SELinux + ffmpegthumbnailer = how to make it work?

I have Fedora 35 Cinnamon Spin installed.

I’d like to see embedded cover arts as thumbnails for mkv files. This is possible using ffmpegthumbnailer with the flag -m.

So I installed the thumbnailer and modified its config. However, it doesn’t work: Nemo doesn’t show any thumbnail after installing it, not even without the flag -m.

When running the thumbnailer from a terminal, it gives an error:

tonyrulez@fedora:~/Video$ ffmpegthumbnailer -i sample.mkv  -o test1.png
Error: Failed to open output file: test1.png

At the same time, SELinux alert pops up. It tells me to add a rule for it to work, so I do as it tells me:

ausearch -c 'ffmpegthumbnail' --raw | audit2allow -M my-ffmpegthumbnail
semodule -i my-ffmpegthumbnail.pp

The thumbnail still doesn’t work, not even after a complete restart of the system. What am I doing wrong?

I am not a selinux expert, but I think it would help if you could show the output of ausearch -c 'ffmpegthumbnail'. Then maybe some real expert can have a look at the message and see if it makes sense.

And while you are at it: run ls -Z ~/Videos and post the output, restricted to the files in question. Normally it should look something like
-rw-rw-r--. 1 laolux laolux unconfined_u:object_r:user_home_t:s0 136M 9 1 2020 sample.mkv

tonyrulez@fedora:~/Videos$ sudo ausearch -c 'ffmpegthumbnail'
----
time->Sat Apr 23 07:05:46 2022
type=AVC msg=audit(1650690346.065:363): avc:  denied  { add_name } for  pid=6379 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
----
time->Sat Apr 23 07:07:29 2022
type=AVC msg=audit(1650690449.606:402): avc:  denied  { add_name } for  pid=7179 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
----
time->Sat Apr 23 07:10:35 2022
type=AVC msg=audit(1650690635.627:417): avc:  denied  { add_name } for  pid=7836 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
----
time->Sat Apr 23 07:10:48 2022
type=AVC msg=audit(1650690648.451:430): avc:  denied  { dac_override } for  pid=7860 comm="ffmpegthumbnail" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability permissive=0
----
time->Sat Apr 23 07:13:27 2022
type=AVC msg=audit(1650690807.295:457): avc:  denied  { add_name } for  pid=8100 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
----
time->Sat Apr 23 07:14:03 2022
type=AVC msg=audit(1650690843.940:494): avc:  denied  { add_name } for  pid=8887 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
----
time->Sat Apr 23 07:17:18 2022
type=AVC msg=audit(1650691038.535:516): avc:  denied  { add_name } for  pid=9547 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
----
time->Sat Apr 23 07:18:05 2022
type=AVC msg=audit(1650691085.899:533): avc:  denied  { create } for  pid=9583 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Sat Apr 23 07:18:15 2022
type=AVC msg=audit(1650691095.791:537): avc:  denied  { create } for  pid=9598 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Sat Apr 23 07:29:04 2022
type=AVC msg=audit(1650691744.885:542): avc:  denied  { create } for  pid=9762 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Sat Apr 23 07:36:41 2022
type=AVC msg=audit(1650692201.486:225): avc:  denied  { create } for  pid=1876 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
----
time->Sat Apr 23 08:41:06 2022
type=AVC msg=audit(1650696066.585:229): avc:  denied  { create } for  pid=1902 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
tonyrulez@fedora:~/Videos$ ls -Z ~/Videos
unconfined_u:object_r:user_home_t:s0 sample.mkv

Hi @tonyrulez, welcome to Ask Fedora! Please have a look at "New users! Start here! - Ask Fedora" when you have a moment.

You can try outputting to ~/.cache/thumbnails/ or ~/.cache/thumbnails/normal vice videos. I’m not sure where Cinnamon/nemo normally puts them.

Sometimes it can take multiple attempts to get SELinux local policy modules working; for this one on my machine (F36/Gnome) it took three before the rule worked. I’d make the rule, try the command, receive an additional SEALERT, and update the rule again.

Hi @grumpey, you are correct! I had no idea I have to run the selinux commands multiple times. After 3 tries it finally generated the thumbnail without an error, and in Nemo the thumbnails also started showing up.

… Apologies, just figured this out:
put selinux in permissive mode
sudo setenforce 0
command that’s causing you problems
and then generate the local policy module with all of the denials vice repeating it over and over again.

and then put selinux back in enforcing
sudo setenforce 1
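
Added example, not part of the original posts: in enforcing mode an operation stops at the first permission SELinux denies, so each run logs only the next denial, which is why the module had to be regenerated several times. The Python sketch below groups AVC records copied from the ausearch output above into the allow rules a local module would need, so they can be reviewed before loading; the function names are illustrative.

```python
import re
from collections import defaultdict

# Three AVC records copied from the ausearch output posted in this thread.
SAMPLE = """\
type=AVC msg=audit(1650690346.065:363): avc:  denied  { add_name } for  pid=6379 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1650690648.451:430): avc:  denied  { dac_override } for  pid=7860 comm="ffmpegthumbnail" capability=1  scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1650691085.899:533): avc:  denied  { create } for  pid=9583 comm="ffmpegthumbnail" name="test1.png" scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Denied permissions, source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field (third colon-separated part) of a context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src, tgt = selinux_type(m["scon"]), selinux_type(m["tcon"])
        if src == tgt:
            tgt = "self"  # policy-language keyword for same-type rules
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(rules)

def allow_rules(rules):
    """Render the grouped denials as allow statements, sorted for review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE)):
        print(rule)
```

dac_override is the capability that bypasses ordinary file permission checks, so that rule deserves a look before the module is installed.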