Bug 1177040 - [abrt] dnssec-trigger: subprocess.py:540:check_call:CalledProcessError: Command '['unbound-control', 'flush_zone', '.']' returned non-zero exit status 1
Summary: [abrt] dnssec-trigger: subprocess.py:540:check_call:CalledProcessError: Comma...
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 21
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:ff6e9e9ad2bc0eac558c944a4bc...
Depends On:
TreeView+ depends on / blocked
Reported: 2014-12-23 22:28 UTC by Luke Macken
Modified: 2016-09-20 02:46 UTC (History)
12 users (show)

Fixed In Version: selinux-policy-3.13.1-105.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-01-30 23:55:09 UTC
Type: ---

Attachments (Terms of Use)
File: backtrace (976 bytes, text/plain)
2014-12-23 22:28 UTC, Luke Macken
no flags Details
File: environ (200 bytes, text/plain)
2014-12-23 22:28 UTC, Luke Macken
no flags Details

Description Luke Macken 2014-12-23 22:28:10 UTC
Description of problem:
This looks to be an SELinux policy issue.

#============= named_t ==============
allow named_t dnssec_trigger_var_run_t:file write;

type=AVC msg=audit(1419349428.210:456): avc:  denied  { write } for  pid=1777 comm="unbound-control" path="/run/dnssec-trigger/lock" dev="tmpfs" ino=19158 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=0

Version-Release number of selected component:

Additional info:
reporter:       libreport-2.3.0
cmdline:        /usr/bin/python /usr/libexec/dnssec-trigger-script --update
dso_list:       python-libs-2.7.8-7.fc21.x86_64
executable:     /usr/libexec/dnssec-trigger-script
kernel:         3.17.3-300.fc21.x86_64
runlevel:       N 5
type:           Python
uid:            0

Truncated backtrace:
subprocess.py:540:check_call:CalledProcessError: Command '['unbound-control', 'flush_zone', '.']' returned non-zero exit status 1

Traceback (most recent call last):
  File "/usr/libexec/dnssec-trigger-script", line 480, in <module>
  File "/usr/libexec/dnssec-trigger-script", line 379, in run
  File "/usr/libexec/dnssec-trigger-script", line 427, in run_update
  File "/usr/libexec/dnssec-trigger-script", line 439, in run_update_global_forwarders
    subprocess.check_call(["unbound-control", "flush_zone", "."])
  File "/usr/lib64/python2.7/subprocess.py", line 540, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '['unbound-control', 'flush_zone', '.']' returned non-zero exit status 1

Local variables in innermost frame:
cmd: ['unbound-control', 'flush_zone', '.']
retcode: 1
popenargs: (['unbound-control', 'flush_zone', '.'],)
kwargs: {}

Comment 1 Luke Macken 2014-12-23 22:28:13 UTC
Created attachment 972535 [details]
File: backtrace

Comment 2 Luke Macken 2014-12-23 22:28:14 UTC
Created attachment 972536 [details]
File: environ

Comment 3 Luke Macken 2014-12-23 22:29:52 UTC
Running selinux-policy-3.13.1-103.fc21

Comment 4 Daniel Walsh 2015-01-02 12:36:46 UTC
c3a68da7f1ca09c95747480655044857ac46f452 allows this in git.

Comment 5 Fedora Update System 2015-01-27 16:49:46 UTC
selinux-policy-3.13.1-105.fc21 has been submitted as an update for Fedora 21.

Comment 6 Fedora Update System 2015-01-30 04:32:41 UTC
Package selinux-policy-3.13.1-105.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-105.fc21'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2015-01-30 23:55:09 UTC
selinux-policy-3.13.1-105.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.