Description of problem: SELinux is preventing nm-dispatcher from using the 'sigkill' accesses on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that nm-dispatcher should be allowed sigkill access on processes labeled dnssec_trigger_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep nm-dispatcher /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:NetworkManager_t:s0 Target Context system_u:system_r:dnssec_trigger_t:s0 Target Objects Unknown [ process ] Source nm-dispatcher Source Path nm-dispatcher Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-105.20.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.1.4-100.fc21.x86_64 #1 SMP Tue Aug 4 03:25:05 UTC 2015 x86_64 x86_64 Alert Count 1 First Seen 2015-08-09 11:31:38 PDT Last Seen 2015-08-09 11:31:38 PDT Local ID 7d069801-82c1-47a9-8dad-7832f567edf9 Raw Audit Messages type=AVC msg=audit(1439145098.927:427): avc: denied { sigkill } for pid=1160 comm="nm-dispatcher" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:dnssec_trigger_t:s0 tclass=process permissive=0 Hash: nm-dispatcher,NetworkManager_t,dnssec_trigger_t,process,sigkill Version-Release number of selected component: selinux-policy-3.13.1-105.20.fc21.noarch Additional info: reporter: libreport-2.3.0 hashmarkername: setroubleshoot kernel: 4.1.4-100.fc21.x86_64 type: libreport Potential duplicate: bug 1228466
commit af4495dfa708290c4e0ea7c98e58f473430c0841 Author: Lukas Vrabec <lvrabec> Date: Sat Aug 22 22:33:17 2015 +0200 Allow NetworkManager send sigkill to dnssec-trigger. BZ(1251764) commit 3c679e64bb7d76c6397f0f8878e78a1fb9dd7f7a Author: Lukas Vrabec <lvrabec> Date: Sat Aug 22 22:28:32 2015 +0200 Add interface dnssec_trigger_sigkill
selinux-policy-3.13.1-105.21.fc21 has been submitted as an update to Fedora 21. https://bugzilla.redhat.com/show_bug.cgi?id=1251764
selinux-policy-3.13.1-105.21.fc21 has been pushed to the Fedora 21 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-14070
selinux-policy-3.13.1-105.21.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.