Description of problem: dnssec-trigger causes selinux fail on /run/dnssec-trigger/lock on connect. It all works, but the warning is annoying.  Version-Release number of selected component (if applicable): dnssec-trigger-0.12-15.fc21.x86_64 selinux-policy-3.13.1-103.fc21.noarch selinux-policy-targeted-3.13.1-103.fc21.noarch How reproducible: every time Steps to Reproduce: 1. enable dnssec-trigger 2. connect to network 3. observe the selinux alert in your message tray 4. be somewhat relieved that dns is still actually working Actual results: selinux alert with no obvious resolution (without rolling my own policy file) Expected results: silence Additional info: output of sealert -l SELinux is preventing /usr/sbin/unbound-control from write access on the file /run/dnssec-trigger/lock. ***** Plugin leaks (86.2 confidence) suggests ***************************** If you want to ignore unbound-control trying to write access the lock file, because you believe it should not need this access. Then you should report this as a bug. You can generate a local policy module to dontaudit this access. Do # grep /usr/sbin/unbound-control /var/log/audit/audit.log | audit2allow -D -M mypol # semodule -i mypol.pp ***** Plugin catchall (14.7 confidence) suggests ************************** If you believe that unbound-control should be allowed write access on the lock file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep unbound-control /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:named_t:s0 Target Context system_u:object_r:dnssec_trigger_var_run_t:s0 Target Objects /run/dnssec-trigger/lock [ file ] Source unbound-control Source Path /usr/sbin/unbound-control Port <Unknown> Host (my host omitted) Source RPM Packages unbound-1.5.1-2.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-103.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (my host) Platform Linux (my host) 3.17.7-300.fc21.x86_64 #1 SMP Wed Dec 17 03:08:44 UTC 2014 x86_64 x86_64 Alert Count 137 First Seen 2015-01-15 21:55:38 PST Last Seen 2015-01-16 13:13:11 PST Local ID (omitted) Raw Audit Messages type=AVC msg=audit(1421442791.666:39108): avc: denied { write } for pid=15625 comm="unbound-control" path="/run/dnssec-trigger/lock" dev="tmpfs" ino=24587 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:dnssec_trigger_var_run_t:s0 tclass=file permissive=0 type=SYSCALL msg=audit(1421442791.666:39108): arch=x86_64 syscall=execve success=yes exit=0 a0=1e821e0 a1=1e803e0 a2=7fff817770e8 a3=30 items=0 ppid=15613 pid=15625 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=unbound-control exe=/usr/sbin/unbound-control subj=system_u:system_r:named_t:s0 key=(null) Hash: unbound-control,named_t,dnssec_trigger_var_run_t,file,write
*** This bug has been marked as a duplicate of bug 1147705 ***
dnssec-trigger-0.12-18.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/FEDORA-2015-1279/dnssec-trigger-0.12-18.fc21
This issue should be fixed in the current dnssec-trigger package. Please test and reopen if the package does not fix the issue for you.
will do.
It's hard to prove a negative, but the problem seems fixed. (I haven't seen the messages since dnssec-trigger-0.12-16.fc21.) THanks!