Bug 1279182
| Summary: | AVC: systemd hostnamed and networkd cannot talk over dbus | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | DaveG <daveg> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 22 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-128.22.fc22 selinux-policy-3.13.1-128.28.fc22 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-05-10 17:57:54 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

commit a71f15f874f9fa82c9970283815e409c0734ba90
Author: Lukas Vrabec <lvrabec>
Date: Wed Dec 2 16:35:59 2015 +0100
Adding support for dbus communication between systemd-networkd and systemd-hostnamed. BZ(1279182)

selinux-policy-3.13.1-128.22.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683

selinux-policy-3.13.1-128.22.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-8083abc683

selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4

selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4

selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Description of problem:
Hosts using systemd-networkd cannot set the host name from DHCP information due to AVC denial on dbus send_msg.

Version-Release number of selected component (if applicable):
kernel-4.2.5-201.fc22.x86_64
selinux-policy-3.13.1-128.18.fc22.noarch
systemd-219-25.fc22.x86_64

How reproducible:
Configure a host to set host name from systemd-networkd DHCP and boot.

Steps to Reproduce:

Actual results:
journal...
... audit[790]: <audit-1107> pid=790 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetHostname dest=org.freedesktop.hostname1 spid=955 tpid=990 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus
... audit[790]: <audit-1107> pid=790 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.7 spid=990 tpid=955 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=dbus

Expected results:
No AVC denials.

Additional info:
fgrep 'send_msg' /var/log/audit/audit.log | audit2allow -r

require {
	type systemd_networkd_t;
	type systemd_hostnamed_t;
	class dbus send_msg;
}

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t systemd_networkd_t:dbus send_msg;

#============= systemd_networkd_t ==============
allow systemd_networkd_t systemd_hostnamed_t:dbus send_msg;
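
An added example, not part of the original report or of the selinux-policy project: a small Python parser for the D-Bus AVC denials quoted above. It keeps the call (`SetHostname`) and the reply as separate records, so the direction of each denial can be reviewed before the candidate rules are derived. The sample input is constructed from the two journal lines in the report, and all function names are illustrative.

```python
import re

# Constructed sample: the two denials quoted in the report, with the elided
# journal prefix ("...") dropped. Field values are copied from the report.
SAMPLE = """\
audit[790]: <audit-1107> pid=790 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetHostname dest=org.freedesktop.hostname1 spid=955 tpid=990 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus
audit[790]: <audit-1107> pid=790 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.7 spid=990 tpid=955 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_networkd_t:s0 tclass=dbus
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_denials(text):
    """Yield one dict per AVC denial line; lines without an AVC are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        kv = dict(KV_RE.findall(m.group("rest")))
        src = selinux_type(kv.get("scontext", ""))
        tgt = selinux_type(kv.get("tcontext", ""))
        if not (src and tgt and "tclass" in kv):
            continue  # truncated record: do not guess missing fields
        yield {"source": src, "target": tgt, "tclass": kv["tclass"].rstrip("'"),
               "perms": m.group("perms").split(), "msgtype": kv.get("msgtype"),
               "member": kv.get("member")}

def candidate_rules(denials):
    """Deduplicated allow rules for human review, in sorted order."""
    rules = {f"allow {d['source']} {d['target']}:{d['tclass']} {p};"
             for d in denials for p in d["perms"]}
    return sorted(rules)

if __name__ == "__main__":
    found = list(parse_denials(SAMPLE))
    for d in found:
        print(d["msgtype"], d["member"], d["source"], "->", d["target"])
    print("\n".join(candidate_rules(found)))
```
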