbnail for the file if it is a
video.

It has an extension of .mkv so it thinks it is a video file or is it
something else?

It is a video file.

the command was:
/usr/bin/totem-video-thumbnailer -s 128 file:///home/bill/KhongWe"...,
"/tmp/.mate_desktop_thumbnail.19V"

It truncated the filenames, but you could test run the command and see
what it does from the command line.  The first filename is the input
file, the 2nd one is the output of the thumbnail.

bash.2[~]: totem-video-thumbnailer KhongWeeHo_20160327.mkv
KhongWeeHo_20160327.png
X Error of failed request:  BadValue (integer parameter out of range for
operation)
Major opcode of failed request:  151 (GLX)
Minor opcode of failed request:  3 (X_GLXCreateContext)
Value in failed request:  0x0
Serial number of failed request:  63
Current serial number in output stream:  64
bash.3[~]:

I also tried an mp4 video file that I have.  Same result.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-16 Thread Roger Heflin

That matches what Ed had called out that it was a GL* command.

I guess that also tells you why you did not notice the failing..

given a video file and an png file to output it fails on my system
also (and that is with selinux as permissive and as root, so it seems
to have many issues and is simply broken in most if not all use
cases), and I don't know that I have seen a video thumbnail in a while
in gthumb and similar tools.

And that tool seems to be very complicated for just creating a
thumbnail as it connects to X and pulseaudio and GLX, I am guessing
someone took a gui app and made it work to generate one.  I sure
whoever decided to use this tool only knew about the this way to
generate a thumbnail.   And the saying goes if the only tool you have
is a hammer then everything looks like a nail.

For creating a thumbnail ffmpeg and/or mplayer would seem better, but
maybe that is not default on the systems.  I might see if I can create
a script that would get used in gthumb as this tells me why I get no
thumbnails.

On Fri, Apr 16, 2021 at 10:27 AM home user  wrote:
>
> On 4/16/21 5:41 AM, Roger Heflin wrote:
> > It seems to be running /usr/bin/totem-video-thumbnailer" so would be
> > something attempting to create a thumbnail for the file if it is a
> > video.
> >
> > It has an extension of .mkv so it thinks it is a video file or is it
> > something else?
>
> It is a video file.
>
> > the command was:
> > /usr/bin/totem-video-thumbnailer -s 128 file:///home/bill/KhongWe"...,
> > "/tmp/.mate_desktop_thumbnail.19V"
> >
> > It truncated the filenames, but you could test run the command and see
> > what it does from the command line.  The first filename is the input
> > file, the 2nd one is the output of the thumbnail.
>
> bash.2[~]: totem-video-thumbnailer KhongWeeHo_20160327.mkv
> KhongWeeHo_20160327.png
> X Error of failed request:  BadValue (integer parameter out of range for
> operation)
>Major opcode of failed request:  151 (GLX)
>Minor opcode of failed request:  3 (X_GLXCreateContext)
>Value in failed request:  0x0
>Serial number of failed request:  63
>Current serial number in output stream:  64
> bash.3[~]:
>
> I also tried an mp4 video file that I have.  Same result.
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-16 Thread home user


On 4/16/21 5:41 AM, Roger Heflin wrote:

It seems to be running /usr/bin/totem-video-thumbnailer" so would be
something attempting to create a thumbnail for the file if it is a
video.

It has an extension of .mkv so it thinks it is a video file or is it
something else?


It is a video file.


the command was:
/usr/bin/totem-video-thumbnailer -s 128 file:///home/bill/KhongWe"...,
"/tmp/.mate_desktop_thumbnail.19V"

It truncated the filenames, but you could test run the command and see
what it does from the command line.  The first filename is the input
file, the 2nd one is the output of the thumbnail.


bash.2[~]: totem-video-thumbnailer KhongWeeHo_20160327.mkv 
KhongWeeHo_20160327.png
X Error of failed request:  BadValue (integer parameter out of range for 
operation)

  Major opcode of failed request:  151 (GLX)
  Minor opcode of failed request:  3 (X_GLXCreateContext)
  Value in failed request:  0x0
  Serial number of failed request:  63
  Current serial number in output stream:  64
bash.3[~]:

I also tried an mp4 video file that I have.  Same result.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-16 Thread Roger Heflin

It seems to be running /usr/bin/totem-video-thumbnailer" so would be
something attempting to create a thumbnail for the file if it is a
video.

It has an extension of .mkv so it thinks it is a video file or is it
something else?

the command was:
/usr/bin/totem-video-thumbnailer -s 128 file:///home/bill/KhongWe"...,
"/tmp/.mate_desktop_thumbnail.19V"

It truncated the filenames, but you could test run the command and see
what it does from the command line.  The first filename is the input
file, the 2nd one is the output of the thumbnail.


On Thu, Apr 15, 2021 at 9:31 PM home user  wrote:
>
> On 4/15/21 8:27 PM, home user wrote:
>
> > The grep for the process ID "2636" found lines.
>
> Correction:
>
> The grep for the process ID "2636" found 34361 lines.
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-15 Thread home user


On 4/15/21 8:27 PM, home user wrote:


The grep for the process ID "2636" found lines.


Correction:

The grep for the process ID "2636" found 34361 lines.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-15 Thread home user


On 4/15/21 3:57 PM, Roger Heflin wrote:
(also responding to Samuel)


Google drive probably.  The first few lines should tell you what
process it was starting.

I really usually only look at filesystem type calls as those are
usually the most valuable for something like this.  open, unlink
(remove), stat (get info like ls shows), and say rename or renameat.

A lot of stats always fail as it is used to see if various things
exist here or there.

Basic it loads an executable, lots of setup of that executable then
toward the end is the real work the program does.

