Bubblewrap tries to create a new temp area to securely create a thumbnail for the PDF file you just downloaded. What you are seeing here is the creation of a new file-system in /tmp, the mount of it, the creation of the thumbnail and the tear-down of that new mini file-system.
As you’re running in permissive mode it’s allowed to do this, but you get these warnings.
The thumb_t context needs to be amended to permit bubblewrap to faff about with miniature file-systems to securely whip up a thumbnail of the pdf. I imagine someone will get around to this eventually, or you can use audit2allow to build it yourself.
Actually I am running on “enforcing” and not permissive… So that is what is strange. When I get these alerts they are only notifications and not actual denials because the process actually works and the thumbnail appears…
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 35
Also I am aware that I could build a module but since this is just a nuisance more than anything I am just letting it be for now. And hopefully it will be addressed at some time. If you look at the Bugzilla page and do the search for “bwrap SELinux” then you will see someone else who reported a bug where all of their thumbnails in Thunar disappeared after a recent update. Same thing, he was having an issue with mounton. However, the only way that he could get the thumbnails to show up was to go to permissive. So his bug report is still active. At least I am only getting a “notify” so things still work. Just wanting to drill down and have someone figure out what the actual issue is because this is a bit over my head frankly.
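An added example, not part of any post in this thread: each AVC record ends with a permissive= field that says whether the access was actually blocked (0) or only logged (1), and a 1 can appear on an enforcing system when the source domain itself is marked permissive. The sketch below sorts AVC records by that field so "alert but it still works" can be told apart from a real denial. The log lines, tmp_t, example_t and the "example" process are constructed for illustration; whether thumb_t is a permissive domain on this system is not established by the thread.

```python
import re
from collections import defaultdict

# Constructed AVC records in the kernel audit format (not taken from the thread).
SAMPLE_AVCS = """\
type=AVC msg=audit(1700000000.101:501): avc:  denied  { mounton } for  pid=4242 comm="bwrap" path="/tmp" dev="tmpfs" ino=1 scontext=unconfined_u:unconfined_r:thumb_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000000.105:502): avc:  denied  { mounton } for  pid=4242 comm="bwrap" path="/tmp" dev="tmpfs" ino=1 scontext=unconfined_u:unconfined_r:thumb_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1700000100.200:610): avc:  denied  { write } for  pid=5000 comm="example" name="x" dev="tmpfs" ino=9 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=0
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
OUTCOME = {"1": "logged_only", "0": "blocked"}  # value of the permissive= field


def selinux_type(context):
    """Return the type from a user:role:type[:level] context string."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def summarize(log_text):
    """Count AVC records per (comm, source type, target type, class, perm)
    and split them by whether the access was blocked or only logged."""
    summary = defaultdict(lambda: {"logged_only": 0, "blocked": 0, "unknown": 0})
    for line in log_text.splitlines():
        perms = PERMS_RE.search(line)
        if not perms:
            continue  # not an AVC denial record
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        # Older kernels omit permissive=; report that as unknown, not blocked.
        outcome = OUTCOME.get(f.get("permissive"), "unknown")
        for perm in perms.group(1).split():
            key = (f.get("comm", "?"), selinux_type(f.get("scontext", "?")),
                   selinux_type(f.get("tcontext", "?")), f.get("tclass", "?"), perm)
            summary[key][outcome] += 1
    return dict(summary)


if __name__ == "__main__":
    for key, counts in summarize(SAMPLE_AVCS).items():
        print(key, counts)
```

On a real system the input would be the text printed by `ausearch -m AVC -ts recent` instead of the constructed sample.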
I noticed that. Don’t know why that is the case. My son did apply a patch when volumeicon was not showing up in the panel. I have no idea if the two are related. As you can see from the sestatus that I ran the system is in enforcing overall…
I am 100% aware of the fact that a module can be built. But since this is such a rare thing and functionality is not impacted, I have decided to just let it go for now and maybe someone will get around to fixing the SELinux policy in the future. One crazy thing is how much bubblewrap has been affecting things along with SELinux. When I first updated to 43 there was the issue with volumeicon not showing up in the tray. My son tracked that down to an issue with bubblewrap and it getting stuck in a loop because of a child process (or something like that). This was discussed here…
After that I saw that thumbnails were not being generated so when I did some research it was noticed that installing glycin-thumbnailer would fix that issue, which it did. But then I was getting SELinux alerts every time I took a screenshot. That issue was related to systemd-homed and disabling that service fixed that problem. Now I am on to the last issue and this is it. Thanks to everyone for helping. Will see if it does in fact get fixed in the future.
Yeah, the whole preloading of libgdk_pixbuf was not the solution, even though that is showing up in the preview to that thread. Also I do not have the libgdk_pixbuf-thumbnailer installed. I am using the glycin-thumbnailer.
Finally, one month after upgrading to Fedora 43 I can say that I was able to download a PDF file without getting an SELinux Alert. Also I was able to copy and paste a PDF file with the same result. The reason I tested it tonight is because I saw that there was a SELinux policy update coming through. So after doing the updates I decided to test things and can happily say that the issue has now gone away.