Bug 1242583

Summary: allow dhcpc_t systemd_hostnamed_t:dbus send_msg
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: high
Reporter: Jiri Popelka <jpopelka>
Assignee: Vit Mojzis <vmojzis>
QA Contact: Ben Levenson <benl>
CC: dwalsh, fdeutsch, jpopelka, mgrepl, vmojzis
Fixed In Version: selinux-policy-3.13.1-155.fc23
Doc Type: Bug Fix
Type: Bug
Last Closed: 2015-11-26 20:58:14 UTC
Attachments: te file for local policy (flags: none)

Description Jiri Popelka 2015-07-13 16:11:27 UTC
Hi,

I'm dhcp package maintainer and I've been thinking about changing the way the
/sbin/dhclient-script sets hostname (obtained from DHCP server).
Now it uses the legacy 'hostname' utility, but it'd be better to use
'hostnamectl set-hostname --transient --no-ask-password'.

Do you think it'd be possible to change the policy to allow it ?

From /var/log/audit/audit.log:

msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetHostname dest=org.freedesktop.hostname1 spid=1177 tpid=1178 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Comment 1 Jan Kurik 2015-07-15 13:17:46 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

Comment 2 Fabian Deutsch 2015-10-12 13:39:36 UTC
Maybe this bug has an impact on bug 1241712 comment 4

Comment 3 Miroslav Grepl 2015-10-12 17:01:16 UTC
Jiri,
does it work correctly with a local policy for this AVC?

Comment 4 Jiri Popelka 2015-10-13 10:33:46 UTC
After creating local policy for the AVC in comment #0 there was one more AVC:

type=USER_AVC msg=audit(1444729900.815:2459): pid=928 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.465 spid=28893 tpid=28935 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Since I added also that one to the local policy, everything seems to be working OK. I'll attach the te file created from those two AVCs via audit2allow.

Comment 5 Jiri Popelka 2015-10-13 10:40:33 UTC
Created attachment 1082324
te file for local policy

This was created via
# cat audit.log | audit2allow -m dhcpchostname > dhcpchostname.te

Compiling and loading the module fixes the problem:
# checkmodule -M -m -o dhcpchostname.mod dhcpchostname.te
# semodule_package -o dhcpchostname.pp -m dhcpchostname.mod
# semodule -i dhcpchostname.pp

Comment 6 Jiri Popelka 2015-11-02 12:01:14 UTC
ping, can we move forward with this ?

Comment 7 Miroslav Grepl 2015-11-09 19:08:57 UTC
I believe Vit is working on a pull request with fixes.

Comment 8 Vit Mojzis 2015-11-12 08:50:03 UTC
commit 7dd4cfb0b3c072d0aad298dc77a42b9844eceef6
Merge: 02f981d 754cbf0
Author: Miroslav Grepl <mgrepl>
Date:   Thu Nov 12 08:31:02 2015 +0100

    Merge pull request #63 from vmojzis/f23-base
    
    Allow systemd-hostnamed to communicate with dhcp via dbus.

commit 754cbf035b40e06a4f37d63efa61e7c28dfdac8e
Author: Vit Mojzis <vmojzis>
Date:   Wed Nov 11 16:49:13 2015 +0100

    Allow systemd-hostnamed to communicate with dhcp via dbus. #1242583

Comment 9 Fedora Update System 2015-11-20 13:16:03 UTC
selinux-policy-3.13.1-155.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f

Comment 10 Fedora Update System 2015-11-22 14:26:13 UTC
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f

Comment 11 Fedora Update System 2015-11-26 20:57:30 UTC
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.