On a mv strace I get 117 lines with the executable and options at the
top, a bunch of loading of libs and stuff for executable then 10 lines
from the bottom is the actual rename, and the exit of the program.


bash.32[~]: grep 2636 caja.out > grep2636.txt
bash.33[~]: grep open caja.out > grepopen.txt
bash.34[~]: grep stat caja.out > grepstat.txt
bash.35[~]:
bash.35[~]: grep exec caja.out
2619  execve("/usr/bin/caja", ["/usr/bin/caja"], 0x7fff14191888 /* 69 
vars */) = 0

2622  read(27, "2619  execve(\"/usr/bin/caja\", [\""..., 4096) = 4096
2636  execve("/usr/bin/totem-video-thumbnailer", 
["/usr/bin/totem-video-thumbnailer", "-s", "128", 
"file:///home/bill/KhongWe"..., "/tmp/.mate_desktop_thumbnail.19V"...], 
0x7ffdd556b338 /* 69 vars */ 

2636  <... execve resumed>) = 0
2652  openat(AT_FDCWD, "/sys/fs/selinux/booleans/allow_execmem", 
O_RDONLY) = -1 ENOENT (No such file or directory)
2652  openat(AT_FDCWD, "/sys/fs/selinux/booleans/allow_execmem", 
O_RDONLY) = -1 ENOENT (No such file or directory)
2652  openat(AT_FDCWD, "/sys/fs/selinux/booleans/deny_execmem", 
O_RDONLY) = 31

bash.36[~]:
bash.36[~]: grep unlink caja.out
2643  unlink("")= -1 ENOENT (No such file or 
directory)

2635  unlink("/tmp/.mate_desktop_thumbnail.19VW10") = 0
2635 
unlink("/home/bill/.cache/thumbnails/fail/mate-thumbnail-factory/c39b432d203676f5e93a91a2d0d076d4.png.NVLR10") 
= -1 ENOENT (No such file or directory)

bash.37[~]:
bash.37[~]: grep remove caja.out
2636  stat("/usr/lib64/gstreamer-1.0/libgstremovesilence.so", 
{st_mode=S_IFREG|0755, st_size=28392, ...}) = 0

bash.38[~]:
bash.38[~]: grep rename caja.out
2635  rename("/home/bill/KhongWeeHo.mkv", 
"/home/bill/KhongWeeHo_20160327.mkv" 

2635  <... rename resumed>) = 0
2635 
rename("/home/bill/.cache/thumbnails/fail/mate-thumbnail-factory/c39b432d203676f5e93a91a2d0d076d4.png.NVLR10", 
"/home/bill/.cache/thumbnails/fail/mate-thumbnail-factory/c39b432d203676f5e93a91a2d0d076d4.png") 
= 0

bash.39[~]:

The grep for the process ID "2636" found lines.
The grep for "open" found 4665 lines.
The grep for "stat" found 7449 lines.

The file caja.out is 148910 lines long.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-15 Thread Samuel Sieb


On 4/15/21 9:48 AM, home user wrote:

Based on time stamps, I found that the process ID for Test B was 2636.
I did:
bash.17[~]: grep 2636 caja.out > grep2636.out
The resulting file is over 34000 lines long.  How can I pare this down? 
  What should I put on the google drive for y'all to view?


The first few lines should be a bit of setup and an "exec" call.  The 
"exec" should show what program was being called.  Any further steps 
will depend on what that shows.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-15 Thread Roger Heflin

Google drive probably.  The first few lines should tell you what
process it was starting.

I really usually only look at filesystem type calls as those are
usually the most valuable for something like this.  open, unlink
(remove), stat (get info like ls shows), and say rename or renameat.

A lot of stats always fail as it is used to see if various things
exist here or there.

Basic it loads an executable, lots of setup of that executable then
toward the end is the real work the program does.

On a mv strace I get 117 lines with the executable and options at the
top, a bunch of loading of libs and stuff for executable then 10 lines
from the bottom is the actual rename, and the exit of the program.

On Thu, Apr 15, 2021 at 11:49 AM home user  wrote:
>
> (responding to multiple posts)
>
> As Ed requested, this morning I signed in to "GNOME on Xorg" first.  My
> tests were as follows.
>
> Test A.
> 1. Using the command line in a terminal, I downloaded a Chinese music
> video.  The resulting file has a name made of traditional (Taiwan)
> Chinese characters.
> 2. I launched caja.
> A SELinux alert pops up.
> 3. I used caja to rename the file to something with all ASCII characters.
> A Selinux alert pops up.
> Steps 2 and 3 were done a few times.  For step 2, the SELinux alert
> occurs the first time only.
> For step 3, the SELinux alert occurs every time.
>
> Then Test B.
> 1. I did "strace -o caja.out -f /usr/bin/caja".
> 2. I used caja to rename a file to something with all ASCII characters.
> A Selinux alert pops up.
> 3. I closed caja by clicking the little x in the upper right corner of
> the GUI.
>
> Then Test C.
> 1. I launched Files.
> 2. I used Files to rename a file to something with all ASCII characters.
> 3. I closed Files by clicking the little x in the upper right corner of
> the GUI.
> No SELinux alerts.
>
> Then Test D.
> 1. I launched caja.
> 2. I used caja to rename a file to something with all ASCII characters.
> 3. I closed caja by clicking the little x in the upper right corner of
> the GUI.
> No SELinux alerts.
>
> Files seems to do something that prevents any further SELinux alerts
> from caja for the rest of the day.
>
> I did:
> bash.2[~]: su -
> Password:
> -bash.1[~]: ausearch -c gstglcontext -ts today > ausearch_Thurs.txt
> -bash.2[~]: vi ausearch_Thurs.txt
> Based on time stamps, I found that the process ID for Test B was 2636.
> I did:
> bash.17[~]: grep 2636 caja.out > grep2636.out
> The resulting file is over 34000 lines long.  How can I pare this down?
>   What should I put on the google drive for y'all to view?
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-15 Thread home user


(responding to multiple posts)

As Ed requested, this morning I signed in to "GNOME on Xorg" first.  My 
tests were as follows.


Test A.
1. Using the command line in a terminal, I downloaded a Chinese music 
video.  The resulting file has a name made of traditional (Taiwan) 
Chinese characters.

