Bug 1261922 - SELinux is preventing chronyd from 'read' accesses on the file resolv.conf.
SELinux is preventing chronyd from 'read' accesses on the file resolv.conf.
Status: CLOSED DUPLICATE of bug 1229788
Product: Fedora
Classification: Fedora
Component: anaconda (Show other bugs)
22
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Anaconda Maintenance Team
Fedora Extras Quality Assurance
abrt_hash:ae0be0698c91f307400399060a4...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-10 08:47 EDT by Wilf
Modified: 2015-09-28 10:17 EDT (History)
10 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-28 10:17:57 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Wilf 2015-09-10 08:47:31 EDT
Description of problem:
Just installed Fedora 22 (haven't done anything except changed which swap to use via modifying `/etc/fstab` from the Live instalL DVD, and set up networking), and it couldn't connect to the internet. Noticed that SELinux was kept throwing things, and it wasn't working due to read access on the DNS settings or something...

I did the following to fix it, but I don't think I should have needed to:

cd /etc
sudo semanage fcontext -a -t NetworkManager_tmp_t 'resolv.conf'
sudo restorecon -v 'resolv.conf'
SELinux is preventing chronyd from 'read' accesses on the file resolv.conf.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow chronyd to have read access on the resolv.conf file
Then you need to change the label on resolv.conf
Do
# semanage fcontext -a -t FILE_TYPE 'resolv.conf'
where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_tmp_t, amanda_tmp_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, auditadm_sudo_tmp_t, automount_tmp_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, chrome_sandbox_tmp_t, chronyd_exec_t, chronyd_keys_t, chronyd_tmpfs_t, chronyd_var_lib_t, chronyd_var_run_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_run_t, cobbler_tmp_t, cockpit_tmp_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_tmp_t, couchdb_tmp_t, courier_exec_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, docker_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, drbd_tmp_t, etc_runtime_t, etc_t, exim_exec_t, exim_tmp_t, fail2ban_tmp_t, fail2ban_var_lib_t, fenced_tmp_t, file_context_t, firewalld_tmp_t, firewallgui_tmp_t, fonts_cache_t, fonts_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, git_script_tmp_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gpsd_tmpfs_t, gssd_tmp_t, hostname_etc_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, ipsec_tmp_t, iptables_tmp_t, iscsi_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_tmp_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mediawiki_tmp_t, mock_tmp_t, mojomojo_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_tmp_t, mplayer_tmpfs_t, mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_tmp_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t, nova_compute_tmp_t, nova_conductor_tmp_t, nova_console_tmp_t, nova_direct_tmp_t, nova_network_tmp_t, nova_objectstore_tmp_t, nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t, ntop_tmp_t, ntpd_tmp_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_web_tmp_t, pkcs_slotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_postdrop_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, procmail_tmp_t, psad_tmp_t, pulseaudio_tmpfs_t, puppet_tmp_t, puppetmaster_tmp_t, qpidd_tmp_t, racoon_tmp_t, realmd_tmp_t, rhev_agentd_tmp_t, rhsmcertd_tmp_t, ricci_tmp_t, rlogind_tmp_t, rolekit_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_exec_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_tmp_t, speech-dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_mail_tmp_t, system_munin_plugin_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thumb_tmp_t, timemaster_tmpfs_t, timemaster_var_run_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_qemu_ga_tmp_t, virt_tmp_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, webadm_tmp_t, webalizer_tmp_t, wireshark_tmp_t, wireshark_tmpfs_t, xauth_tmp_t, xend_tmp_t, xenstored_tmp_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t. 
Then execute: 
restorecon -v 'resolv.conf'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that chronyd should be allowed read access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep chronyd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:chronyd_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                resolv.conf [ file ]
Source                        chronyd
Source Path                   chronyd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-122.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.4-301.fc22.x86_64 #1 SMP Thu
                              May 21 13:10:33 UTC 2015 x86_64 x86_64
Alert Count                   15
First Seen                    2015-09-10 12:25:40 BST
Last Seen                     2015-09-10 12:37:17 BST
Local ID                      0c785bca-a5d7-4321-b697-fc1ed8fcd24b

