Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1147030 - SELinux is preventing /usr/bin/bash from read access on the file .
Summary: SELinux is preventing /usr/bin/bash from read access on the file .
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: Default_Local_DNS_Resolver
TreeView+ depends on / blocked
 
Reported: 2014-09-26 15:58 UTC by Paul Wouters
Modified: 2016-05-16 14:35 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-13 21:33:53 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Paul Wouters 2014-09-26 15:58:23 UTC
Description of problem:
Not sure. Booted at a coffeeshop, got on the network, dnssec-trigger prompted me for a hotspot login. I might just be a little sensitive to bash denials now :)

Version-Release number of selected component (if applicable):
dnssec-trigger-0.12-13.fc20.x86_64
unbound-1.4.22-5.fc20.x86_64


paul@thinkpad:~$  sudo sealert -l 4bf086b5-8b34-4d7f-bc82-296717a59804
SELinux is preventing /usr/bin/bash from read access on the file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bash should be allowed read access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sh /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:dnssec_trigger_t:s0
Target Context                system_u:object_r:named_exec_t:s0
Target Objects                 [ file ]
Source                        sh
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          thinkpad.nohats.ca
Source RPM Packages           bash-4.2.47-4.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-183.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     thinkpad.nohats.ca
Platform                      Linux thinkpad.nohats.ca 3.15.9-200.fc20.x86_64 #1
                              SMP Sat Aug 9 09:02:55 UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-09-26 11:48:40 EDT
Last Seen                     2014-09-26 11:49:30 EDT
Local ID                      4bf086b5-8b34-4d7f-bc82-296717a59804

Raw Audit Messages
type=AVC msg=audit(1411746570.823:505): avc:  denied  { read } for  pid=3421 comm="sh" name="unbound-control" dev="dm-2" ino=1773164 scontext=system_u:system_r:dnssec_trigger_t:s0 tcontext=system_u:object_r:named_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1411746570.823:505): arch=x86_64 syscall=access success=yes exit=0 a0=b3ebd0 a1=4 a2=7ffffda04490 a3=12 items=0 ppid=1804 pid=3421 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sh exe=/usr/bin/bash subj=system_u:system_r:dnssec_trigger_t:s0 key=(null)

Hash: sh,dnssec_trigger_t,named_exec_t,file,read

Comment 1 Pavel Šimerda (pavlix) 2015-01-21 12:38:20 UTC
Looks like the bash is called from dnssec-triggerd and wants to access unbound-control. That would happen when dnssec-trigger calls unbound-control in ubhook.c to configure unbound forward zones and other stuff. 

I think there's no relation to dnssec-trigger-script as that build of dnssec-trigger doesn't call it directly from the daemon but later builds are, so there's a risk that this issue will get broader.

We'll need to watch for it, taking it for now because of the above. If you still has the logs, are there any details just after the selinux alert? The ubhook.c would normally report failures.

Comment 2 Pavel Šimerda (pavlix) 2015-01-21 15:46:28 UTC
This looks like a duplicate to bug #1147705 except the Fedora branch. Not sure whether it's practical to merge them or keep them separate.

Comment 3 Pavel Šimerda (pavlix) 2015-04-01 13:42:31 UTC
Hi folks, could you please tell me about the differneces from bug #1147705 and explain the empty or "." file name in this case? From the dnssec-triggerd side, we're just calling "system()" which in turn starts a shell with "unbound-control" plus some arguments as the command.

Comment 4 Charles R. Anderson 2015-04-01 14:25:57 UTC
IMO, system() should be avoided.  Can you call fork()+exec() on unbound-control instead and avoid the intermediate bash process completely?

Comment 5 Pavel Šimerda (pavlix) 2015-04-01 14:47:47 UTC
(In reply to Charles R. Anderson from comment #4)
> IMO, system() should be avoided.  Can you call fork()+exec() on
> unbound-control instead and avoid the intermediate bash process completely?

I don't think we're going to fix this any soon as this is how upstream works and has worked for a while now. But we can consider it when we know why is bash a problem here.

