Description of problem: ======================= I'm getting selinux alerts while using unbound+dnssec, all started after upgrade to f26, autorelabel didn't help. ~~~ $ sealert -l 74107b33-d2e7-4f50-ab08-8e2aaa21b652 SELinux is preventing sh from execute_no_trans access on the file /usr/libexec/dnssec-trigger-script. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that sh should be allowed execute_no_trans access on the dnssec-trigger-script file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'sh' --raw | audit2allow -M my-sh # semodule -X 300 -i my-sh.pp Additional Information: Source Context system_u:system_r:dnssec_trigger_t:s0 Target Context system_u:object_r:dnssec_trigger_exec_t:s0 Target Objects /usr/libexec/dnssec-trigger-script [ file ] Source sh Source Path sh Port <Unknown> Host localhost.localdomain Source RPM Packages Target RPM Packages dnssec-trigger-0.13-3.fc26.x86_64 Policy RPM selinux-policy-3.13.1-260.6.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 4.12.8-300.fc26.x86_64 #1 SMP Thu Aug 17 15:30:20 UTC 2017 x86_64 x86_64 Alert Count 580 First Seen 2017-07-15 20:37:50 CEST Last Seen 2017-09-03 09:48:20 CEST Local ID 74107b33-d2e7-4f50-ab08-8e2aaa21b652 Raw Audit Messages type=AVC msg=audit(1504424900.259:940): avc: denied { execute_no_trans } for pid=4475 comm="sh" path="/usr/libexec/dnssec-trigger-script" dev="dm-0" ino=1280997 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_exec_t:s0 tclass=file permissive=0 Hash: sh,dnssec_trigger_t,dnssec_trigger_exec_t,file,execute_no_trans ~~~ In the logs I see: ~~~ Sep 03 09:48:20 localhost.localdomain dnssec-triggerd[1020]: sh: /usr/libexec/dnssec-trigger-script: /usr/bin/python3: bad interpreter: Permission denied Sep 03 09:48:20 localhost.localdomain audit[4475]: AVC avc: denied { execute_no_trans } for pid=4475 comm="sh" path="/usr/libexec/dnssec-trigger-script" dev="dm-0" ino=1280997 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_exec_t:s0 tclass=file permissive=0 Sep 03 09:48:20 localhost.localdomain dnssec-triggerd[1020]: ok Sep 03 09:48:20 localhost.localdomain dnssec-triggerd[1020]: sh: /usr/libexec/dnssec-trigger-script: /usr/bin/python3: bad interpreter: Permission denied Sep 03 09:48:19 localhost.localdomain audit[4471]: AVC avc: denied { execute_no_trans } for pid=4471 comm="sh" path="/usr/libexec/dnssec-trigger-script" dev="dm-0" ino=1280997 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:dnssec_trigger_exec_t:s0 tclass=file permissive=0 Sep 03 09:48:19 localhost.localdomain dnssec-triggerd[1020]: ok ~~~
dnssec-trigger daemon needs to be able to execute /usr/libexec/dnssec-trigger-script. I'm not sure what changed in F26 policy again... Moving to selinux-policy.
I think this might be a dup of #1487912
*** Bug 1450481 has been marked as a duplicate of this bug. ***
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e
Description of problem: I got this AVC at start of dnssec-trigger service right after its installation Version-Release number of selected component: selinux-policy-3.13.1-260.13.fc26.noarch Additional info: reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.13.9-200.fc26.x86_64 type: libreport
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.