Raw Audit Messages
type=AVC msg=audit(1441885037.807:730): avc:  denied  { read } for  pid=4400 comm="chronyd" name="resolv.conf" dev="sda9" ino=1051176 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Hash: chronyd,chronyd_t,unlabeled_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-122.fc22.noarch

Additional info:
reporter:       libreport-2.5.1
hashmarkername: setroubleshoot
kernel:         4.0.4-301.fc22.x86_64
type:           libreport
Comment 1 Daniel Walsh 2015-09-10 09:37:08 EDT
Looks like you somehow got a mislabeled resolv.conf

Should have just run restorecon /etc/resolv.conf

Not need for the semanage line, I would remove it and rerun restorecon.

Seems to be a problem with the installation medium.  Weird.
Comment 2 Miroslav Grepl 2015-09-11 09:21:42 EDT
Yes, please run

cd /etc
sudo semanage fcontext -d -t NetworkManager_tmp_t 'resolv.conf'
sudo restorecon -v 'resolv.conf'

Also are you getting more unlabeled_t issues? 

Also the plugin does not do a good job here.
Comment 3 Wilf 2015-09-28 07:18:07 EDT
I don't think I have add any more issues from SELinux that have impacted the use of my computer (one occured due to mucking about with thumbnailers but that was it)

I ran your commands is their any difference between the `-a` and `-d` options? As far as I remember I just ran those commands that were suggested by the SELinux troubleshooter - it also listed other problems relating to /etc/resolv.conf before the chronyd one (all on this fresh install of F22):

 

SELinux is preventing avahi-daemon from 'read' accesses on the file resolv.conf.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow avahi-daemon to have read access on the resolv.conf file
Then you need to change the label on resolv.conf
Do
# semanage fcontext -a -t FILE_TYPE 'resolv.conf'
where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_tmp_t, amanda_tmp_t, anon_inodefs_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, auditadm_sudo_tmp_t, automount_tmp_t, avahi_exec_t, avahi_var_lib_t, avahi_var_run_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, chrome_sandbox_tmp_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_run_t, cobbler_tmp_t, cockpit_tmp_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_tmp_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, docker_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, drbd_tmp_t, etc_runtime_t, etc_t, exim_tmp_t, fail2ban_tmp_t, fail2ban_var_lib_t, fenced_tmp_t, file_context_t, firewalld_tmp_t, firewallgui_tmp_t, fonts_cache_t, fonts_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, git_script_tmp_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gssd_tmp_t, hostname_etc_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, ifconfig_exec_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, ipsec_tmp_t, iptables_tmp_t, iscsi_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_tmp_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mediawiki_tmp_t, mock_tmp_t, mojomojo_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_tmp_t, mplayer_tmpfs_t, mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_tmp_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t, nova_compute_tmp_t, nova_conductor_tmp_t, nova_console_tmp_t, nova_direct_tmp_t, nova_network_tmp_t, nova_objectstore_tmp_t, nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t, ntop_tmp_t, ntpd_tmp_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_web_tmp_t, pkcs_slotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, procmail_tmp_t, psad_tmp_t, pulseaudio_tmpfs_t, puppet_tmp_t, puppetmaster_tmp_t, qpidd_tmp_t, racoon_tmp_t, realmd_tmp_t, rhev_agentd_tmp_t, rhsmcertd_tmp_t, ricci_tmp_t, rlogind_tmp_t, rolekit_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_tmp_t, speech-dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thumb_tmp_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, udev_var_run_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_qemu_ga_tmp_t, virt_tmp_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, webadm_tmp_t, webalizer_tmp_t, wireshark_tmp_t, wireshark_tmpfs_t, xauth_tmp_t, xend_tmp_t, xenstored_tmp_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t. 
Then execute: 
restorecon -v 'resolv.conf'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that avahi-daemon should be allowed read access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep avahi-daemon /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:avahi_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                resolv.conf [ file ]
Source                        avahi-daemon
Source Path                   avahi-daemon
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-122.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.4-301.fc22.x86_64 #1 SMP Thu
                              May 21 13:10:33 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-10 12:25:41 BST
Last Seen                     2015-09-10 12:25:41 BST
Local ID                      32a05885-1ab6-44e3-b36a-1e050ad8183d