2. I launched caja.
A SELinux alert pops up.
3. I used caja to rename the file to something with all ASCII characters.
A Selinux alert pops up.
Steps 2 and 3 were done a few times.  For step 2, the SELinux alert 
occurs the first time only.

For step 3, the SELinux alert occurs every time.

Then Test B.
1. I did "strace -o caja.out -f /usr/bin/caja".
2. I used caja to rename a file to something with all ASCII characters.
A Selinux alert pops up.
3. I closed caja by clicking the little x in the upper right corner of 
the GUI.


Then Test C.
1. I launched Files.
2. I used Files to rename a file to something with all ASCII characters.
3. I closed Files by clicking the little x in the upper right corner of 
the GUI.

No SELinux alerts.

Then Test D.
1. I launched caja.
2. I used caja to rename a file to something with all ASCII characters.
3. I closed caja by clicking the little x in the upper right corner of 
the GUI.

No SELinux alerts.

Files seems to do something that prevents any further SELinux alerts 
from caja for the rest of the day.


I did:
bash.2[~]: su -
Password:
-bash.1[~]: ausearch -c gstglcontext -ts today > ausearch_Thurs.txt
-bash.2[~]: vi ausearch_Thurs.txt
Based on time stamps, I found that the process ID for Test B was 2636.
I did:
bash.17[~]: grep 2636 caja.out > grep2636.out
The resulting file is over 34000 lines long.  How can I pare this down? 
 What should I put on the google drive for y'all to view?

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-15 Thread home user


On 4/14/21 4:43 PM, Ed Greshko wrote:

On 15/04/2021 05:57, home user wrote:



The desktop menu at login has 4 GNOME entries:
GNOME
GNOME
GNOME Classic
GNOME on Xorg
I usually use the first GNOME.
Side question: What's the difference between the first two entries?


So, tomorrow, start by using "GNOME on Xorg"

As far as determining if you're in a wayland or Xorg environment.

Wayland
[egreshko@f33g ~]$ env | grep -i wayland
XDG_SESSION_TYPE=wayland
XAUTHORITY=/run/user/1000/.mutter-Xwaylandauth.3OTU10
WAYLAND_DISPLAY=wayland-0
[egreshko@f33g ~]$

Xorg
[egreshko@f33g ~]$ env | grep -i wayland
[egreshko@f33g ~]$


Done as requested.

Regardless of whether I log in using the first, third, or fourth GNOME 
choice, I get:

bash.1[~]: env | grep -i wayland
bash.2[~]:
I did not try GNOME Classic.


Also

Wayland
earlyoom 572   1  0 06:41 ?    00:00:00 /usr/bin/earlyoom -r 
0 -m 4 -M 409600 --prefer ^Web Content$ --avoid 
^(dnf|packagekitd|gnome-shell|gnome-session-c|gnome-session-b|lightdm|sddm|sddm-helper|gdm|gdm-wayland-ses|gdm-session-wor|gdm-x-session|Xorg|Xwayland|systemd|systemd-logind|dbus-daemon|dbus-broker|cinnamon|cinnamon-sessio|kwin_x11|kwin_wayland|plasmashell|ksmserver|plasma_session|startplasma-way|xfce4-session|mate-session|marco|lxqt-session|openbox)$ 

egreshko    1299    1253  0 06:42 tty2 00:00:00 
/usr/libexec/gdm-wayland-session /usr/bin/gnome-session
egreshko    1432    1375  0 06:42 ?    00:00:00 /usr/bin/Xwayland :0 
-rootless -noreset -accessx -core -auth 
/run/user/1000/.mutter-Xwaylandauth.X2CY10 -listen 4 -listen 5 
-displayfd 6 -listen 7


Xorg
Ony the line for earlyoom.


What command did you use for the above?  It looks like "ps" output, but 
when I try, I get these:

bash.8[~]: ps -ef | grep -i earlyoom
weilian+28232705  0 09:53 pts/000:00:00 grep --color=auto -i 
earlyoom

bash.9[~]: ps -aux | grep -i earlyoom
weilian+2829  0.0  0.0 221564   840 pts/0S+   09:53   0:00 grep 
--color=auto -i earlyoom

bash.10[~]: ps -al | grep -i earlyoom
bash.11[~]:

I did also try logging in to plasma with wayland.  After entering my 
credentials, the screens went black.  After 2 minutes, I hit the hard 
reset and rebooted.


Through 8 years of weekly patches and semi-annual upgrades, I've never 
done anything to block or disable wayland.  Shouldn't it have been 
automatically installed somewhere in those 8 years?  What did I do wrong 
or not do?


I'll report caja testing in my next message.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-14 Thread Ed Greshko


On 15/04/2021 05:57, home user wrote:



Is your desktop "GNOME" or "GNOME on Xorg"?


The desktop menu at login has 4 GNOME entries:
GNOME
GNOME
GNOME Classic
GNOME on Xorg
I usually use the first GNOME.
Side question: What's the difference between the first two entries?


I don't know why you'd have 2.  Both are probably Wayland.

So, tomorrow, start by using "GNOME on Xorg"

As far as determining if you're in a wayland or Xorg environment.

Wayland
[egreshko@f33g ~]$ env | grep -i wayland
XDG_SESSION_TYPE=wayland
XAUTHORITY=/run/user/1000/.mutter-Xwaylandauth.3OTU10
WAYLAND_DISPLAY=wayland-0
[egreshko@f33g ~]$

Xorg
[egreshko@f33g ~]$ env | grep -i wayland
[egreshko@f33g ~]$

Also

Wayland
earlyoom 572   1  0 06:41 ?    00:00:00 /usr/bin/earlyoom -r 0 -m 4 
-M 409600 --prefer ^Web Content$ --avoid 
^(dnf|packagekitd|gnome-shell|gnome-session-c|gnome-session-b|lightdm|sddm|sddm-helper|gdm|gdm-wayland-ses|gdm-session-wor|gdm-x-session|Xorg|Xwayland|systemd|systemd-logind|dbus-daemon|dbus-broker|cinnamon|cinnamon-sessio|kwin_x11|kwin_wayland|plasmashell|ksmserver|plasma_session|startplasma-way|xfce4-session|mate-session|marco|lxqt-session|openbox)$
egreshko    1299    1253  0 06:42 tty2 00:00:00 
/usr/libexec/gdm-wayland-session /usr/bin/gnome-session
egreshko    1432    1375  0 06:42 ?    00:00:00 /usr/bin/Xwayland :0 
-rootless -noreset -accessx -core -auth 
/run/user/1000/.mutter-Xwaylandauth.X2CY10 -listen 4 -listen 5 -displayfd 6 
-listen 7

Xorg
Ony the line for earlyoom.


