Description of problem:
Following https://fedoraproject.org/wiki/Changes/Default_Local_DNS_Resolver#How_To_Test
When I got to
$ sudo systemctl enable dnssec-triggerd.service
I received this AVC

SELinux is preventing dnssec-trigger- from 'search' accesses on the directory /etc/NetworkManager.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that dnssec-trigger- should be allowed search access on the NetworkManager directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dnssec-trigger- /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:object_r:NetworkManager_etc_t:s0
Target Objects                /etc/NetworkManager [ dir ]
Source                        dnssec-trigger-
Source Path                   dnssec-trigger-
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           dhcp-client-4.3.2-2.fc22.x86_64
                              initscripts-9.62-1.fc22.x86_64
                              NetworkManager-1.0.2-1.fc22.x86_64
                              NetworkManager-config-connectivity-fedora-1.0.2-1.fc22.x86_64
Policy RPM                    selinux-policy-3.13.1-128.1.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.4-303.fc22.x86_64 #1 SMP Thu May 28 12:37:06 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-06-15 08:19:02 EDT
Last Seen                     2015-06-15 08:19:02 EDT
Local ID                      16acf11e-b1c0-4c13-8352-30240f9febaf

Raw Audit Messages
type=AVC msg=audit(1434370742.848:728): avc: denied { search } for pid=9756 comm="dnssec-trigger-" name="NetworkManager" dev="dm-1" ino=786451 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:NetworkManager_etc_t:s0 tclass=dir permissive=0

Hash: dnssec-trigger-,dnssec_trigger_t,NetworkManager_etc_t,dir,search

Version-Release number of selected component:
selinux-policy-3.13.1-128.1.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-303.fc22.x86_64
type:           libreport
Description of problem:
dnssec-trigger-script checks NetworkManager configuration, which is located in /etc/NetworkManager/, to determine if NM is handling the /etc/resolv.conf. Thus dnssec-trigger should be able to do that.

Version-Release number of selected component:
selinux-policy-3.13.1-128.1.fc22.noarch

Additional info:
reporter:       libreport-2.6.0
hashmarkername: setroubleshoot
kernel:         4.0.5-300.fc22.x86_64
type:           libreport
*** Bug 1235289 has been marked as a duplicate of this bug. ***
*** Bug 1235290 has been marked as a duplicate of this bug. ***
commit 3ab83c12ec8513ef0df2fb88c25b69685a5f15b6
Author: Lukas Vrabec <lvrabec>
Date:   Fri Jun 26 11:13:52 2015 +0200

    Allow dnssec_trigger_t read networkmanager conf files. BZ(1231798)

commit 40ff8d408a822ccd1a4c2597c24c06a156cfc793
Author: Lukas Vrabec <lvrabec>
Date:   Fri Jun 26 11:10:49 2015 +0200

    Allow in networkmanager_read_conf() also read NetworkManager_etc_rw_t files. BZ(1231798)
selinux-policy-3.13.1-128.4.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-128.4.fc22
Package selinux-policy-3.13.1-128.4.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.13.1-128.4.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-10974/selinux-policy-3.13.1-128.4.fc22
then log in and leave karma (feedback).
Description of problem:
upgrade to F22 workstation from F20 (with fedup)
dnf install dnssec-trigger
systemctl start dnssec-triggerd

Version-Release number of selected component:
selinux-policy-3.13.1-128.2.fc22.noarch

Additional info:
reporter:       libreport-2.6.0
hashmarkername: setroubleshoot
kernel:         4.0.6-300.fc22.x86_64
type:           libreport
1. Update selinux-policy package.
2. Use:
# restorecon -R -v /
to fix labels.
selinux-policy-3.13.1-128.4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.