Raw Audit Messages
type=AVC msg=audit(1441884341.160:96): avc:  denied  { read } for  pid=619 comm="avahi-daemon" name="resolv.conf" dev="sda9" ino=1051176 scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Hash: avahi-daemon,avahi_t,unlabeled_t,file,read







SELinux is preventing dhclient from 'read' accesses on the file resolv.conf.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow dhclient to have read access on the resolv.conf file
Then you need to change the label on resolv.conf
Do
# semanage fcontext -a -t FILE_TYPE 'resolv.conf'
where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_tmp_t, NetworkManager_var_lib_t, NetworkManager_var_run_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, alsa_tmp_t, amanda_tmp_t, antivirus_tmp_t, apcupsd_tmp_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_tmp_t, auditadm_sudo_tmp_t, automount_tmp_t, awstats_tmp_t, bacula_tmp_t, bin_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, cardmgr_dev_t, ccs_tmp_t, cdcc_tmp_t, cert_t, cgroup_t, chrome_sandbox_tmp_t, chronyd_initrc_exec_t, chronyd_keys_t, chronyd_unit_file_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_run_t, cobbler_tmp_t, cockpit_tmp_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_tmp_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, crond_tmp_t, crontab_tmp_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_tmp_t, deltacloudd_tmp_t, devicekit_tmp_t, dhcp_etc_t, dhcp_state_t, dhcpc_exec_t, dhcpc_state_t, dhcpc_tmp_t, dhcpc_var_run_t, dhcpd_tmp_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, docker_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, drbd_tmp_t, etc_runtime_t, etc_t, exim_tmp_t, fail2ban_tmp_t, fail2ban_var_lib_t, fenced_tmp_t, file_context_t, firewalld_tmp_t, firewallgui_tmp_t, fonts_cache_t, fonts_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, geoclue_tmp_t, getty_tmp_t, git_script_tmp_t, gkeyringd_tmp_t, glance_registry_tmp_t, glance_tmp_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gssd_tmp_t, hostname_etc_t, hostname_exec_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, ifconfig_exec_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_run_t, insmod_exec_t, ipsec_tmp_t, iptables_tmp_t, iscsi_tmp_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_tmp_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5kdc_tmp_t, ktalkd_tmp_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mediawiki_tmp_t, mock_tmp_t, mojomojo_tmp_t, mongod_tmp_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_tmp_t, mplayer_tmpfs_t, mscan_tmp_t, munin_script_tmp_t, munin_tmp_t, mysqld_tmp_t, nagios_eventhandler_plugin_tmp_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_tmp_t, net_conf_t, netutils_exec_t, netutils_tmp_t, neutron_tmp_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t, nova_compute_tmp_t, nova_conductor_tmp_t, nova_console_tmp_t, nova_direct_tmp_t, nova_network_tmp_t, nova_objectstore_tmp_t, nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t, nscd_exec_t, nscd_initrc_exec_t, nscd_unit_file_t, nscd_var_run_t, ntop_tmp_t, ntpd_exec_t, ntpd_initrc_exec_t, ntpd_tmp_t, ntpd_unit_file_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_tmp_t, openvpn_tmp_t, openvswitch_tmp_t, openwsman_tmp_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_file_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, ping_exec_t, piranha_web_tmp_t, pkcs_slotd_tmp_t, pki_tomcat_tmp_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_tmp_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_lml_tmp_t, proc_t, proc_xen_t, procmail_tmp_t, psad_tmp_t, pulseaudio_tmpfs_t, puppet_tmp_t, puppetmaster_tmp_t, qpidd_tmp_t, racoon_tmp_t, realmd_tmp_t, rhev_agentd_tmp_t, rhsmcertd_tmp_t, ricci_tmp_t, rlogind_tmp_t, rolekit_tmp_t, rpm_script_tmp_t, rpm_tmp_t, rsync_tmp_t, rtas_errd_tmp_t, samba_etc_t, samba_net_tmp_t, samba_var_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_tmp_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setfiles_exec_t, sge_tmp_t, shell_exec_t, shorewall_tmp_t, slapd_tmp_t, smbd_tmp_t, smoltclient_tmp_t, smsd_tmp_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_tmp_t, speech-dispatcher_tmp_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_public_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_tmp_t, systemd_logind_var_run_t, systemd_passwd_agent_exec_t, systemd_passwd_var_run_t, systemd_systemctl_exec_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thumb_tmp_t, tmp_t, tomcat_tmp_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, udev_var_run_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_tmp_t, var_spool_t, varnishd_tmp_t, virt_lxc_var_run_t, virt_qemu_ga_tmp_t, virt_tmp_t, virt_var_run_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, webadm_tmp_t, webalizer_tmp_t, wireshark_tmp_t, wireshark_tmpfs_t, xauth_tmp_t, xend_tmp_t, xenstored_tmp_t, xserver_tmpfs_t, ypbind_exec_t, ypbind_initrc_exec_t, ypbind_tmp_t, ypbind_unit_file_t, ypbind_var_run_t, ypserv_tmp_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_tmp_t. 
Then execute: 
restorecon -v 'resolv.conf'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that dhclient should be allowed read access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dhclient /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:dhcpc_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                resolv.conf [ file ]
Source                        dhclient
Source Path                   dhclient
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-122.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.4-301.fc22.x86_64 #1 SMP Thu
                              May 21 13:10:33 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-10 12:29:11 BST
Last Seen                     2015-09-10 12:29:11 BST
Local ID                      4d133c92-ea8f-4dd7-8b78-0174c145a267