--
Remind me to ignore comments which aren't germane to the thread.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-14 Thread home user


On 4/14/21 3:46 PM, Roger Heflin wrote:

really just start caja from the terminal with strace -o caja.out -f
`which caja`

do what you normally do and exit.

then grep pid caja.out and that will should tell you what executable
that pid was and some of what it did.

That will produce an .out file that contains all of the pid's and what
those pids were and some of what they did.


I'll try this tomorrow morning.  See my reply to Ed for the explanation.


On Wed, Apr 14, 2021 at 4:09 PM home user  wrote:


On 4/14/21 1:50 PM, Roger Heflin wrote:

He might want to run a strace -o appname.out -f


And then do the ausearch and we should be able to see what what the
pid was doing and/or what executable it was.


What options would you find most helpful?

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-14 Thread home user


On 4/14/21 3:18 PM, Ed Greshko wrote:


Is your desktop "GNOME" or "GNOME on Xorg"?


The desktop menu at login has 4 GNOME entries:
GNOME
GNOME
GNOME Classic
GNOME on Xorg
I usually use the first GNOME.
Side question: What's the difference between the first two entries?

Which ever one it is, could you try switching to the other one to see if 
the issue continues

to exist?


Unable to determine!

I logged out, and then logged back in without changing the desktop.
I launched Files.  No alert.
I launched caja.  No alert.

I shut down and the booted up and logged in with GNOME.
I launched Files.  No alert.
I launched caja.  No alert.

I shut down and booted up and logged in with GNOME.
I launched caja.  No alert.

I shut down and booted up and logged in with GNOME on Xorg.
I launched caja.  No alert.

Yesterday evening, I suspected that the problem can be reproduced only 
once per day.  That's why I said last night that I would test this morning.


The above test sequence strengthens my suspicion, but does not prove, 
that this problem can be reproduced only once per day (not once per 
login session, not once per boot session).  I can't (yet) rule out that 
the open terminal, Thunderbird, or "youtube-dl" somehow play into this.


I'm also still trying to determine whether this problem is unique to 
caja, or if Files has the same problem.


I'll try your suggested test again tomorrow morning.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-14 Thread Roger Heflin

really just start caja from the terminal with strace -o caja.out -f
`which caja`

do what you normally do and exit.

then grep pid caja.out and that will should tell you what executable
that pid was and some of what it did.

That will produce an .out file that contains all of the pid's and what
those pids were and some of what they did.

On Wed, Apr 14, 2021 at 4:09 PM home user  wrote:
>
> On 4/14/21 1:50 PM, Roger Heflin wrote:
> > He might want to run a strace -o appname.out -f
> > 
> >
> > And then do the ausearch and we should be able to see what what the
> > pid was doing and/or what executable it was.
>
> What options would you find most helpful?
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-14 Thread Ed Greshko


On 15/04/2021 05:06, home user wrote:

On 4/14/21 12:52 PM, Ed Greshko wrote:

On 15/04/2021 00:33, home user wrote:

I tried that using "ps -ef | grep [pid]".  The only hit was the ps command 
itself.


It is not clear to me that you did this immediately after getting the alert.


1. I launched caja from the gnome activities dash.  The caja GUI displays.
2. The SELinux alert shows up.
3. I trackball over to the alert and click the Details button.
4. The Details window comes up, I trackball over to it, I make it bigger.
5. I scroll down and look for the pid.
6. I trackball over to the terminal and enter the ps command.
Steps 2 thru 6 do take several seconds, maybe up to a minute. That's as 
"immediate" as I can do.



Is your desktop "GNOME" or "GNOME on Xorg"?

Which ever one it is, could you try switching to the other one to see if the 
issue continues
to exist?

--
Remind me to ignore comments which aren't germane to the thread.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-14 Thread home user


On 4/14/21 1:50 PM, Roger Heflin wrote:

He might want to run a strace -o appname.out -f


And then do the ausearch and we should be able to see what what the
pid was doing and/or what executable it was.


What options would you find most helpful?
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-14 Thread home user


On 4/14/21 12:52 PM, Ed Greshko wrote:

On 15/04/2021 00:33, home user wrote:
I tried that using "ps -ef | grep [pid]".  The only hit was the ps 
command itself.


It is not clear to me that you did this immediately after getting the 
alert.


1. I launched caja from the gnome activities dash.  The caja GUI displays.
2. The SELinux alert shows up.
3. I trackball over to the alert and click the Details button.
4. The Details window comes up, I trackball over to it, I make it bigger.
5. I scroll down and look for the pid.
6. I trackball over to the terminal and enter the ps command.
Steps 2 thru 6 do take several seconds, maybe up to a minute.  That's as 
"immediate" as I can do.


According to the ausearch_out the PID is different at each instance of 
an alert.  So, it is possible that
whatever process produced the alert has exited or died after the series 
of alerts.


I agree.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-14 Thread Roger Heflin

He might want to run a strace -o appname.out -f


And then do the ausearch and we should be able to see what what the
pid was doing and/or what executable it was.

On Wed, Apr 14, 2021 at 1:52 PM Ed Greshko  wrote:
>
> On 15/04/2021 00:33, home user wrote:
> > I tried that using "ps -ef | grep [pid]".  The only hit was the ps command 
> > itself.
>
> It is not clear to me that you did this immediately after getting the alert.
>
> According to the ausearch_out the PID is different at each instance of an 
> alert.  So, it is possible that
> whatever process produced the alert has exited or died after the series of 
> alerts.
>
> --
> Remind me to ignore comments which aren't germane to the thread.
>
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-14 Thread Ed Greshko


On 15/04/2021 00:33, home user wrote:

I tried that using "ps -ef | grep [pid]".  The only hit was the ps command 
itself.


