Description of problem:
Not sure. Booted at a coffeeshop, got on the network, dnssec-trigger prompted me for a hotspot login. I might just be a little sensitive to bash denials now :)

Version-Release number of selected component (if applicable):
dnssec-trigger-0.12-13.fc20.x86_64
unbound-1.4.22-5.fc20.x86_64

paul@thinkpad:~$ sudo sealert -l 4bf086b5-8b34-4d7f-bc82-296717a59804
SELinux is preventing /usr/bin/bash from read access on the file .

***** Plugin catchall (100. confidence) suggests **************************

If you believe that bash should be allowed read access on the file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:object_r:named_exec_t:s0
Target Objects                [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          thinkpad.nohats.ca
Source RPM Packages           bash-4.2.47-4.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-183.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     thinkpad.nohats.ca
Platform                      Linux thinkpad.nohats.ca 3.15.9-200.fc20.x86_64 #1 SMP Sat Aug 9 09:02:55 UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-09-26 11:48:40 EDT
Last Seen                     2014-09-26 11:49:30 EDT
Local ID                      4bf086b5-8b34-4d7f-bc82-296717a59804

Raw Audit Messages
type=AVC msg=audit(1411746570.823:505): avc: denied { read } for pid=3421 comm="sh" name="unbound-control" dev="dm-2" ino=1773164 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:named_exec_t:s0 tclass=file

type=SYSCALL msg=audit(1411746570.823:505): arch=x86_64 syscall=access success=yes exit=0 a0=b3ebd0 a1=4 a2=7ffffda04490 a3=12 items=0 ppid=1804 pid=3421 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:dnssec_trigger_t:s0 key=(null)

Hash: sh,dnssec_trigger_t,named_exec_t,file,read
Looks like bash is called from dnssec-triggerd and wants to access unbound-control. That would happen when dnssec-trigger calls unbound-control in ubhook.c to configure unbound forward zones and other stuff. I think there's no relation to dnssec-trigger-script as that build of dnssec-trigger doesn't call it directly from the daemon but later builds do, so there's a risk that this issue will get broader. We'll need to watch for it, taking it for now because of the above. If you still have the logs, are there any details just after the selinux alert? The ubhook.c would normally report failures.
This looks like a duplicate of bug #1147705 except for the Fedora branch. Not sure whether it's practical to merge them or keep them separate.
Hi folks, could you please tell me about the differences from bug #1147705 and explain the empty or "." file name in this case? From the dnssec-triggerd side, we're just calling "system()" which in turn starts a shell with "unbound-control" plus some arguments as the command.
IMO, system() should be avoided. Can you call fork()+exec() on unbound-control instead and avoid the intermediate bash process completely?
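The fork()+exec() approach suggested in this comment, as an added example that is not part of the thread or of dnssec-trigger's source: `run_helper` runs a binary with an explicit argument vector and no intermediate shell. The `set_forwarder` call site, the `/usr/sbin/unbound-control` path and its arguments are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Run `path` with `argv` via fork()+execv(). Unlike system(), no /bin/sh is
 * started: the arguments are never parsed by a shell, and the only new
 * process is the helper itself.
 *
 * Returns the helper's exit status (0-255), 127 if execv() failed,
 * 128+signal if the helper was killed by a signal, or -1 on fork/wait error.
 */
int run_helper(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        execv(path, argv);  /* absolute path, so no PATH search either */
        _exit(127);         /* reached only when execv() failed */
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR) /* retry only when interrupted by a signal */
            return -1;
    }

    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    if (WIFSIGNALED(status))
        return 128 + WTERMSIG(status);
    return -1;
}

/*
 * Hypothetical call site (assumption, not dnssec-trigger code): the address
 * is passed as its own argv element, so shell metacharacters in it are inert.
 */
int set_forwarder(const char *forwarder_ip)
{
    char *const argv[] = {
        "unbound-control", "forward", (char *)forwarder_ip, NULL
    };
    return run_helper("/usr/sbin/unbound-control", argv);
}

/* Stand-alone use: ./run_helper /absolute/path/to/binary [args...] */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /absolute/path [args...]\n", argv[0]);
        return 2;
    }
    int rc = run_helper(argv[1], &argv[1]);
    if (rc < 0) {
        perror("run_helper");
        return 1;
    }
    return rc;
}
```

The calling daemon still needs permission in its own SELinux domain to execute the helper; what changes is that no `sh` process sits between the two.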
(In reply to Charles R. Anderson from comment #4)
> IMO, system() should be avoided. Can you call fork()+exec() on
> unbound-control instead and avoid the intermediate bash process completely?

I don't think we're going to fix this any time soon as this is how upstream works and has worked for a while now. But we can consider it when we know why bash is a problem here. Anyway I'm curious why this hasn't been reported by others with later versions of the package. Is there a possibility that this has been already fixed?
(In reply to Pavel Šimerda (pavlix) from comment #3)
> Hi folks, could you please tell me about the differences from bug #1147705
> and explain the empty or "." file name in this case? From the
> dnssec-triggerd side, we're just calling "system()" which in turn starts a
> shell with "unbound-control" plus some arguments as the command.

The only difference is the old version of Fedora. In this case there is also an old version of the selinux-policy package. Paul, you need to update the selinux-policy package, we allowed this rule.
lukas: ok, that's good enough for me.
I think I got this bug in FC22. Please reopen if you feel appropriate. I wasn't working with the iso file, so I don't know what caused this alert. The SELinux details are below:

"SELinux is preventing pool from read access on the file antiX-15-V_x64-base.iso.

***** Plugin mozplugger (93.0 confidence) suggests ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

***** Plugin catchall_labels (6.67 confidence) suggests *******************

If you want to allow pool to have read access on the antiX-15-V_x64-base.iso file
Then you need to change the label on antiX-15-V_x64-base.iso
Do
# semanage fcontext -a -t FILE_TYPE 'antiX-15-V_x64-base.iso'
where FILE_TYPE is one of the following:
Then execute:
restorecon -v 'antiX-15-V_x64-base.iso'

***** Plugin catchall (1.73 confidence) suggests **************************

If you believe that pool should be allowed read access on the antiX-15-V_x64-base.iso file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pool /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:unlabeled_t:s0
Target Objects                antiX-15-V_x64-base.iso [ file ]
Source                        pool
Source Path                   pool
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.8.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.1.4-200.fc22.x86_64 #1 SMP Tue Aug 4 03:22:33 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-08-12 08:45:57 EDT
Last Seen                     2015-08-12 08:45:57 EDT
Local ID                      1c1bc8b5-57ca-4221-89fe-b1274111b1c8

Raw Audit Messages
type=AVC msg=audit(1439383557.542:600): avc: denied { read } for pid=3545 comm="pool" name="antiX-15-V_x64-base.iso" dev="dm-2" ino=262253 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0

Hash: pool,mozilla_plugin_t,unlabeled_t,file,read "
Where is this iso? You should just need to run restorecon on it. What firefox plugin is reading an ISO?