Raw Audit Messages
type=AVC msg=audit(1441884551.417:547): avc:  denied  { read } for  pid=2840 comm="dhclient" name="resolv.conf" dev="sda9" ino=1051176 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Hash: dhclient,dhcpc_t,unlabeled_t,file,read







SELinux is preventing geoclue from 'getattr' accesses on the file /etc/resolv.conf.

*****  Plugin restorecon (94.8 confidence) suggests   ************************

If you want to fix the label. 
/etc/resolv.conf default label should be net_conf_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/resolv.conf

*****  Plugin catchall_labels (5.21 confidence) suggests   *******************

If you want to allow geoclue to have getattr access on the resolv.conf file
Then you need to change the label on /etc/resolv.conf
Do
# semanage fcontext -a -t FILE_TYPE '/etc/resolv.conf'
where FILE_TYPE is one of the following: NetworkManager_log_t, NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, acct_data_t, admin_crontab_tmp_t, admin_home_t, afs_logfile_t, aide_log_t, alsa_tmp_t, amanda_log_t, amanda_tmp_t, antivirus_log_t, antivirus_tmp_t, apcupsd_log_t, apcupsd_tmp_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, auditadm_sudo_tmp_t, auth_cache_t, automount_tmp_t, awstats_tmp_t, bacula_log_t, bacula_tmp_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_tmp_t, bugzilla_tmp_t, calamaris_log_t, callweaver_log_t, canna_log_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_tmp_t, cert_t, certmaster_var_log_t, cfengine_log_t, cgred_log_t, checkpc_log_t, chrome_sandbox_tmp_t, chronyd_var_log_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_tmp_t, cluster_var_log_t, cobbler_tmp_t, cobbler_var_log_t, cockpit_tmp_t, collectd_script_tmp_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, conman_tmp_t, consolekit_log_t, couchdb_log_t, couchdb_tmp_t, cpu_online_t, crack_tmp_t, cron_log_t, crond_tmp_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_tmp_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dcc_client_tmp_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrvadmin_tmp_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dnsmasq_var_log_t, docker_log_t, docker_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, dspam_log_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_log_t, exim_tmp_t, fail2ban_log_t, fail2ban_tmp_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_log_t, file_context_t, fingerd_log_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_tmp_t, foghorn_var_log_t, fonts_cache_t, fonts_t, fsadm_log_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_tmp_t, games_tmp_t, games_tmpfs_t, gconf_tmp_t, gear_log_t, geoclue_exec_t, geoclue_tmp_t, geoclue_var_lib_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t, git_script_tmp_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gpg_agent_tmp_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, httpd_log_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, icecast_log_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, ipsec_log_t, ipsec_tmp_t, iptables_tmp_t, iscsi_log_t, iscsi_tmp_t, iwhd_log_t, jetty_log_t, jockey_var_log_t, kadmind_log_t, kadmind_tmp_t, kdumpctl_tmp_t, kdumpgui_tmp_t, keystone_log_t, keystone_tmp_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5kdc_log_t, krb5kdc_tmp_t, ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t, ld_so_cache_t, ld_so_t, ldconfig_tmp_t, lib_t, livecd_tmp_t, locale_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_tmp_t, lvm_tmp_t, machineid_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mcelog_log_t, mediawiki_tmp_t, minidlna_log_t, mirrormanager_log_t, mock_tmp_t, mojomojo_tmp_t, mongod_log_t, mongod_tmp_t, motion_log_t, mount_tmp_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_log_t, mpd_tmp_t, mplayer_tmpfs_t, mrtg_log_t, mscan_tmp_t, munin_log_t, munin_script_tmp_t, munin_tmp_t, mysqld_log_t, mysqld_tmp_t, mythtv_var_log_t, naemon_log_t, nagios_eventhandler_plugin_tmp_t, nagios_log_t, nagios_openshift_plugin_tmp_t, nagios_system_plugin_tmp_t, nagios_tmp