It is not clear to me that you did this immediately after getting the alert.

According to the ausearch_out the PID is different at each instance of an 
alert.  So, it is possible that
whatever process produced the alert has exited or died after the series of 
alerts.

--
Remind me to ignore comments which aren't germane to the thread.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-14 Thread home user


On 4/14/21 1:26 AM, Ed Greshko wrote:

On 14/04/2021 11:41, home user wrote:


Last night, in ".bash_profile", I commented out the block of code that 
launches xeyes, and shut down for the night.


This morning, I booted up and logged in,  No xeyes.  I downloaded a 
Chinese music video.  I then launched caja.  Before I tried doing 
anything in it, a SELinux alert appeared,


So it seems that xeyes has nothing to do with this problem.

I tried launching "files".  I did not see any SELinux alerts.


Your AVC you posted was

type=AVC msg=audit(1618332726.288:964): avc:  denied  { write } for  
pid=129605 co
mm="gstglcontext" 
path=2F6D656D66643A2F2E6E76696469615F6472762E5858585858582028646
56C6574656429 dev="tmpfs" ino=1025 
scontext=unconfined_u:unconfined_r:thumb_t:s0-s
0:c0.c1023 tcontext=system_u:object_r:xserver_tmpfs_t:s0 tclass=file 
permissive=0


Are all of your alerts of this kind?  You may want to use "ausearch" 
with -c gstglcontext.
You can narrow the window by using -ts in the ausearch command. Looking 
a the man page

to find the options for that parameter.


After doing the above described test, I ran the command to get 
everything from the start of yesterday.  I posted the results in a 
simple text file on the google drive.  Here's the link:

"https://drive.google.com/file/d/1-BSwKWu_Mi3CozfLRi2dQmzPndi3HHqj/view?usp=sharing";

That being said, gstglcontext is related to OpenGL which "is a 
cross-language, cross-platform application programming interface (API) 
for rendering 2D and 3D vector graphics".  The "scontext" has as part of 
it xserver_tmpfs_t which furthers this.


So, the next time you get this alert check out the AVC and find the 
process associated with pid=.


I tried that using "ps -ef | grep [pid]".  The only hit was the ps 
command itself.


I still have the SELinux alert details for the past several days.  I can 
post anything that you want to see, if that would help.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-14 Thread Ed Greshko


On 14/04/2021 11:41, home user wrote:

Tomorrow morning, I will try the no-xeyes test that you suggest.

Ignoring the problem is tempting, but I don't want to give up too easily. 


Well, pardon me for saying I find that last observation somewhat narrow in 
scope.  :-) :-)

That being said

Your AVC you posted was

type=AVC msg=audit(1618332726.288:964): avc:  denied  { write } for  pid=129605 
co
mm="gstglcontext" 
path=2F6D656D66643A2F2E6E76696469615F6472762E5858585858582028646
56C6574656429 dev="tmpfs" ino=1025 
scontext=unconfined_u:unconfined_r:thumb_t:s0-s
0:c0.c1023 tcontext=system_u:object_r:xserver_tmpfs_t:s0 tclass=file 
permissive=0

Are all of your alerts of this kind?  You may want to use "ausearch" with -c 
gstglcontext.
You can narrow the window by using -ts in the ausearch command. Looking a the 
man page
to find the options for that parameter.

That being said, gstglcontext is related to OpenGL which "is a cross-language, cross-platform 
application programming interface (API) for rendering 2D and 3D vector graphics".  The 
"scontext" has as part of it xserver_tmpfs_t which furthers this.

So, the next time you get this alert check out the AVC and find the process 
associated with pid=.

--
Remind me to ignore comments which aren't germane to the thread.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-13 Thread home user


On 4/13/21 5:20 PM, Ed Greshko wrote:

Long zoom meeting done; now I'm back to this.

memfd refers to "Memory File Descriptor".  The file in question exists 
only in RAM and is a temporary file at that.

Command such as "restorecon" are useless for this.


ok.

I'm guessing it may be caused not by caja by xeyes.  But if you're not 
having any problems it would be
something that I'd ignore.  I don't know if this would apply, but when 
the Alert pops up there should be
a button for "ignore" beside the button for "troubleshoot".  If I recall 
correctly.


You remember correctly.

If I were having these alerts and wanted to do a little debugging I'd 
first run my sessions without xeyes.


I don't know how you installed your nVidia drivers.  But, I would check 
to make sure what I had were the

latest.  FWIW, I use the nVidia stuff packaged by rpmfusion.


I started out with the proprietary driver 8 years ago.  1 or 2 years 
later, as advised by this list, I switched to the kmod? package(s?) from 
rpmfusion.  The rpmfusion stuff was installed the way members of this 
list instructed.  I see the rpmfusion stuff patched during over half of 
my weekly patches.


I don't know if any of this helps, but here goes:
* The problem started after upgrading to f33.
* I have not noticed any problems with xeyes.
* The sequence of steps leading to the alerts is:
1. Using the command line in a terminal, download a Chinese music video. 
 The resulting file has a name made of traditional (Taiwan) Chinese 
characters.

2. Launch caja.
3. Use caja to rename the file to something with all ASCII characters.
4. Use caja to launch the file for viewing.  I think it's launching VLC 
for that.

5. View the file and, using vim in a terminal, make study notes.
6. In caja, delete the file.
In caja, for each file, there is a small icon, the name of the file, and 
meta-data for the file.  In the case of video files, that icon is an 
image, a frame from the video.  The factors that have been occurring to 
me are the traditional Chinese characters and the image icons.  But why 
only the first time in a login session?  That's what most puzzles me.


Tomorrow morning, I will try the no-xeyes test that you suggest.