Anyway I'm curious why this hasn't been reported by others with later versions of the package. Is there a possibility that this has been already fixed?

Comment 6 Lukas Vrabec 2015-04-02 08:45:14 UTC
(In reply to Pavel Šimerda (pavlix) from comment #3)
> Hi folks, could you please tell me about the differneces from bug #1147705
> and explain the empty or "." file name in this case? From the
> dnssec-triggerd side, we're just calling "system()" which in turn starts a
> shell with "unbound-control" plus some arguments as the command.
The only difference is old version of Fedora. 
In this case there is also old version of selinux-policy package. 

Paul,
You need to update selinux-policy package, we allowed this rule.

Comment 7 Paul Wouters 2015-04-13 21:33:53 UTC
lukas: ok, that's good enough for me.

Comment 8 Peter H. Jones 2015-08-12 14:03:23 UTC
I think I got this bug in FC22. Please reopen if you feel appropriate. I wasn't working with the iso file, so I don't know how what caused this alert.

The elinux details are below:

"SELinux is preventing pool from read access on the file antiX-15-V_x64-base.iso.

*****  Plugin mozplugger (93.0 confidence) suggests   ************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall_labels (6.67 confidence) suggests   *******************

If you want to allow pool to have read access on the antiX-15-V_x64-base.iso file
Then you need to change the label on antiX-15-V_x64-base.iso
Do
# semanage fcontext -a -t FILE_TYPE 'antiX-15-V_x64-base.iso'
where FILE_TYPE is one of the following: NetworkManager_etc_rw_t, NetworkManager_etc_t, NetworkManager_exec_t, NetworkManager_initrc_exec_t, NetworkManager_tmp_t, abrt_dump_oops_exec_t, abrt_etc_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_initrc_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_worker_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, accountsd_exec_t, acct_exec_t, acct_initrc_exec_t, admin_crontab_tmp_t, admin_passwd_exec_t, afs_cache_t, afs_initrc_exec_t, aiccu_etc_t, aiccu_initrc_exec_t, aide_exec_t, ajaxterm_initrc_exec_t, alsa_etc_rw_t, alsa_exec_t, alsa_home_t, alsa_tmp_t, amanda_exec_t, amanda_recover_exec_t, amanda_tmp_t, amtu_exec_t, amtu_initrc_exec_t, anacron_exec_t, antivirus_conf_t, antivirus_home_t, antivirus_initrc_exec_t, antivirus_tmp_t, apcupsd_initrc_exec_t, apcupsd_tmp_t, apm_exec_t, apmd_initrc_exec_t, apmd_tmp_t, arpwatch_initrc_exec_t, arpwatch_tmp_t, asterisk_etc_t, asterisk_initrc_exec_t, asterisk_tmp_t, audio_home_t, audisp_exec_t, auditadm_sudo_tmp_t, auditctl_exec_t, auditd_initrc_exec_t, auth_home_t, authconfig_exec_t, autofs_t, automount_initrc_exec_t, automount_tmp_t, avahi_exec_t, avahi_initrc_exec_t, awstats_tmp_t, bacula_admin_exec_t, bacula_initrc_exec_t, bacula_tmp_t, bacula_unconfined_script_exec_t, bcfg2_initrc_exec_t, bin_t, bitlbee_conf_t, bitlbee_initrc_exec_t, bitlbee_tmp_t, blueman_exec_t, bluetooth_conf_t, bluetooth_helper_exec_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_initrc_exec_t, bluetooth_tmp_t, boinc_initrc_exec_