Bug 1040444

Summary: SELinux is preventing /usr/lib/systemd/systemd-hostnamed from using the 'dac_override' capabilities.
Product: [Fedora] Fedora Reporter: Jan Sedlák <jsedlak>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 20CC: dominick.grift, dwalsh, kparal, lvrabec, mgrepl, robatino
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:f79b490581f756e062dbcbdd4c9f3b55e34e49d1f81ebf4eca2cb8700fc60dbb
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-16 15:42:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Sedlák 2013-12-11 12:42:52 UTC 
Description of problem:
Showed during F20 TC5 installation (Live Desktop).
SELinux is preventing /usr/lib/systemd/systemd-hostnamed from using the 'dac_override' capabilities.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that systemd-hostnamed should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:system_r:systemd_hostnamed_t:s0
Target Objects                 [ capability ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-208-8.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.11.10-300.fc20.x86_64 #1 SMP Fri
                              Nov 29 19:16:48 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-12-11 07:40:17 EST
Last Seen                     2013-12-11 07:40:17 EST
Local ID                      962dcd06-3967-4a59-844c-f04261eac0f5

Raw Audit Messages
type=AVC msg=audit(1386765617.130:531): avc:  denied  { dac_override } for  pid=16712 comm="systemd-hostnam" capability=1  scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability


type=SYSCALL msg=audit(1386765617.130:531): arch=x86_64 syscall=open success=yes exit=EIO a0=7f0d8b2b4d20 a1=800c2 a2=180 a3=1 items=0 ppid=1 pid=16712 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,systemd_hostnamed_t,capability,dac_override

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.10-300.fc20.x86_64
type:           libreport

Potential duplicate: bug 1003178
Comment 1 Kamil Páral 2013-12-11 20:02:12 UTC 
Description of problem:
This appeared at the end of the installation on F20 TC5 Live x86_64 with http://vpodzime.fedorapeople.org/f20_blockers_updates.img used.

Additional info:
reporter:       libreport-2.1.9
hashmarkername: setroubleshoot
kernel:         3.11.10-300.fc20.x86_64
type:           libreport
Comment 2 Kamil Páral 2013-12-11 20:33:51 UTC 
This might violate
"There must be no SELinux denial notifications or crash notifications on boot of or during installation from a release-blocking live image, or at first login after a default install of a release-blocking desktop. "
unless it happens only when (certain) updates.img is used (and not without it).
Comment 3 Daniel Walsh 2013-12-11 21:35:30 UTC 
This usually means some file has the wrong ownership on it.  If you can turn on full auditing and recreate the problem.  We could diagnose this better.


If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

Of course it probably will only happen once.
Comment 4 Kamil Páral 2013-12-12 08:31:55 UTC 
This does not happen with F20 RC1. It was probably caused by the updates.img. Removing blocker proposal.