Bug 1223110 - Multiple SELinux alerts on start or stop of dnssec-triggerd
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnssec-trigger
Version: 22
Hardware: x86_64
OS: Linux
Assignee: Tomáš Hozza
QA Contact: Fedora Extras Quality Assurance
Depends On: 1213062 1227397
Blocks: Default_Local_DNS_Resolver
 
Reported: 2015-05-19 21:30 UTC by Daniel Seither
Modified: 2015-07-30 01:12 UTC

Fixed In Version: dnssec-trigger-0.13-0.1.20150714svn.fc22
Doc Type: Bug Fix
Last Closed: 2015-07-30 01:12:46 UTC
Type: Bug


Attachments
Output of sealert -a /var/log/audit/audit.log > audit.txt (31.44 KB, text/plain)
2015-05-19 21:30 UTC, Daniel Seither
Output of sealert with version 0.13-0.1.20150714svn.fc22 installed (17.20 KB, text/plain)
2015-07-15 14:39 UTC, Daniel Seither

Description Daniel Seither 2015-05-19 21:30:44 UTC
Created attachment 1027410
Output of sealert -a /var/log/audit/audit.log > audit.txt

Description of problem:
When I start or stop dnssec-triggerd, I get a lot of SELinux alerts. They are triggered by dnssec-trigger- (notice the trailing dash), systemctl and gmain.

Version-Release number of selected component (if applicable):
dnssec-trigger 0.12-20.fc22
selinux-policy 3.13.1-126.fc22

How reproducible:
Always.

Steps to Reproduce:
1. systemctl start dnssec-triggerd
2. systemctl stop dnssec-triggerd
3. sealert -a /var/log/audit/audit.log > audit.txt

Actual results:
See attached audit.txt

Expected results:
No SELinux warnings.

Additional info:

Comment 1 Fedora Update System 2015-07-15 13:29:26 UTC
dnssec-trigger-0.13-0.1.20150714svn.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/dnssec-trigger-0.13-0.1.20150714svn.fc22

Comment 2 Daniel Seither 2015-07-15 14:38:10 UTC
With dnssec-trigger-0.13-0.1.20150714svn.fc22, things have improved in that systemctl start dnssec-triggerd doesn't trigger any SELinux alerts anymore. However, systemctl stop still does. I'll upload a new audit log in a few seconds to show the remaining entries.

Comment 3 Daniel Seither 2015-07-15 14:39:58 UTC
Created attachment 1052375
Output of sealert with version 0.13-0.1.20150714svn.fc22 installed

Comment 4 Tomáš Hozza 2015-07-15 14:57:33 UTC
There is one unresolved issue in SELinux policy Bug #1242578. I reworked the shutting down so that dnssec-trigger-script now sends SIGHUP to NM instead of calling systemctl.

However, from the attached file it seems that dnssec-trigger still calls systemctl.

What version of NetworkManager and NetworkManager-glib do you have installed? It should be higher than 1.0.3. Can you possibly update it from updates testing if it is older? Thanks!

Comment 5 Daniel Seither 2015-07-15 16:25:15 UTC
You are right, I had NM 1.0.2. After upgrading to 1:1.0.4-0.4.git20150713.38bf2cb0.fc22, when trying to stop dnssec-trigger, I get a lot more alerts than before (198 vs. 9), but they are the same as in Bug #1242578 (a lot of pidof warnings, and one for a signal to NM).

Thanks!
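
Added example, not part of the original bug thread or of the dnssec-trigger project: a shell helper that groups the AVC denials in an audit log by command name, permission and object class, which helps when comparing runs like the ones described in the report and in Comment 5. The sample records, their SELinux contexts and the function names are constructed for illustration; `comm_of` shows that the kernel's 15-character comm field records an executable named dnssec-trigger-script as dnssec-trigger-.

```shell
#!/bin/sh
# Added example: group SELinux AVC denials by command name (comm).

# Constructed records in audit.log format. Timestamps, pids and SELinux
# contexts are illustrative; they are not taken from the bug's attachments.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1437000001.101:501): avc:  denied  { getattr } for  pid=2101 comm="pidof" path="/proc/1" dev="proc" ino=4026 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1437000001.101:501): arch=c000003e syscall=4 success=no exit=-13 comm="pidof" exe="/usr/sbin/pidof"
type=AVC msg=audit(1437000001.102:502): avc:  denied  { getattr } for  pid=2101 comm="pidof" path="/proc/2" dev="proc" ino=4027 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1437000001.103:503): avc:  denied  { getattr } for  pid=2101 comm="pidof" path="/proc/700" dev="proc" ino=4100 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1437000002.200:510): avc:  denied  { signal } for  pid=2100 comm="dnssec-trigger-" scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=process permissive=0
type=AVC msg=audit(1437000002.300:511): avc:  denied  { connectto } for  pid=2102 comm="systemctl" path="/run/systemd/private" scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
EOF
}

# Read audit records on stdin and print "count comm permission tclass",
# most frequent first. Non-AVC records (e.g. SYSCALL) are ignored.
avc_summary() {
    awk '
    /type=AVC/ && / denied / {
        comm = perm = tclass = "?"
        if (match($0, /comm="[^"]*"/))    comm = substr($0, RSTART + 6, RLENGTH - 7)
        if (match($0, /[{] [^}]* [}]/))   perm = substr($0, RSTART + 2, RLENGTH - 4)
        if (match($0, /tclass=[^ ]+/))    tclass = substr($0, RSTART + 7, RLENGTH - 7)
        gsub(/ /, ",", perm)   # "{ read write }" becomes "read,write"
        n[comm " " perm " " tclass]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# The kernel stores at most 15 characters of the executable name in comm,
# so longer names appear truncated in audit records.
comm_of() {
    printf '%.15s' "$1"
}

# Demo run on the constructed sample.
sample_audit_log | avc_summary
```

On a live system the same function can read the log named in the reproduction steps: `avc_summary < /var/log/audit/audit.log`.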

Comment 6 Fedora Update System 2015-07-18 02:06:28 UTC
Package dnssec-trigger-0.13-0.1.20150714svn.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing dnssec-trigger-0.13-0.1.20150714svn.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-11754/dnssec-trigger-0.13-0.1.20150714svn.fc22
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2015-07-30 01:12:46 UTC
dnssec-trigger-0.13-0.1.20150714svn.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