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_etc_t, bootloader_exec_t, bootloader_tmp_t, brctl_exec_t, bugzilla_tmp_t, cache_home_t, calamaris_exec_t, callweaver_initrc_exec_t, canna_initrc_exec_t, cardctl_exec_t, cardmgr_dev_t, ccs_initrc_exec_t, ccs_tmp_t, cdcc_exec_t, cdcc_tmp_t, cdrecord_exec_t, cert_t, certmaster_initrc_exec_t, certmonger_initrc_exec_t, certmonger_unconfined_exec_t, certwatch_exec_t, cfengine_initrc_exec_t, cgconfig_etc_t, cgconfig_initrc_exec_t, cgred_initrc_exec_t, cgrules_etc_t, checkpc_exec_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, chrome_sandbox_exec_t, chrome_sandbox_home_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_tmp_t, chronyd_initrc_exec_t, cifs_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, ciped_initrc_exec_t, cloud_init_tmp_t, cluster_conf_t, cluster_initrc_exec_t, cluster_tmp_t, clvmd_initrc_exec_t, cmirrord_initrc_exec_t, cobbler_etc_t, cobbler_tmp_t, cobblerd_initrc_exec_t, cockpit_tmp_t, collectd_initrc_exec_t, collectd_script_tmp_t, colord_exec_t, colord_tmp_t, comsat_tmp_t, condor_conf_t, condor_initrc_exec_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, config_home_t, config_usr_t, conman_tmp_t, consolehelper_exec_t, consolekit_exec_t, couchdb_conf_t, couchdb_initrc_exec_t, couchdb_tmp_t, courier_etc_t, courier_exec_t, cpu_online_t, cpucontrol_conf_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuplug_initrc_exec_t, cpuspeed_exec_t, crack_exec_t, crack_tmp_t, crond_initrc_exec_t, crond_tmp_t, crontab_exec_t, crontab_tmp_t, ctdbd_initrc_exec_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_config_exec_t, cupsd_etc_t, cupsd_initrc_exec_t, cupsd_lpd_tmp_t, cupsd_rw_etc_t, cupsd_tmp_t, cvs_exec_t, cvs_home_t, cvs_initrc_exec_t, cvs_tmp_t, cyphesis_exec_t, cyphesis_initrc_exec_t, cyphesis_tmp_t, cyrus_initrc_exec_t, cyrus_tmp_t, data_home_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbus_home_t, dbusd_etc_t, dbusd_exec_t, dcc_client_exec_t, dcc_client_tmp_t, dcc_dbclean_exec_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_etc_t, ddclient_initrc_exec_t, ddclient_tmp_t, debuginfo_exec_t, deltacloudd_tmp_t, denyhosts_initrc_exec_t, depmod_exec_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, devicekit_tmp_t, dhcp_etc_t, dhcpc_exec_t, dhcpc_helper_exec_t, dhcpc_tmp_t, dhcpd_initrc_exec_t, dhcpd_tmp_t, dictd_etc_t, dictd_initrc_exec_t, dirsrv_tmp_t, dirsrvadmin_tmp_t, disk_munin_plugin_exec_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_initrc_exec_t, dmesg_exec_t, dmidecode_exec_t, dnsmasq_etc_t, dnsmasq_initrc_exec_t, dnssec_trigger_tmp_t, docker_config_t, docker_home_t, docker_tmp_t, dosfs_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_etc_t, dovecot_initrc_exec_t, dovecot_tmp_t, drbd_initrc_exec_t, drbd_tmp_t, dspam_initrc_exec_t, ecryptfs_t, efivarfs_t, entropyd_initrc_exec_t, etc_mail_t, etc_runtime_t, etc_t, exim_exec_t, exim_initrc_exec_t, exim_tmp_t, exports_t, fail2ban_client_exec_t, fail2ban_initrc_exec_t, fail2ban_tmp_t, fcoemon_initrc_exec_t, fenced_tmp_t, fetchmail