Description of problem:
Seems to have been triggered when laptop resumed from a suspended state.
SELinux is preventing sh from 'execute_no_trans' accesses on the file /usr/libexec/dnssec-trigger-script.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sh should be allowed execute_no_trans access on the dnssec-trigger-script file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'sh' --raw | audit2allow -M my-sh
# semodule -X 300 -i my-sh.pp

Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:object_r:dnssec_trigger_exec_t:s0
Target Objects                /usr/libexec/dnssec-trigger-script [ file ]
Source                        sh
Source Path                   sh
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           dnssec-trigger-0.13-3.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.0-1.fc26.x86_64 #1 SMP Mon May 1 17:34:37 UTC 2017 x86_64 x86_64
Alert Count                   18
First Seen                    2017-05-12 00:31:19 BST
Last Seen                     2017-05-12 18:36:00 BST
Local ID                      404c0a56-7f33-49b3-a61f-52c9b62d9ec8

Raw Audit Messages
type=AVC msg=audit(1494610560.352:387): avc:  denied  { execute_no_trans } for  pid=4410 comm="sh" path="/usr/libexec/dnssec-trigger-script" dev="nvme0n1p3" ino=4599947 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_exec_t:s0 tclass=file permissive=0

Hash: sh,dnssec_trigger_t,dnssec_trigger_exec_t,file,execute_no_trans

Version-Release number of selected component:
selinux-policy-3.13.1-251.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.0-1.fc26.x86_64
type:           libreport
Description of problem:
This started happening after upgrading F25 to F26 after connecting to any wifi network.

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.9-300.fc26.x86_64
type:           libreport
For me this is reproducing 100% on a wired connection as well.
Description of problem:
When NetworkManager is configured to use unbound, NetworkManager.conf:

[main]
dns=unbound

During boot this selinux alert is triggered by dnssec-trigger-script.

Version-Release number of selected component:
selinux-policy-3.13.1-260.8.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.9-300.fc26.x86_64
type:           libreport
(In reply to Federico Simoncelli from comment #3)
> During boot this selinux alert is triggered by dnssec-trigger-script.

And also on every `systemctl restart dnssec-triggerd`
Description of problem:
boot up the machine

Version-Release number of selected component:
selinux-policy-3.13.1-260.8.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.12-300.fc26.x86_64
type:           libreport
Description of problem:
AVC comes up on boot.

Version-Release number of selected component:
selinux-policy-3.13.1-260.8.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.12.12-300.fc26.x86_64
type:           libreport
Just installed dnssec-trigger dnssec-trigger-panel unbound on fedora 26 workstation and ran into this issue:

repo on f26 workstation:
1. dnf install dnssec-trigger dnssec-trigger-panel
2. sudo systemctl start dnssec-triggerd --> AVC denial
3. /usr/bin/dnssec-trigger-panel
4. right-click icon -> reprobe -> AVC denial
*** This bug has been marked as a duplicate of bug 1487912 ***