fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Dolphin crashes when trying to copy/cut within confined user accounts #1917

Closed py0xc3 closed 11 months ago

py0xc3 commented 1 year ago

I use Fedora 38 KDE Spin with confined user accounts: In my GUI user, I currently test with sysadm_u (obviously with the sysadm-GUI-boolean enabled).

The default file manager of KDE (dolphin) crashes when I try to copy (both with "CTRL + C" and with using the right-mouse-click-menu to click on "copy") or to cut (both with "CTRL + X" and with using the right-mouse-click-menu to click on "cut") in the below described circumstances. The crash occurs always at the very moment I click on "cut"/"copy" or when I push CTRL+C/X. The crash does not occur when the user is set to unconfined_u.

So far, it seems that the crash occurs (and thus can be reproduced) when dolphin is opened within a KDE session and ... -> the crash occurs IF I try to copy/cut a FILE (not folder!) AND IF this FILE is outside the user's home path (which means the file is neither in ~ nor in its sub-paths).

But ...
-> the crash NEVER appeared WHEN I tried to copy/cut a FOLDER in any dir.
-> the crash NEVER appeared WHEN I tried to copy/cut a FILE within /home/<user>/* (including the sub-dirs of ~)

However, everything works fine if I start KDE's terminal "konsole" and use "mc" to do copy/move (so a "mc"-running terminal from within the KDE GUI): it seems only dolphin is affected by that. The issue is not new. I have experienced this issue already many months ago, but I don't use dolphin that much and thus I forgot about it when we created the SIG :)

Here are two examples (copy & cut) with all denial-related logs from the root logs (extracts from "journalctl -r"):

Example of "copy" where the very "action"+"crash"+"avc-denial" was on 14:16:00:

Oct 28 14:16:05 fedora.domain plasmashell[3021]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x7f7354010a50) QQmlContext(0x55dc0e442010) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Oct 28 14:16:05 fedora.domain plasmashell[3021]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x7f7354010a50) QQmlContext(0x55dc0e442010) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Oct 28 14:16:05 fedora.domain setroubleshoot[10377]: SELinux is preventing dbus-broker from read access on the file /non-home-dir/foldername/folder1/somespreadsheet.ods.

                                                        *****  Plugin catchall_labels (83.8 confidence) suggests   *******************

                                                        If you want to allow dbus-broker to have read access on the somespreadsheet.ods file
                                                        Then you need to change the label on /non-home-dir/foldername/folder1/somespreadsheet.ods
                                                        Do
                                                        # semanage fcontext -a -t FILE_TYPE '/non-home-dir/foldername/folder1/somespreadsheet.ods'
                                                        where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_tmp_t, amanda_tmp_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auditd_tmp_t, automount_tmp_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, cache_home_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, certmonger_tmp_t, cgroup_t, chrome_sandbox_tmp_t, chronyd_tmp_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cluster_tmp_t, cobbler_tmp_t, cockpit_tmp_t, cockpit_tmpfs_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, config_home_t, config_usr_t, conman_tmp_t, container_runtime_tmp_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, data_home_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbus_home_t, dbusd_etc_t, dbusd_exec_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, default_context_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dnsmasq_tmp_t, dnssec_trigger_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, drbd_tmp_t, etc_runtime_t, etc_t, exim_tmp_t, fail2ban_tmp_t, fdo_tmp_t, fenced_tmp_t, file_context_t, firewalld_tmp_t, firewallgui_tmp_t, fonts_cache_t, fonts_t, fprintd_tmp_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_home_t, gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, 
git_script_tmp_t, gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t, gnome_home_t, gpg_agent_tmp_t, gpg_agent_tmpfs_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gpsd_tmp_t, gssd_tmp_t, gstreamer_home_t, hostname_etc_t, hsqldb_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, icc_data_home_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, insights_client_tmp_t, ipsec_tmp_t, iptables_tmp_t, iscsi_tmp_t, jetty_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keepalived_tmp_t, keystone_tmp_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, kmod_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mdadm_tmp_t, mediawiki_tmp_t, mock_tmp_t, mojomojo_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_tmp_t, mplayer_tmpfs_t, mrtg_tmp_t, mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_tmp_t, nfsd_tmp_t, nova_tmp_t, nsd_tmp_t, ntop_tmp_t, ntpd_tmp_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, opendnssec_tmp_t, openshift_app_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t, oracleasm_tmp_t, pam_timestamp_tmp_t, pam_var_console_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, piranha_web_tmp_t, 
pkcs11_modules_conf_t, pkcs_slotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, procmail_tmp_t, prosody_tmp_t, psad_tmp_t, pulseaudio_tmpfs_t, puppet_tmp_t, puppetmaster_tmp_t, qpidd_tmp_t, rabbitmq_tmp_t, racoon_tmp_t, realmd_tmp_t, redis_tmp_t, rhcd_tmp_t, rhev_agentd_tmp_t, rhsmcertd_tmp_t, ricci_tmp_t, rlogind_tmp_t, rolekit_tmp_t, rpcbind_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rpmdb_tmp_t, rrdcached_tmp_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sbd_tmpfs_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, security_t, selinux_config_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_fixit_tmp_t, setroubleshoot_tmp_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_tmp_t, speech_dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stapserver_tmpfs_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_tmp_t, systemd_importd_tmp_t, systemd_logind_var_run_t, targetclid_tmp_t, targetd_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, 
telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thumb_exec_t, thumb_tmp_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, user_cron_spool_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_qemu_ga_tmp_t, virt_tmp_t, virt_var_lib_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, webadm_tmp_t, webalizer_tmp_t, winbind_rpcd_tmp_t, wireshark_tmp_t, wireshark_tmpfs_t, xauth_tmp_t, xend_tmp_t, xenstored_tmp_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t.
                                                        Then execute:
                                                        restorecon -v '/non-home-dir/foldername/folder1/somespreadsheet.ods'

                                                        *****  Plugin catchall (17.1 confidence) suggests   **************************

                                                        If you believe that dbus-broker should be allowed read access on the somespreadsheet.ods file by default.
                                                        Then you should report this as a bug.
                                                        You can generate a local policy module to allow this access.
                                                        Do
                                                        allow this access for now by executing:
                                                        # ausearch -c 'dbus-broker' --raw | audit2allow -M my-dbusbroker
                                                        # semodule -X 300 -i my-dbusbroker.pp

Oct 28 14:16:05 fedora.domain setroubleshoot[10377]: SELinux is preventing dbus-broker from read access on the file /non-home-dir/foldername/folder1/somespreadsheet.ods. For complete SELinux messages run: sealert -l bc5e1697-6221-4bcb-a455-b971a855c0d3
Oct 28 14:16:03 fedora.domain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@10 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 28 14:16:03 fedora.domain systemd[1]: Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@10.service.
Oct 28 14:16:02 fedora.domain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=setroubleshootd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Oct 28 14:16:02 fedora.domain systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs.
Oct 28 14:16:02 fedora.domain systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs...
Oct 28 14:16:02 fedora.domain plasmashell[3021]: QString::arg: 2 argument(s) missing in org.kde.dolphin
Oct 28 14:16:02 fedora.domain plasmashell[3021]: kf.service.services: KApplicationTrader: mimeType "x-scheme-handler/file" not found
Oct 28 14:16:00 fedora.domain plasmashell[3021]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x55dc1020ffe0) QQmlContext(0x55dc0e442010) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Oct 28 14:16:00 fedora.domain plasmashell[3021]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x55dc1020ffe0) QQmlContext(0x55dc0e442010) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Oct 28 14:16:00 fedora.domain drkonqi[10340]: kf5idletime_wayland: This plugin does not support polling idle time
Oct 28 14:16:00 fedora.domain plasmashell[9833]: KCrash: Attempting to start /usr/libexec/drkonqi
Oct 28 14:16:00 fedora.domain plasmashell[9833]: KCrash: Application 'dolphin' crashing...
Oct 28 14:16:00 fedora.domain plasmashell[9833]:   D-Bus not built with -rdynamic so unable to print a backtrace
Oct 28 14:16:00 fedora.domain plasmashell[9833]: This is normally a bug in some application using the D-Bus library.
Oct 28 14:16:00 fedora.domain plasmashell[9833]: dbus[9833]: arguments to dbus_pending_call_block() were incorrect, assertion "pending != NULL" failed in file ../../dbus/dbus-pending-call.c line 766.
Oct 28 14:16:00 fedora.domain xdg-folder1ument-portal[2840]: removing transfer 276305134239242784 for dead peer :1.132
Oct 28 14:16:00 fedora.domain dolphin[9833]: kf.coreaddons: Some files could not be exported.  QDBusError("org.freedesktop.DBus.Error.Disconnected", "Not connected to D-Bus server")
Oct 28 14:16:00 fedora.domain audit[2731]: AVC avc:  denied  { read } for  pid=2731 comm="dbus-broker" path="/non-home-dir/foldername/folder1/somespreadsheet.ods" dev="dm-1" ino=193619199 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0 tcontext=sysadm_u:object_r:default_t:s0 tclass=file permissive=0

Example of "cut" where the very "action"+"crash"+"avc-denial" was on 14:16:10:

Oct 28 14:16:14 fedora.domain plasmashell[3021]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x55dc0fe68430) QQmlContext(0x55dc0e442010) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Oct 28 14:16:14 fedora.domain plasmashell[3021]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x55dc0fe68430) QQmlContext(0x55dc0e442010) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Oct 28 14:16:14 fedora.domain setroubleshoot[10377]: SELinux is preventing dbus-broker from read access on the file /non-home-dir/foldername/folder1/somestuff/importantcontent/notes.ods.

                                                        *****  Plugin catchall_labels (83.8 confidence) suggests   *******************

                                                        If you want to allow dbus-broker to have read access on the notes.ods file
                                                        Then you need to change the label on /non-home-dir/foldername/folder1/somestuff/importantcontent/notes.ods
                                                        Do
                                                        # semanage fcontext -a -t FILE_TYPE '/non-home-dir/foldername/folder1/somestuff/importantcontent/notes.ods'
                                                        where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_tmp_t, amanda_tmp_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auditd_tmp_t, automount_tmp_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t, blueman_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, cache_home_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, certmonger_tmp_t, cgroup_t, chrome_sandbox_tmp_t, chronyd_tmp_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cluster_tmp_t, cobbler_tmp_t, cockpit_tmp_t, cockpit_tmpfs_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, config_home_t, config_usr_t, conman_tmp_t, container_runtime_tmp_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, data_home_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbus_home_t, dbusd_etc_t, dbusd_exec_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, default_context_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dnsmasq_tmp_t, dnssec_trigger_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, drbd_tmp_t, etc_runtime_t, etc_t, exim_tmp_t, fail2ban_tmp_t, fdo_tmp_t, fenced_tmp_t, file_context_t, firewalld_tmp_t, firewallgui_tmp_t, fonts_cache_t, fonts_t, fprintd_tmp_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_home_t, gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, 
git_script_tmp_t, gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t, gnome_home_t, gpg_agent_tmp_t, gpg_agent_tmpfs_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gpsd_tmp_t, gssd_tmp_t, gstreamer_home_t, hostname_etc_t, hsqldb_tmp_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, icc_data_home_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, insights_client_tmp_t, ipsec_tmp_t, iptables_tmp_t, iscsi_tmp_t, jetty_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keepalived_tmp_t, keystone_tmp_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, kmod_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mdadm_tmp_t, mediawiki_tmp_t, mock_tmp_t, mojomojo_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_tmp_t, mplayer_tmpfs_t, mrtg_tmp_t, mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_tmp_t, nfsd_tmp_t, nova_tmp_t, nsd_tmp_t, ntop_tmp_t, ntpd_tmp_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, opendnssec_tmp_t, openshift_app_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t, oracleasm_tmp_t, pam_timestamp_tmp_t, pam_var_console_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, piranha_web_tmp_t, 
pkcs11_modules_conf_t, pkcs_slotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, procmail_tmp_t, prosody_tmp_t, psad_tmp_t, pulseaudio_tmpfs_t, puppet_tmp_t, puppetmaster_tmp_t, qpidd_tmp_t, rabbitmq_tmp_t, racoon_tmp_t, realmd_tmp_t, redis_tmp_t, rhcd_tmp_t, rhev_agentd_tmp_t, rhsmcertd_tmp_t, ricci_tmp_t, rlogind_tmp_t, rolekit_tmp_t, rpcbind_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rpmdb_tmp_t, rrdcached_tmp_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sbd_tmpfs_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, security_t, selinux_config_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_fixit_tmp_t, setroubleshoot_tmp_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_tmp_t, speech_dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stapserver_tmpfs_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_tmp_t, systemd_importd_tmp_t, systemd_logind_var_run_t, targetclid_tmp_t, targetd_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, 
telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thumb_exec_t, thumb_tmp_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, user_cron_spool_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_qemu_ga_tmp_t, virt_tmp_t, virt_var_lib_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, webadm_tmp_t, webalizer_tmp_t, winbind_rpcd_tmp_t, wireshark_tmp_t, wireshark_tmpfs_t, xauth_tmp_t, xend_tmp_t, xenstored_tmp_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t.
                                                        Then execute:
                                                        restorecon -v '/non-home-dir/foldername/folder1/somestuff/importantcontent/notes.ods'

                                                        *****  Plugin catchall (17.1 confidence) suggests   **************************

                                                        If you believe that dbus-broker should be allowed read access on the notes.ods file by default.
                                                        Then you should report this as a bug.
                                                        You can generate a local policy module to allow this access.
                                                        Do
                                                        allow this access for now by executing:
                                                        # ausearch -c 'dbus-broker' --raw | audit2allow -M my-dbusbroker
                                                        # semodule -X 300 -i my-dbusbroker.pp

Oct 28 14:16:14 fedora.domain setroubleshoot[10377]: SELinux is preventing dbus-broker from read access on the file /non-home-dir/foldername/folder1/somestuff/importantcontent/notes.ods. For complete SELinux messages run: sealert -l bc5e1697-6221-4bcb-a455-b971a855c0d3
Oct 28 14:16:12 fedora.domain plasmashell[3021]: kpipewire_logging: Window not available PipeWireSourceItem_QML_1008(0x55dc0ff9ebe0, parent=0x55dc12401e90, geometry=0,0 92x38)
Oct 28 14:16:12 fedora.domain kwin_wayland[2814]: kwin_screencast: Dropping a screencast frame because the compositor is slow
Oct 28 14:16:12 fedora.domain plasmashell[3021]: kpipewire_logging: Window not available PipeWireSourceItem_QML_1008(0x55dc0ff9ebe0, parent=0x55dc12401e90, geometry=0,0 92x38)
Oct 28 14:16:12 fedora.domain plasmashell[3021]: kpipewire_logging: Window not available PipeWireSourceItem_QML_1008(0x55dc0ff9ebe0, parent=0x55dc12401e90, geometry=0,0 92x38)
Oct 28 14:16:11 fedora.domain plasmashell[3021]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x55dc11fc04a0) QQmlContext(0x55dc0e442010) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Oct 28 14:16:11 fedora.domain plasmashell[3021]: Could not find the Plasmoid for Plasma::FrameSvgItem(0x55dc11fc04a0) QQmlContext(0x55dc0e442010) QUrl("file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/global/Globals.qml")
Oct 28 14:16:11 fedora.domain drkonqi[10474]: kf5idletime_wayland: This plugin does not support polling idle time
Oct 28 14:16:10 fedora.domain plasmashell[10376]: KCrash: Attempting to start /usr/libexec/drkonqi
Oct 28 14:16:10 fedora.domain plasmashell[10376]: KCrash: Application 'dolphin' crashing...
Oct 28 14:16:10 fedora.domain plasmashell[10376]:   D-Bus not built with -rdynamic so unable to print a backtrace
Oct 28 14:16:10 fedora.domain plasmashell[10376]: This is normally a bug in some application using the D-Bus library.
Oct 28 14:16:10 fedora.domain plasmashell[10376]: dbus[10376]: arguments to dbus_pending_call_block() were incorrect, assertion "pending != NULL" failed in file ../../dbus/dbus-pending-call.c line 766.
Oct 28 14:16:10 fedora.domain xdg-folder1ument-portal[2840]: removing transfer 8749724436848051817 for dead peer :1.148
Oct 28 14:16:10 fedora.domain dolphin[10376]: kf.coreaddons: Some files could not be exported.  QDBusError("org.freedesktop.DBus.Error.Disconnected", "Not connected to D-Bus server")
Oct 28 14:16:10 fedora.domain audit[2731]: AVC avc:  denied  { read } for  pid=2731 comm="dbus-broker" path="/non-home-dir/foldername/folder1/somestuff/importantcontent/notes.ods" dev="dm-1" ino=183077447 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0 tcontext=sysadm_u:object_r:default_t:s0 tclass=file permissive=0

zpytela commented 1 year ago

The default_t type is assigned to filesystem objects that do not match any pattern in the file-context configuration. Please assign the correct label to the target objects.

Additional question: would using staff_u for a login shell with a role transition to sysadm_r (or other ones) on sudo execution work for you?

py0xc3 commented 1 year ago

The labels are all default. It seems that if non-root files are created outside ~, they are not assigned a proper label (which means, not assigned a label corresponding to the creator). However, I am wondering why everything works fine if I use midnight commander ("mc") [1] in a kde-konsole [2] within the same KDE GUI: its privileges/profiles are the same. I have seen that the labels are different in the non-~ directories, but I didn't link it to the issue because copy/cut & paste always worked with "mc".

I just tested with "mc" and evaluated the root logs: The very first time when I used "mc" to move a file (a file that makes dolphin crash) in this KDE session, it logged a comparable dbus-broker denial as dolphin, but the denial did not cause an issue: "mc" did not crash and moving the file works fine as well. In all later tries to move files that make dolphin crash with "mc", no avc denials are logged, and as before, everything worked fine. Interesting behavior.

Concerning the question: Unfortunately, no. I would prefer staff_u, if not user_u, as well. I have considered sysadm_r already, but I have to work a lot in a few folders outside ~, and many applications need the same access as well. This would thus no longer be practical. There are some other limitations, too (e.g., staff_u cannot > /dev/* in a terminal).

[1] https://en.wikipedia.org/wiki/Midnight_Commander [2] https://konsole.kde.org/

py0xc3 commented 1 year ago

I have been playing with potential mitigations for the two related issues: on one hand, the fact that SELinux seems to not create appropriate labels automatically for files/folders that are created by non-root user accounts outside their own home dir (even if they own the superordinated dirs). On the other hand, the issue that I still need to permanently use sysadm_u for productive work because of permanent work with folders/files outside my home.

I cannot just put the folders/files into my ~ for several reasons (ironically, primarily security reasons). However, I was trying to mount the folders into my ~ with mount --bind /outside-home-path/ ~/within-home-path. However, when creating new files, now seemingly within ~, SELinux still assigned the labels as if I had created the files outside ~. It remains impressive how hard it is to distract SELinux. Yet, do you maybe have another idea that could work to achieve that?

I assume it would also mitigate the issue of the ticket, and might present a solution for people who have to work outside their ~ directories while working in confined user accounts. Just in case it proves not realistic to make SELinux create appropriate labels automatically in the mentioned circumstances.

Another question: I am not fully aware of the difference between "user_home_dir_t" and "user_home_t". Is it worth trying to change the superordinated folder outside ~ to "user_home_dir_t" in order to make SELinux label everything below this path the way it labels user files in ~ for the very user?

py0xc3 commented 11 months ago

I found the origin of the inappropriate automatic labeling and thus the unintended SELinux denials: the superordinated directory outside ~ that does belong to the user just like ~ needs to be user_home_dir_t (with "dir" in the middle; just like ~) instead of user_home_t. This will ensure that auto-labeling is done properly in subordinated paths so that everything works and remains aligned.

The issue that dolphin breaks in these operations (which are still possible even with the improper auto-labeling when user_home_dir_t is not set, as is proven by, e.g., mc) seems to occur just because dolphin does not consider the output it gets in this situation; thus the dolphin issue is not related to this topic as long as dolphin is not intended to officially support confined user accounts.

Another advantage achieved that way is that I can now also downgrade my user privileges to staff_u and user_u.

However, there is nearly no documentation available about the dynamics/differences of user_home_dir_t and user_home_t, and nearly nothing about user_home_dir_t at all. I am not sure if that would be something to forward upstream?

However, this labeling solves the topic for me. I assume it does not need a general adjustment for Fedora because this use case/situation does not appear on default Fedora installations. It would be just good to have some documentation about it at some time (I am sure that I am not the only one who works sometimes outside ~ from within a normal user account).
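As an added example (not part of this issue thread or of selinux-policy), the following Python triage script ties together zpytela's point that a default_t target means "no file-context pattern matched" and the fix py0xc3 arrived at (user_home_dir_t on the user-owned top-level directory outside ~). It parses AVC lines in the format quoted above, classifies a denial whose target type is default_t as a labeling problem rather than a policy gap, and emits the relabel commands instead of the audit2allow stopgap that setroubleshoot's catchall plugin suggests. The sample lines are constructed and modelled on the denials in this issue; the `owner_dir` parameter, the `-f d` directory-only spec and the extra user_home_t spec for existing content (so restorecon does not leave it at default_t) are my assumptions, as the issue only states that the directory itself must be user_home_dir_t.

```python
"""Triage SELinux AVC denials: mislabeled target (default_t) versus a real policy gap."""
import re
import shlex
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, List, Optional

# Constructed sample lines modelled on the denials quoted in this issue; paths and inodes are placeholders.
SAMPLE_DENIALS = [
    'audit[2731]: AVC avc:  denied  { read } for  pid=2731 comm="dbus-broker" '
    'path="/non-home-dir/foldername/folder1/somespreadsheet.ods" dev="dm-1" ino=193619199 '
    'scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0 tcontext=sysadm_u:object_r:default_t:s0 tclass=file permissive=0',
    # Constructed contrast case: the target already carries a proper type, so relabeling would not help.
    'audit[2731]: AVC avc:  denied  { read write } for  pid=2731 comm="dbus-broker" '
    'path="/etc/example.conf" dev="dm-1" ino=42 '
    'scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


@dataclass
class Denial:
    perms: tuple
    fields: Dict[str, str]

    @property
    def path(self) -> Optional[str]:
        return self.fields.get("path")

    @property
    def source_type(self) -> str:
        # A context is user:role:type[:range]; the type is the third field.
        return self.fields["scontext"].split(":")[2]

    @property
    def target_type(self) -> str:
        return self.fields["tcontext"].split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Return the parsed denial, or None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group("perms").split())
    fields = {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(m.group("fields"))}
    if "scontext" not in fields or "tcontext" not in fields:
        return None
    return Denial(perms=perms, fields=fields)


def classify(d: Denial) -> str:
    """default_t is the fallback type for objects no file-context pattern matched: fix the label, not the policy."""
    return "mislabeled-target" if d.target_type == "default_t" else "policy-gap"


def remediation(d: Denial, owner_dir: str) -> List[str]:
    """Commands to run as root. owner_dir (assumption) is the user-owned top-level directory outside ~."""
    q = shlex.quote
    if classify(d) == "mislabeled-target":
        if d.path is None:
            raise ValueError("denial carries no path; cannot plan a relabel")
        p, root = PurePosixPath(d.path), PurePosixPath(owner_dir)
        if root not in p.parents:
            raise ValueError(f"{p} is not under {root}; pick the directory that actually contains it")
        return [
            # The directory itself gets user_home_dir_t, so files created below it are auto-labeled
            # like files created in ~ (the fix reported in this issue). -f d restricts the spec to dirs.
            f"semanage fcontext -a -f d -t user_home_dir_t {q(str(root))}",
            # Assumption: existing content still at default_t needs its own spec for restorecon to move it.
            f"semanage fcontext -a -t user_home_t {q(str(root) + '/.+')}",
            f"restorecon -Rv {q(str(root))}",
            f"ls -Zd {q(str(root))} {q(str(p))}",  # verify: expect user_home_dir_t and user_home_t
        ]
    # A real policy gap: report it; a local module is only the stopgap setroubleshoot's catchall offers.
    return [
        f"ausearch -c {q(d.fields.get('comm', ''))} --raw | audit2allow -M my-{d.source_type}",
        f"semodule -X 300 -i my-{d.source_type}.pp",
    ]


if __name__ == "__main__":
    for line in SAMPLE_DENIALS:
        d = parse_avc(line)
        if d:
            print(classify(d), d.source_type, "->", d.target_type, d.perms)
            print("\n".join("  " + c for c in remediation(d, "/non-home-dir/foldername")))
```

Feeding it `ausearch -m AVC --raw` output instead of the constructed samples gives the same classification per line; the point is to check the target type before reaching for audit2allow, since a module generated from a default_t denial would grant the source domain access to default_t everywhere.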