_etc_t, fetchmail_exec_t, fetchmail_home_t, fetchmail_initrc_exec_t, file_context_t, fingerd_etc_t, firewalld_etc_rw_t, firewalld_exec_t, firewalld_initrc_exec_t, firewalld_tmp_t, firewallgui_exec_t, firewallgui_tmp_t, firstboot_etc_t, firstboot_exec_t, foghorn_initrc_exec_t, fonts_cache_t, fonts_t, fprintd_exec_t, freqset_exec_t, fsadm_exec_t, fsadm_tmp_t, fsdaemon_initrc_exec_t, fsdaemon_tmp_t, ftpd_etc_t, ftpd_initrc_exec_t, ftpd_tmp_t, ftpdctl_exec_t, ftpdctl_tmp_t, fusefs_t, games_exec_t, games_tmp_t, games_tmpfs_t, gconf_etc_t, gconf_home_t, gconf_tmp_t, gconfd_exec_t, gconfdefaultsm_exec_t, gdomap_conf_t, gdomap_initrc_exec_t, geoclue_exec_t, geoclue_tmp_t, getty_etc_t, getty_exec_t, getty_tmp_t, git_script_tmp_t, git_user_content_t, gitd_exec_t, gitosis_exec_t, gkeyringd_exec_t, gkeyringd_gnome_home_t, gkeyringd_tmp_t, glance_api_initrc_exec_t, glance_registry_initrc_exec_t, glance_registry_tmp_t, glance_scrubber_initrc_exec_t, glance_tmp_t, glusterd_initrc_exec_t, glusterd_tmp_t, gnome_home_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_agent_tmp_t, gpg_exec_t, gpg_helper_exec_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpg_secret_t, gpm_conf_t, gpm_initrc_exec_t, gpm_tmp_t, gpsd_exec_t, gpsd_initrc_exec_t, groupadd_exec_t, gssd_tmp_t, gstreamer_home_t, hddtemp_etc_t, hddtemp_initrc_exec_t, home_bin_t, home_cert_t, hostname_etc_t, hostname_exec_t, httpd_config_t, httpd_initrc_exec_t, httpd_passwd_exec_t, httpd_php_tmp_t, httpd_suexec_tmp_t, httpd_tmp_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, hugetlbfs_t, hwclock_exec_t, hypervkvp_initrc_exec_t, icc_data_home_t, iceauth_exec_t, iceauth_home_t, icecast_exec_t, icecast_initrc_exec_t, ifconfig_exec_t, inetd_child_tmp_t, inetd_tmp_t, init_tmp_t, initrc_exec_t, initrc_tmp_t, innd_etc_t, innd_initrc_exec_t, insmod_exec_t, install_exec_t, iodined_initrc_exec_t, iotop_exec_t, ipa_helper_exec_t, ipsec_initrc_exec_t, ipsec_mgmt_exec_t, ipsec_tmp_t, iptables_exec_t, iptables_initrc_exec_t, iptables_tmp_t, irc_conf_t, irc_exec_t, irc_home_t, irc_tmp_t, irqbalance_initrc_exec_t, irssi_etc_t, irssi_exec_t, irssi_home_t, iscsi_tmp_t, isnsd_initrc_exec_t, iso9660_t, iwhd_initrc_exec_t, jabberd_initrc_exec_t, jockey_exec_t, journalctl_exec_t, kadmind_tmp_t, kdump_etc_t, kdump_exec_t, kdump_initrc_exec_t, kdumpctl_tmp_t, kdumpgui_exec_t, kdumpgui_tmp_t, keepalived_unconfined_script_exec_t, kerberos_initrc_exec_t, keystone_initrc_exec_t, keystone_tmp_t, kismet_exec_t, kismet_home_t, kismet_initrc_exec_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, kmscon_conf_t, krb5_conf_t, krb5_home_t, krb5_host_rcache_t, krb5kdc_conf_t, krb5kdc_tmp_t, ksmtuned_initrc_exec_t, ktalkd_tmp_t, l2tp_conf_t, l2tpd_initrc_exec_t, l2tpd_tmp_t, ld_so_cache_t, ld_so_t, ldconfig_exec_t, ldconfig_tmp_t, lib_t, likewise_etc_t, likewise_initrc_exec_t, lircd_etc_t, lircd_initrc_exec_t, livecd_exec_t, livecd_tmp_t, lldpad_initrc_exec_t, load_policy_exec_t, loadkeys_exec_t, local_login_home_t, locale_t, locate_exec_t, lockdev_exec_t, login_exec_