_t, named_log_t, named_tmp_t, net_conf_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, nova_ajax_tmp_t, nova_api_tmp_t, nova_cert_tmp_t, nova_compute_tmp_t, nova_conductor_tmp_t, nova_console_tmp_t, nova_direct_tmp_t, nova_log_t, nova_network_tmp_t, nova_objectstore_tmp_t, nova_scheduler_tmp_t, nova_vncproxy_tmp_t, nova_volume_tmp_t, nscd_log_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, numad_var_log_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_log_t, openshift_tmp_t, opensm_log_t, openvpn_status_t, openvpn_tmp_t, openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openwsman_log_t, openwsman_tmp_t, osad_log_t, pam_timestamp_tmp_t, passenger_log_t, passenger_tmp_t, passwd_file_t, pcp_log_t, pcp_tmp_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, piranha_log_t, piranha_web_tmp_t, pkcs_slotd_tmp_t, pki_ra_log_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tps_log_t, plymouthd_var_log_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_tmp_t, polipo_log_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_local_tmp_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_qmgr_tmp_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, pppd_log_t, pppd_tmp_t, pptp_log_t, prelink_exec_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, privoxy_log_t, procmail_log_t, procmail_tmp_t, psad_tmp_t, psad_var_log_t, pulseaudio_tmpfs_t, puppet_log_t, puppet_tmp_t, puppetmaster_tmp_t, pyicqt_log_t, qdiskd_var_log_t, qpidd_tmp_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, realmd_tmp_t, redis_log_t, rhev_agentd_log_t, rhev_agentd_tmp_t, rhsmcertd_log_t, rhsmcertd_tmp_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rolekit_tmp_t, rpm_log_t, rpm_script_tmp_t, rpm_tmp_t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, samba_log_t, samba_net_tmp_t, sanlock_log_t, sblim_tmp_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, selinux_munin_plugin_tmp_t, semanage_tmp_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setroubleshoot_var_log_t, sge_tmp_t, shell_exec_t, shorewall_log_t, shorewall_tmp_t, slapd_log_t, slapd_tmp_t, slpd_log_t, smbd_tmp_t, smoltclient_tmp_t, smsd_log_t, smsd_tmp_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_tmp_t, soundd_tmp_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, speech-dispatcher_log_t, speech-dispatcher_tmp_t, squid_log_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_tmp_t, ssh_keygen_tmp_t, ssh_tmpfs_t, sssd_public_t, sssd_var_log_t, staff_sudo_tmp_t, stapserver_log_t, stapserver_tmp_t, stunnel_tmp_t, svirt_tmp_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, syslogd_tmp_t, sysstat_log_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_tmp_t, tcpd_tmp_t, telepathy_gabble_tmp_t, telepathy_idle_tmp_t, telepathy_logger_tmp_t, telepathy_mission_control_tmp_t, telepathy_msn_tmp_t, telepathy_salut_tmp_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thin_aeolus_configserver_log_t, thin_log_t, thumb_tmp_t, tmp_t, tomcat_log_t, tomcat_tmp_t, tor_var_log_t, tuned_log_t, tuned_tmp_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, ulogd_var_log_t, uml_tmp_t, uml_tmpfs_t, unconfined_munin_plugin_tmp_t, update_modules_tmp_t, user_cron_spool_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, usr_t, uucpd_log_t, uucpd_tmp_t, var_log_t, var_spool_t, varnishd_tmp_t, varnishlog_log_t, vdagent_log_t, virt_log_t, virt_qemu_ga_log_t, virt_qemu_ga_tmp_t, virt_tmp_t, vmtools_tmp_t, vmware_host_tmp_t, vmware_log_t, vmware_tmp_t, vmware_tmpfs_t, vpnc_tmp_t, w3c_validator_tmp_t, watchdog_log_t, webadm_tmp_t, webalizer_tmp_t, winbind_log_t, wireshark_tmp_t, wireshark_tmpfs_t, wtmp_t, xauth_tmp_t, xdm_log_t, xend_tmp_t, xend_var_log_t, xenstored_tmp_t, xenstored_var_log_t, xferlog_t, xserver_log_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_log_t, zabbix_tmp_t, zarafa_deliver_log_t, zarafa_deliver_tmp_t, zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_indexer_tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_log_t. 
Then execute: 
restorecon -v '/etc/resolv.conf'