Ignoring the problem is tempting, but I don't want to give up too 
easily.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-13 Thread home user


On 4/13/21 5:06 PM, Roger Heflin wrote:

sestatus will show the current status.

if enforcing then something may not be functioning as designed.

if permissive then it will report it is blocking when it is not, and
if you set it enforcing then something would probably break.

if you set it permissive at one time then it will stay set permissive.


It is "enforcing":

bash.1[~]: su -
Password:
-bash.1[~]: sestatus -v
SELinux status: enabled
SELinuxfs mount:/sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode:   enforcing
Mode from config file:  enforcing
Policy MLS status:  enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version:  33

Process contexts:
Current context: 
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Init context:   system_u:system_r:init_t:s0

File contexts:
Controlling terminal:   unconfined_u:object_r:user_devpts_t:s0
/etc/passwd system_u:object_r:passwd_file_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/bash   system_u:object_r:shell_exec_t:s0
/bin/login  system_u:object_r:login_exec_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> 
system_u:object_r:shell_exec_t:s0

/sbin/agettysystem_u:object_r:getty_exec_t:s0
/sbin/init  system_u:object_r:bin_t:s0 -> 
system_u:object_r:init_exec_t:s0

/usr/sbin/sshd  system_u:object_r:sshd_exec_t:s0
/lib/libc.so.6  system_u:object_r:lib_t:s0 -> 
system_u:object_r:lib_t:s0
/lib/ld-linux.so.2  system_u:object_r:lib_t:s0 -> 
system_u:object_r:ld_so_t:s0

-bash.2[~]:


On Tue, Apr 13, 2021 at 4:56 PM home user  wrote:


On 4/13/21 2:24 PM, Roger Heflin wrote:

Are you running permissive or enforcing? >
if permissive then it does not block anything, but says it is blocking

if enforcing it is blocking something, though it may be a
pointless/useless interface feature of some sort that does not matter,
and does not really affect functionality.

And it might be some sort of sub process that is failing to do
something that may or may not matter.


When I first installed this system 8 years ago, SELinux was there by
default.  My knowledge of it is very high level and superficial.  I
don't recall ever setting anything either of those 2 ways; I'm running
whatever the default is.  I don't know the answer to your question, nor
do I know how to find out.

I do need to find a better way to reproduce the problem and test fixes
(like the restorecon command you suggested).  Currently, it seems I get
the problem only the first 1 or 2 times per login, per boot, or per day
(I haven't yet figured out which).  I also want to figure out if the
problem is limited to caja, or if "files" also has the problem.


___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-13 Thread Ed Greshko


On 14/04/2021 01:40, home user wrote:

At least 3 times in the past few days I've seen the same SELinux alert.  I put the text of the 
details in the attached file "alerts.txt".  All 3 occurrences were while using caja to 
rename or delete a file, though it does not happen every time I rename or delete a file in caja.  
These alerts confuse me.  There is no directory "/memdf:"...

-bash.1[~]: cd /
-bash.2[/]: ls -a
.bootetc   lib64   mnt   root  srv system-upgrade   usr
..   .cache  home  lost+found  opt   run   sys system-upgrade-root  var
bin  dev lib   media   proc  sbin  sysroot  tmp
-bash.3[/]: ls -a /memfd*
ls: cannot access '/memfd*': No such file or directory
-bash.4[/]:

Also, the directory name (ending with a colon?) looks fishy. Further, the filename 
".nvidia_drv.XX" looks fishy (but "legal").

The instruction does not work:

-bash.4[/]: /sbin/restorecon -v /memfd:/.nvidia_drv.XX (deleted)
-bash: syntax error near unexpected token `('
-bash.4[/]:

-bash.5[/]: /sbin/restorecon -v /memfd:/.nvidia_drv.XX
/sbin/restorecon: SELinux: Could not get canonical path for 
/memfd:/.nvidia_drv.XX restorecon: No such file or directory.
-bash.6[/]:

I gather that a directory and or file (whatever its name really is) are missing? 


memfd refers to "Memory File Descriptor".  The file in question exists only in 
RAM and is a temporary file at that.
Command such as "restorecon" are useless for this.

I'm guessing it may be caused not by caja by xeyes.  But if you're not having 
any problems it would be
something that I'd ignore.  I don't know if this would apply, but when the 
Alert pops up there should be
a button for "ignore" beside the button for "troubleshoot".  If I recall 
correctly.

If I were having these alerts and wanted to do a little debugging I'd first run 
my sessions without xeyes.

I don't know how you installed your nVidia drivers.  But, I would check to make 
sure what I had were the
latest.  FWIW, I use the nVidia stuff packaged by rpmfusion.


--
Remind me to ignore comments which aren't germane to the thread.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-13 Thread Roger Heflin

sestatus will show the current status.

if enforcing then something may not be functioning as designed.

if permissive then it will report it is blocking when it is not, and
if you set it enforcing then something would probably break.

if you set it permissive at one time then it will stay set permissive.

On Tue, Apr 13, 2021 at 4:56 PM home user  wrote:
>
> On 4/13/21 2:24 PM, Roger Heflin wrote:
> > Are you running permissive or enforcing? >
> > if permissive then it does not block anything, but says it is blocking
> >
> > if enforcing it is blocking something, though it may be a
> > pointless/useless interface feature of some sort that does not matter,
> > and does not really affect functionality.
> >
> > And it might be some sort of sub process that is failing to do
> > something that may or may not matter.
>
> When I first installed this system 8 years ago, SELinux was there by
> default.  My knowledge of it is very high level and superficial.  I
> don't recall ever setting anything either of those 2 ways; I'm running
> whatever the default is.  I don't know the answer to your question, nor
> do I know how to find out.
>
> I do need to find a better way to reproduce the problem and test fixes
> (like the restorecon command you suggested).  Currently, it seems I get
> the problem only the first 1 or 2 times per login, per boot, or per day
> (I haven't yet figured out which).  I also want to figure out if the
> problem is limited to caja, or if "files" also has the problem.
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-13 Thread home user


On 4/13/21 2:24 PM, Roger Heflin wrote:

Are you running permissive or enforcing? >
if permissive then it does not block anything, but says it is blocking

if enforcing it is blocking something, though it may be a
pointless/useless interface feature of some sort that does not matter,
and does not really affect functionality.