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_exec_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_exec_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_exec_t, lsmd_plugin_tmp_t, lvm_etc_t, lvm_exec_t, lvm_tmp_t, machineid_t, mail_home_rw_t, mail_home_t, mail_munin_plugin_exec_t, mail_munin_plugin_tmp_t, mailman_cgi_tmp_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man_cache_t, man_t, mandb_cache_t, mandb_home_t, mcelog_etc_t, mcelog_exec_t, mcelog_initrc_exec_t, mdadm_conf_t, mdadm_initrc_exec_t, mediawiki_tmp_t, memcached_initrc_exec_t, mencoder_exec_t, minidlna_conf_t, minidlna_initrc_exec_t, minissdpd_conf_t, minissdpd_initrc_exec_t, mock_build_exec_t, mock_etc_t, mock_exec_t, mock_tmp_t, modemmanager_exec_t, modules_conf_t, mojomojo_tmp_t, mon_statd_initrc_exec_t, mongod_initrc_exec_t, mongod_tmp_t, mount_ecryptfs_exec_t, mount_exec_t, mount_tmp_t, mozilla_conf_t, mozilla_exec_t, mozilla_home_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mozilla_plugin_rw_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_etc_t, mpd_exec_t, mpd_home_t, mpd_initrc_exec_t, mpd_tmp_t, mpd_user_data_t, mplayer_etc_t, mplayer_exec_t, mplayer_home_t, mplayer_tmpfs_t, mrtg_etc_t, mrtg_exec_t, mrtg_initrc_exec_t, mscan_etc_t, mscan_initrc_exec_t, mscan_tmp_t, munin_etc_t, munin_initrc_exec_t, munin_script_tmp_t, munin_tmp_t, mysqld_etc_t, mysqld_home_t, mysqld_initrc_exec_t, mysqld_tmp_t, mysqlmanagerd_initrc_exec_t, naemon_initrc_exec_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_etc_t, nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_tmp_t, nagios_initrc_exec_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_openshift_plugin_tmp_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_system_plugin_tmp_t, nagios_tmp_t, nagios_unconfined_plugin_exec_t, named_checkconf_exec_t, named_conf_t, named_exec_t, named_initrc_exec_t, named_tmp_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, net_conf_t, netlabel_mgmt_exec_t, netutils_exec_t, netutils_tmp_t, neutron_initrc_exec_t, neutron_tmp_t, newrole_exec_t, nfs_t, nfsd_initrc_exec_t, nis_initrc_exec_t, nova_tmp_t, nrpe_etc_t, nscd_initrc_exec_t, nslcd_conf_t, nslcd_initrc_exec_t, ntop_etc_t, ntop_initrc_exec_t, ntop_tmp_t, ntp_conf_t, ntpd_initrc_exec_t, ntpd_tmp_t, ntpdate_exec_t, nut_conf_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nx_server_tmp_t, obex_exec_t, oddjob_mkhomedir_exec_t, openct_initrc_exec_t, openhpid_initrc_exec_t, openshift_cgroup_read_exec_t, openshift_cgroup_read_tmp_t, openshift_cron_tmp_t, openshift_initrc_tmp_t, openshift_net_read_exec_t, openshift_tmp_t, openshift_var_lib_t, openvpn_etc_rw_t, openvpn_etc_t, openvpn_initrc_exec_t, openvpn_tmp_t, openvswitch_rw_t, openvswitch_tmp_t, openwsman_tmp_t, oracleasm_initrc_exec_t, osad_initrc_exec_t, pads_config_t, pads_exec_t, pads_initrc_exec_t, pam_console_exec_t, pam_timestamp_tmp_t, passenger_tmp_t, passwd_exec_t, passwd_file_t, pcp_pmcd_initrc_exec_t, pcp_pmie_initrc_exec_t, pcp_pmlogger_initrc_exec_t, pcp_pmmgr_initrc_exec_t, pcp_pmproxy_