*****  Plugin catchall (1.44 confidence) suggests   **************************

If you believe that geoclue should be allowed getattr access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep geoclue /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:geoclue_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /etc/resolv.conf [ file ]
Source                        geoclue
Source Path                   geoclue
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-122.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.4-301.fc22.x86_64 #1 SMP Thu
                              May 21 13:10:33 UTC 2015 x86_64 x86_64
Alert Count                   4
First Seen                    2015-09-10 12:25:59 BST
Last Seen                     2015-09-10 12:35:36 BST
Local ID                      0592ad4e-98fd-46ca-8d49-37ccee6629b4

Raw Audit Messages
type=AVC msg=audit(1441884936.773:678): avc:  denied  { getattr } for  pid=3967 comm="geoclue" path="/etc/resolv.conf" dev="sda9" ino=1051176 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Hash: geoclue,geoclue_t,unlabeled_t,file,getattr







SELinux is preventing NetworkManager from 'unlink' accesses on the file resolv.conf.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow NetworkManager to have unlink access on the resolv.conf file
Then you need to change the label on resolv.conf
Do
# semanage fcontext -a -t FILE_TYPE 'resolv.conf'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_tmp_t, NetworkManager_var_lib_t, NetworkManager_var_run_t, dhcpc_state_t, dhcpc_var_run_t, dnsmasq_var_run_t, hostname_etc_t, named_cache_t, net_conf_t, pppd_var_run_t, systemd_passwd_var_run_t. 
Then execute: 
restorecon -v 'resolv.conf'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that NetworkManager should be allowed unlink access on the resolv.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep NetworkManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                resolv.conf [ file ]
Source                        NetworkManager
Source Path                   NetworkManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-122.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.0.4-301.fc22.x86_64 #1 SMP Thu
                              May 21 13:10:33 UTC 2015 x86_64 x86_64
Alert Count                   8
First Seen                    2015-09-10 12:29:20 BST
Last Seen                     2015-09-10 12:39:53 BST
Local ID                      e895f9e7-0718-4c2c-9b5f-0959cbc37ca4

Raw Audit Messages
type=AVC msg=audit(1441885193.138:748): avc:  denied  { unlink } for  pid=706 comm="NetworkManager" name="resolv.conf" dev="sda9" ino=1051176 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Hash: NetworkManager,NetworkManager_t,unlabeled_t,file,unlink
Comment 4 Daniel Walsh 2015-09-28 07:20:07 EDT
Something in the install is leaving an unlabeled file in /etc

restorecon -R -v /etc

Should fix the problem.
Comment 5 David Shea 2015-09-28 10:17:57 EDT

*** This bug has been marked as a duplicate of bug 1229788 ***

Note You need to log in before you can comment on or make changes to this bug.