freedomofpress / dangerzone

Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs
https://dangerzone.rocks/
GNU Affero General Public License v3.0
3.72k stars 172 forks

Unable to convert pdf #127

Closed sareporter closed 2 weeks ago

sareporter commented 3 years ago

I'm using Fedora 34. Attempting to convert a PDF results in a "Converting document to pixels" message, then after a few seconds, Dangerzone stops working with a "Failed :(" message. I also see a "Return Code 1" if that's relevant.

Thanks for any help you can offer ...

iruukaa commented 3 years ago

I encountered the same issue and it looks like the culprit is a standard SELinux policy in Fedora. Here's the AVC denial:

SELinux is preventing python3 from read access on the file HS#47_Digital.pdf.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python3 should be allowed read access on the HS#47_Digital.pdf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'python3' --raw | audit2allow -M my-python3
# semodule -X 300 -i my-python3.pp

Additional Information:
Source Context                system_u:system_r:container_t:s0:c201,c616
Target Context                unconfined_u:object_r:data_home_t:s0
Target Objects                HS#47_Digital.pdf [ file ]
Source                        python3
Source Path                   python3
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.21-1.fc34.noarch
Local Policy RPM              selinux-policy-targeted-34.21-1.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux laptop 5.14.9-200.fc34.x86_64 #1 SMP x86_64 x86_64
Alert Count                   1
First Seen                    (removed)
Last Seen                     (removed)
Local ID                      305734d5-3f39-4b8b-884c-2c59477fb71b

Raw Audit Messages
type=AVC msg=audit(1634596624.535:708): avc:  denied  { read } for  pid=26871 comm="python3" name="HS#47_Digital.pdf" dev="dm-0" ino=35365 scontext=system_u:system_r:container_t:s0:c201,c616 tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file permissive=0

Hash: python3,container_t,data_home_t,file,read

The policy generated by ausearch -c 'python3' --raw | audit2allow -M my-python3 did not work for me. After loading it, dangerzone threw an error that the file is not supported.

When SELinux is put into permissive mode it works, but that's no proper solution. And I currently do not understand SELinux enough to find one.

Maybe @micahflee can take a look at it.

apyrgio commented 2 weeks ago

I believe we won't encounter this issue in the upcoming 0.8.0 release, since we no longer mount files to the Podman container, which was the underlying issue of our SELinux woes. See also https://github.com/freedomofpress/dangerzone/issues/880 for our work on making sure that Dangerzone works on systems with SELinux in enforcing mode.

If the upcoming 0.8.0 release does not fix this problem, feel free to reopen this issue.
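
Added example, not part of the original thread and not Dangerzone code: a small Python parser for the raw AVC record quoted above, which splits out the source and target contexts and flags the pattern discussed here (a `container_t` process denied on a file that still carries a host label). The `triage` wording and the two-entry set of container file types are assumptions of this sketch.

```python
import re

# Raw AVC record copied from the sealert output quoted in this thread.
SAMPLE = ('type=AVC msg=audit(1634596624.535:708): avc:  denied  { read } for  '
          'pid=26871 comm="python3" name="HS#47_Digital.pdf" dev="dm-0" ino=35365 '
          'scontext=system_u:system_r:container_t:s0:c201,c616 '
          'tcontext=unconfined_u:object_r:data_home_t:s0 tclass=file permissive=0')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# File types from container-selinux that container_t may read; used here as the
# "labelled for containers" set (assumption: deliberately not a complete list).
CONTAINER_FILE_TYPES = {"container_file_t", "container_ro_file_t"}

def parse_context(ctx):
    """Split user:role:type[:sensitivity[:categories]] into its parts."""
    parts = ctx.split(":", 3)
    level = parts[3] if len(parts) > 3 else ""
    sens, _, cats = level.partition(":")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "sensitivity": sens, "categories": cats.split(",") if cats else []}

def parse_avc(line):
    """Return the decoded AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"result": m.group("result"), "perms": m.group("perms").split(),
            "comm": fields.get("comm"), "name": fields.get("name"),
            "tclass": fields.get("tclass"),
            "permissive": fields.get("permissive") == "1",
            "source": parse_context(fields["scontext"]),
            "target": parse_context(fields["tcontext"])}

def triage(avc):
    """Return (finding, blocked); blocked is True only for an enforced denial."""
    blocked = avc["result"] == "denied" and not avc["permissive"]
    if (avc["source"]["type"] == "container_t"
            and avc["target"]["type"] not in CONTAINER_FILE_TYPES):
        return ("container domain reached a host-labelled object", blocked)
    return ("other", blocked)

if __name__ == "__main__":
    record = parse_avc(SAMPLE)
    print(record["source"], record["target"], triage(record), sep="\n")
```
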