initrc_exec_t, pcp_pmwebd_initrc_exec_t, pcp_tmp_t, pcscd_initrc_exec_t, pegasus_conf_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pinentry_exec_t, ping_exec_t, pingd_etc_t, pingd_initrc_exec_t, piranha_etc_rw_t, piranha_pulse_initrc_exec_t, piranha_web_conf_t, piranha_web_tmp_t, pkcs_slotd_initrc_exec_t, pkcs_slotd_tmp_t, pki_ra_script_exec_t, pki_tomcat_tmp_t, pki_tps_script_exec_t, plymouth_exec_t, podsleuth_exec_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, policykit_tmp_t, polipo_cache_home_t, polipo_config_home_t, polipo_etc_t, polipo_exec_t, polipo_initrc_exec_t, portmap_helper_exec_t, portmap_initrc_exec_t, portmap_tmp_t, portreserve_etc_t, portreserve_initrc_exec_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_etc_t, postfix_exec_t, postfix_initrc_exec_t, postfix_local_tmp_t, postfix_map_exec_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_qmgr_tmp_t, postfix_showq_exec_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, postfix_virtual_tmp_t, postgresql_etc_t, postgresql_initrc_exec_t, postgresql_tmp_t, postgrey_etc_t, postgrey_initrc_exec_t, pppd_etc_t, pppd_exec_t, pppd_initrc_exec_t, pppd_tmp_t, prelink_exec_t, prelink_tmp_t, prelude_correlator_config_t, prelude_initrc_exec_t, prelude_lml_tmp_t, preupgrade_exec_t, printconf_t, privoxy_initrc_exec_t, proc_t, procmail_exec_t, procmail_home_t, procmail_tmp_t, prosody_tmp_t, psad_etc_t, psad_initrc_exec_t, psad_tmp_t, ptal_etc_t, ptchown_exec_t, pulseaudio_exec_t, pulseaudio_home_t, pulseaudio_tmpfs_t, puppet_etc_t, puppet_tmp_t, puppetagent_initrc_exec_t, puppetca_exec_t, puppetmaster_initrc_exec_t, puppetmaster_tmp_t, pwauth_exec_t, qemu_exec_t, qmail_etc_t, qmail_tcp_env_exec_t, qpidd_initrc_exec_t, qpidd_tmp_t, quota_exec_t, rabbitmq_initrc_exec_t, racoon_tmp_t, radiusd_etc_t, radiusd_initrc_exec_t, radvd_etc_t, radvd_initrc_exec_t, readahead_exec_t, realmd_exec_t, realmd_tmp_t, redis_initrc_exec_t, removable_t, rhev_agentd_tmp_t, rhnsd_conf_t, rhnsd_initrc_exec_t, rhsmcertd_exec_t, rhsmcertd_initrc_exec_t, rhsmcertd_tmp_t, ricci_initrc_exec_t, ricci_tmp_t, rlogind_home_t, rlogind_tmp_t, rngd_initrc_exec_t, rolekit_tmp_t, roundup_initrc_exec_t, rpcbind_initrc_exec_t, rpcbind_tmp_t, rpcd_initrc_exec_t, rpm_exec_t, rpm_script_tmp_t, rpm_tmp_t, rssh_chroot_helper_exec_t, rssh_exec_t, rssh_ro_t, rssh_rw_t, rsync_etc_t, rsync_exec_t, rsync_tmp_t, rtas_errd_tmp_t, rtkit_daemon_exec_t, rtkit_daemon_initrc_exec_t, run_init_exec_t, rwho_initrc_exec_t, samba_etc_t, samba_initrc_exec_t, samba_net_exec_t, samba_net_tmp_t, samba_var_t, sambagui_exec_t, sandbox_file_t, sanlock_initrc_exec_t, saslauthd_initrc_exec_t, sblim_initrc_exec_t, sblim_tmp_t, screen_exec_t, screen_home_t, secadm_sudo_tmp_t, sectool_tmp_t, sectoolm_exec_t, selinux_munin_plugin_exec_t, selinux_munin_plugin_tmp_t, semanage_exec_t, semanage_tmp_t, sendmail_exec_t, sendmail_initrc_exec_t, sendmail_tmp_t, sensord_initrc_exec_t, services_munin_plugin_exec_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setfiles_exec_t, setkey_exec_t, setrans_initrc_exec_t, setroubleshoot_fixit_exec_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_job_exec_t, sge_shepherd_exec_t, sge_tmp_t, shell_exec_t, shorewall_etc_t, shorewall_initrc_exec_t, shorewall_tmp_t, showmount_exec_t, slapd_etc_t, slapd_initrc_exec_t, slapd_tmp_t, slpd_initrc_exec_t, smbcontrol_exec_t, smbd_tmp_t, smokeping_initrc_exec_t, smoltclient_exec_t, smoltclient_tmp_t, smsd_initrc_exec_t, smsd_tmp_t, snapperd_conf_t, snapperd_exec_t, snmpd_initrc_exec_t, snort_etc_t, snort_initrc_exec_t, snort_tmp_t, sosreport_exec_t, sosreport_tmp_t, soundd_etc_t, soundd_initrc_exec_t, soundd_tmp_t, spamc_exec_t, spamc_home_t, spamc_tmp_t, spamd_etc_t, spamd_initrc_exec_t, spamd_tmp_t, spamd_update_exec_t, speech-dispatcher_exec_t, speech-dispatcher_home_t, speech-dispatcher_tmp_t, squid_conf_t, squid_cron_exec_t, squid_initrc_exec_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_exec_t, ssh_agent_tmp_t, ssh_exec_t, ssh_home_t, ssh_keygen_exec_t, ssh_keygen_tmp_t, ssh_keysign_exec_t, ssh_tmpfs_t, sshd_initrc_exec_t, sssd_conf_t, sssd_initrc_exec_t, sssd_public_t, sssd_selinux_manager_exec_t, sssd_var_lib_t, staff_sudo_tmp_t, stapserver_tmp_t, stunnel_etc_t, stunnel_tmp_t, su_exec_t, sudo_exec_t, sulogin_exec_t, svc_conf_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, svirt_home_t, svirt_sandbox_file_t, svirt_tmp_t, svnserve_initrc_exec_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysctl_fs_t, sysctl_t, sysfs_t, syslog_conf_t, syslogd_initrc_exec_t, syslogd_tmp_t, sysstat_exec_t, sysstat_initrc_exec_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_exec_t, system_munin_plugin_tmp_t, systemd_home_t, systemd_logind_sessions_t, sysv_t, tcpd_tmp_t, tcsd_initrc_exec_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_gabble_exec_t, telepathy_gabble_tmp_t, telepathy_idle_exec_t, telepathy_idle_tmp_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_logger_exec_t, telepathy_logger_tmp_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_exec_t, telepathy_mission_control_home_t, telepathy_mission_control_tmp_t, telepathy_msn_exec_t, telepathy_msn_tmp_t, telepathy_salut_exec_t, telepathy_salut_tmp_t, telepathy_sofiasip_exec_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_exec_t, telepathy_stream_engine_tmp_t, telepathy_sunshine_exec_t, telepathy_sunshine_home_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, texlive_home_t, textrel_shlib_t, tftpd_etc_t, tgtd_initrc_exec_t, tgtd_tmp_t, thumb_exec_t, thumb_home_t, thumb_tmp_t, tmp_t, tmpfs_t, tmpreaper_exec_t, tomcat_tmp_t, tor_etc_t, tor_initrc_exec_t, traceroute_exec_t, tuned_etc_t, tuned_initrc_exec_t, tuned_rw_etc_t, tuned_tmp_t, tvtime_exec_t, tvtime_home_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_etc_t, udev_tmp_t, udev_var_run_t, ulogd_etc_t, ulogd_initrc_exec_t, uml_exec_t, uml_ro_t, uml_rw_t, uml_tmp_t, uml_tmpfs_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, unconfined_munin_plugin_tmp_t, update_modules_exec_t, update_modules_tmp_t, updfstab_exec_t, usbfs_t, usbmodules_exec_t, usbmuxd_exec_t, user_cron_spool_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_t, user_mail_tmp_t, user_tmp_t, useradd_exec_t, userhelper_conf_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uucpd_initrc_exec_t, uucpd_tmp_t, uuidd_initrc_exec_t, uux_exec_t, var_spool_t, varnishd_etc_t, varnishd_initrc_exec_t, varnishd_tmp_t, varnishlog_initrc_exec_t, vdagentd_initrc_exec_t, vhostmd_initrc_exec_t, virsh_exec_t, virt_content_t, virt_etc_t, virt_home_t, virt_qemu_ga_tmp_t, virt_qemu_ga_unconfined_exec_t, virt_tmp_t, virtd_initrc_exec_t, virtd_lxc_exec_t, vlock_exec_t, vmblock_t, vmtools_helper_exec_t, vmtools_tmp_t, vmware_conf_t, vmware_exec_t, vmware_file_t, vmware_host_tmp_t, vmware_sys_conf_t, vmware_tmp_t, vmware_tmpfs_t, vnstat_exec_t, vnstatd_initrc_exec_t, vpnc_exec_t, vpnc_tmp_t, vxfs_t, w3c_validator_tmp_t, watchdog_initrc_exec_t, watchdog_unconfined_exec_t, wdmd_initrc_exec_t, webadm_tmp_t, webalizer_etc_t, webalizer_exec_t, webalizer_tmp_t, wine_exec_t, wine_home_t, wireshark_exec_t, wireshark_home_t, wireshark_tmp_t, wireshark_tmpfs_t, wpa_cli_exec_t, xauth_exec_t, xauth_home_t, xauth_tmp_t, xdm_etc_t, xdm_exec_t, xdm_home_t, xdm_rw_etc_t, xdm_unconfined_exec_t, xdm_var_run_t, xend_tmp_t, xenfs_t, xenstored_tmp_t, xserver_etc_t, xserver_exec_t, xserver_tmpfs_t, ypbind_initrc_exec_t, ypbind_tmp_t, ypserv_conf_t, ypserv_tmp_t, zabbix_agent_initrc_exec_t, zabbix_initrc_exec_t, zabbix_script_exec_t, zabbix_tmp_t, zarafa_deliver_tmp_t, zarafa_etc_t, zarafa_indexer_tmp_t, zarafa_server_tmp_t, zarafa_var_lib_t, zebra_conf_t, zebra_initrc_exec_t, zebra_tmp_t, zoneminder_initrc_exec_t, zos_remote_exec_t. 
Then execute: 
restorecon -v 'antiX-15-V_x64-base.iso'


*****  Plugin catchall (1.73 confidence) suggests   **************************

If you believe that pool should be allowed read access on the antiX-15-V_x64-base.iso file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep pool /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                unconfined_u:object_r:unlabeled_t:s0
Target Objects                antiX-15-V_x64-base.iso [ file ]
Source                        pool
Source Path                   pool
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.8.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.1.4-200.fc22.x86_64
                              #1 SMP Tue Aug 4 03:22:33 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-08-12 08:45:57 EDT
Last Seen                     2015-08-12 08:45:57 EDT
Local ID                      1c1bc8b5-57ca-4221-89fe-b1274111b1c8

Raw Audit Messages
type=AVC msg=audit(1439383557.542:600): avc:  denied  { read } for  pid=3545 comm="pool" name="antiX-15-V_x64-base.iso" dev="dm-2" ino=262253 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0


Hash: pool,mozilla_plugin_t,unlabeled_t,file,read
"

Comment 9 Daniel Walsh 2015-08-13 09:51:09 UTC
Where is this iso?  You should just need to run restorecon on it.

What firefox plugin is reading an ISO?


Note You need to log in before you can comment on or make changes to this bug.