And it might be some sort of sub process that is failing to do
something that may or may not matter.


When I first installed this system 8 years ago, SELinux was there by 
default.  My knowledge of it is very high level and superficial.  I 
don't recall ever setting anything either of those 2 ways; I'm running 
whatever the default is.  I don't know the answer to your question, nor 
do I know how to find out.


I do need to find a better way to reproduce the problem and test fixes 
(like the restorecon command you suggested).  Currently, it seems I get 
the problem only the first 1 or 2 times per login, per boot, or per day 
(I haven't yet figured out which).  I also want to figure out if the 
problem is limited to caja, or if "files" also has the problem.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-13 Thread Roger Heflin

Are you running permissive or enforcing?

if permissive then it does not block anything, but says it is blocking

if enforcing it is blocking something, though it may be a
pointless/useless interface feature of some sort that does not matter,
and does not really affect functionality.

And it might be some sort of sub process that is failing to do
something that may or may not matter.

On Tue, Apr 13, 2021 at 2:59 PM home user  wrote:
>
> On 4/13/21 12:48 PM, Roger Heflin wrote:
> > I see a lot of /memfd: in lsof it appears to be anonymous files (ie
> > temp files).   I am going to guess memfd is memory file descriptor, ie
> > a temp file created in memory.
> >
> > Usually they are going to not actually exist anywhere in a fs.  And
> > generally the app that opens/creates them is the app that is going to
> > immediately use it.
> >
> > if selinux is blocking it I would think it should cause some sort of
> > issues with the owner/application using the file.
> >
> >   lsof | grep "/memfd:/.nvidia"  will show you the owner of the
> > specific file.   For the nvidia_drv one it looks like Xorg (on my
> > system, may Wayland if you are using that) opens it.
>
> I've attached the output of "lsof | grep "/memfd:/.nvidia"".  When I ran
> that, caja, a terminal, and xeyes were running.
>
> > On mine in lsof I have hundreds using the .nvidia_drv.XX one and
> > all have the same node in lsof so all are the same object, probably
> > created by the display owner.
> >
> > It may be that caja itself is not granted the proper selinux
> > permissions to use that resource and is hence getting the error.  Ie
> > the error may not be that the file is missing options but that the
> > application is not allowed access to the file.
>
> When I ran the renames and deletes in caja, they all worked properly
> even though I received the SELinux alerts in some cases.  Would that
> have been so if caja was lacking SELinux permissions?
>
> > you might try the restorecon against the caja executable itself
> >
> > On Tue, Apr 13, 2021 at 12:41 PM home user  wrote:
> >>
> >> [... snip ...]
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Re: puzzling SELinux alert.

2021-04-13 Thread home user


On 4/13/21 12:48 PM, Roger Heflin wrote:

I see a lot of /memfd: in lsof it appears to be anonymous files (ie
temp files).   I am going to guess memfd is memory file descriptor, ie
a temp file created in memory.

Usually they are going to not actually exist anywhere in a fs.  And
generally the app that opens/creates them is the app that is going to
immediately use it.

if selinux is blocking it I would think it should cause some sort of
issues with the owner/application using the file.

  lsof | grep "/memfd:/.nvidia"  will show you the owner of the
specific file.   For the nvidia_drv one it looks like Xorg (on my
system, may Wayland if you are using that) opens it.


I've attached the output of "lsof | grep "/memfd:/.nvidia"".  When I ran 
that, caja, a terminal, and xeyes were running.



On mine in lsof I have hundreds using the .nvidia_drv.XX one and
all have the same node in lsof so all are the same object, probably
created by the display owner.

It may be that caja itself is not granted the proper selinux
permissions to use that resource and is hence getting the error.  Ie
the error may not be that the file is missing options but that the
application is not allowed access to the file.


When I ran the renames and deletes in caja, they all worked properly 
even though I received the SELinux alerts in some cases.  Would that 
have been so if caja was lacking SELinux permissions?



you might try the restorecon against the caja executable itself

On Tue, Apr 13, 2021 at 12:41 PM home user  wrote:


[... snip ...]

-bash.7[~]: lsof | grep "/memfd:/.nvidia"
lsof: WARNING: can't stat() fuse.gvfsd-fuse file system /run/user/1001/gvfs
  Output information may be incomplete.
Xorg1005 root  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
Xorg1005 root   26u  REG
0,1   1724416   1025 /memfd:/.nvidia_drv.XX (deleted)
Xorg1005   1033 InputThreroot  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
Xorg1005   1033 InputThreroot   26u  REG
0,1   1724416   1025 /memfd:/.nvidia_drv.XX (deleted)
gnome-she   1340 bill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   1346 gmainbill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   1357 gdbusbill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   1359 dconf\x20bill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   1364 JS\x20Helbill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   1365 JS\x20Helbill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   1366 JS\x20Helbill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   1367 JS\x20Helbill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   1368 JS\x20Helbill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   1369 JS\x20Helbill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   1370 JS\x20Helbill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   1371 JS\x20Helbill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340   3968 threaded-bill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340 130318 pool-gnombill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340 130319 pool-gnombill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340 130320 pool-gnombill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340 130321 pool-gnombill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340 130322 pool-gnombill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340 130323 pool-gnombill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340 130324 pool-gnombill  DEL   REG
0,1 1025 /memfd:/.nvidia_drv.XX
gnome-she   1340 130325 pool-gnombill  DEL   REG

Re: puzzling SELinux alert.

2021-04-13 Thread Roger Heflin

I see a lot of /memfd: in lsof it appears to be anonymous files (ie
temp files).   I am going to guess memfd is memory file descriptor, ie
a temp file created in memory.

Usually they are going to not actually exist anywhere in a fs.  And
generally the app that opens/creates them is the app that is going to
immediately use it.

if selinux is blocking it I would think it should cause some sort of
issues with the owner/application using the file.

 lsof | grep "/memfd:/.nvidia"  will show you the owner of the
specific file.   For the nvidia_drv one it looks like Xorg (on my
system, may Wayland if you are using that) opens it.

On mine in lsof I have hundreds using the .nvidia_drv.XX one and
all have the same node in lsof so all are the same object, probably
created by the display owner.

It may be that caja itself is not granted the proper selinux
permissions to use that resource and is hence getting the error.  Ie
the error may not be that the file is missing options but that the
application is not allowed access to the file.

you might try the restorecon against the caja executable itself

On Tue, Apr 13, 2021 at 12:41 PM home user  wrote:
>
> At least 3 times in the past few days I've seen the same SELinux alert.
> I put the text of the details in the attached file "alerts.txt".  All 3
> occurrences were while using caja to rename or delete a file, though it
> does not happen every time I rename or delete a file in caja.  These
> alerts confuse me.  There is no directory "/memdf:"...
>
> -bash.1[~]: cd /
> -bash.2[/]: ls -a
> .bootetc   lib64   mnt   root  srv system-upgrade   usr
> ..   .cache  home  lost+found  opt   run   sys system-upgrade-root  var
> bin  dev lib   media   proc  sbin  sysroot  tmp
> -bash.3[/]: ls -a /memfd*
> ls: cannot access '/memfd*': No such file or directory
> -bash.4[/]:
>
> Also, the directory name (ending with a colon?) looks fishy. Further,
> the filename ".nvidia_drv.XX" looks fishy (but "legal").
>
> The instruction does not work:
>
> -bash.4[/]: /sbin/restorecon -v /memfd:/.nvidia_drv.XX (deleted)
> -bash: syntax error near unexpected token `('
> -bash.4[/]:
>
> -bash.5[/]: /sbin/restorecon -v /memfd:/.nvidia_drv.XX
> /sbin/restorecon: SELinux: Could not get canonical path for
> /memfd:/.nvidia_drv.XX restorecon: No such file or directory.
> -bash.6[/]:
>
> I gather that a directory and or file (whatever its name really is) are
> missing?
>
> How do I fix this?
> ___
> users mailing list -- users@lists.fedoraproject.org
> To unsubscribe send an email to users-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

puzzling SELinux alert.

2021-04-13 Thread home user

At least 3 times in the past few days I've seen the same SELinux alert.  
I put the text of the details in the attached file "alerts.txt".  All 3 
occurrences were while using caja to rename or delete a file, though it 
does not happen every time I rename or delete a file in caja.  These 
alerts confuse me.  There is no directory "/memdf:"...


-bash.1[~]: cd /
-bash.2[/]: ls -a
.    boot    etc   lib64   mnt   root  srv system-upgrade   usr
..   .cache  home  lost+found  opt   run   sys system-upgrade-root  var
bin  dev lib   media   proc  sbin  sysroot  tmp
-bash.3[/]: ls -a /memfd*
ls: cannot access '/memfd*': No such file or directory
-bash.4[/]:

Also, the directory name (ending with a colon?) looks fishy. Further, 
the filename ".nvidia_drv.XX" looks fishy (but "legal").


The instruction does not work:

-bash.4[/]: /sbin/restorecon -v /memfd:/.nvidia_drv.XX (deleted)
-bash: syntax error near unexpected token `('
-bash.4[/]:

-bash.5[/]: /sbin/restorecon -v /memfd:/.nvidia_drv.XX
/sbin/restorecon: SELinux: Could not get canonical path for 
/memfd:/.nvidia_drv.XX restorecon: No such file or directory.

-bash.6[/]:

I gather that a directory and or file (whatever its name really is) are 
missing?


How do I fix this?

SELinux is preventing gstglcontext from write access on the file 
/memfd:/.nvidia_drv.XX (deleted).

*  Plugin restorecon (99.5 confidence) suggests   

If you want to fix the label. 
/memfd:/.nvidia_drv.XX (deleted) default label should be default_t.
Then you can run restorecon. The access attempt may have been stopped due to 
insufficient permissions to access a parent directory in which case try to 
change the following command accordingly.
Do
# /sbin/restorecon -v /memfd:/.nvidia_drv.XX (deleted)

*  Plugin catchall (1.49 confidence) suggests   **

If you believe that gstglcontext should be allowed write access on the 
.nvidia_drv.XX (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'gstglcontext' --raw | audit2allow -M my-gstglcontext
# semodule -X 300 -i my-gstglcontext.pp

Additional Information:
Source Contextunconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Contextsystem_u:object_r:xserver_tmpfs_t:s0
Target Objects/memfd:/.nvidia_drv.XX (deleted) [ file ]
Sourcegstglcontext
Source Path   gstglcontext
Port  
Host  coyote
Source RPM Packages   
Target RPM Packages   
SELinux Policy RPMselinux-policy-targeted-3.14.6-36.fc33.noarch
Local Policy RPM  selinux-policy-targeted-3.14.6-36.fc33.noarch
Selinux Enabled   True
Policy Type   targeted
Enforcing ModeEnforcing
Host Name coyote
Platform  Linux coyote 5.11.11-200.fc33.x86_64 #1 SMP Tue
  Mar 30 16:53:32 UTC 2021 x86_64 x86_64
Alert Count   14
First Seen2021-04-10 20:54:09 MDT
Last Seen 2021-04-13 10:52:06 MDT
Local ID  97b55286-0131-46f4-86ad-481e32b4563f

Raw Audit Messages
type=AVC msg=audit(1618332726.288:964): avc:  denied  { write } for  pid=129605 
comm="gstglcontext" 
path=2F6D656D66643A2F2E6E76696469615F6472762E585858585858202864656C6574656429 
dev="tmpfs" ino=1025 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:xserver_tmpfs_t:s0 tclass=file permissive=0


Hash: gstglcontext,thumb_t,xserver_tmpfs_t,file,write
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

37 matches

Mail list logo