Bug 1976684

Summary: [RHEL-9.0] avc: denied { add_name } for comm="systemd-hostnam" name=".#default-hostnamenhVgzU"
Product: Red Hat Enterprise Linux 9
Reporter: Yongcheng Yang <yoyang>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 9.0
CC: lvrabec, mmalik, nknazeko, plautrba, ssekidde, xzhou
Target Milestone: beta
Keywords: Reproducer, Triaged
Target Release: 9.1
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-34.1.40-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: Systemd-hostnamed creates files in /run/systemd/* with the wrong label, which leads to the following SELinux denial.
Consequence: SELinux is preventing systemd-hostnam from add_name access on the directory .#default-hostnamenhVgzU.
Fix: Allow systemd_hostnamed_t to create files in /run/systemd/* with the label hostnamed_etc_t.
Result: No AVC
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-11-15 11:13:13 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Yongcheng Yang 2021-06-28 03:05:46 UTC
Description of problem:
Even on a newer version than selinux-policy-34.1.7-1.el9 (for Bug 1966492), there still exists a similar AVC after executing the `hostnamectl` command.

type=AVC msg=audit(1624848894.585:670): avc:  denied  { add_name } for  pid=42286 comm="systemd-hostnam" name=".#default-hostnamenhVgzU" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0


Version-Release number of selected component (if applicable):
selinux-policy-34.1.9-1.el9

How reproducible:
always

Steps to Reproduce:
1. hostnamectl set-hostname ""

Actual results:
[root@ibm-x3850x5-03-vm-01 ~]# grep denied /var/log/audit/audit.log
[root@ibm-x3850x5-03-vm-01 ~]# hostnamectl 
 Static hostname: ibm-x3850x5-03-vm-01.rhts.eng.pek2.redhat.com
       Icon name: computer-vm
         Chassis: vm
      Machine ID: 31814cc3aa8845248f6924f164e40405
         Boot ID: 04dbf3c5016f4999897ac0db2587c22c
  Virtualization: kvm
Operating System: Red Hat Enterprise Linux 9.0 Beta (Plow)
     CPE OS Name: cpe:/o:redhat:enterprise_linux:9::baseos
          Kernel: Linux 5.13.0-0.rc7.51.el9.x86_64
    Architecture: x86-64
 Hardware Vendor: Red Hat
  Hardware Model: KVM
[root@ibm-x3850x5-03-vm-01 ~]# grep denied /var/log/audit/audit.log
[root@ibm-x3850x5-03-vm-01 ~]# hostnamectl set-hostname ""
[root@ibm-x3850x5-03-vm-01 ~]# hostnamectl 
   Static hostname: n/a
Transient hostname: ibm-x3850x5-03-vm-01.rhts.eng.pek2.redhat.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 31814cc3aa8845248f6924f164e40405
           Boot ID: 04dbf3c5016f4999897ac0db2587c22c
    Virtualization: kvm
  Operating System: Red Hat Enterprise Linux 9.0 Beta (Plow)
       CPE OS Name: cpe:/o:redhat:enterprise_linux:9::baseos
            Kernel: Linux 5.13.0-0.rc7.51.el9.x86_64
      Architecture: x86-64
   Hardware Vendor: Red Hat
    Hardware Model: KVM
[root@ibm-x3850x5-03-vm-01 ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1624848894.585:670): avc:  denied  { add_name } for  pid=42286 comm="systemd-hostnam" name=".#default-hostnamenhVgzU" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
[root@ibm-x3850x5-03-vm-01 ~]# hostnamectl set-hostname "$HOSTNAME"
[root@ibm-x3850x5-03-vm-01 ~]# rpm -q selinux-policy
selinux-policy-34.1.9-1.el9.noarch
[root@ibm-x3850x5-03-vm-01 ~]# 
[root@ibm-x3850x5-03-vm-01 ~]# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing systemd-hostnam from add_name access on the directory .#default-hostnamenhVgzU.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-hostnam should be allowed add_name access on the .#default-hostnamenhVgzU directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'systemd-hostnam' --raw | audit2allow -M my-systemdhostnam
# semodule -X 300 -i my-systemdhostnam.pp


Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                .#default-hostnamenhVgzU [ dir ]
Source                        systemd-hostnam
Source Path                   systemd-hostnam
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.9-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.9-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ibm-x3850x5-03-vm-01.rhts.eng.pek2.redhat.com
Platform                      Linux
                              ibm-x3850x5-03-vm-01.rhts.eng.pek2.redhat.com
                              5.13.0-0.rc7.51.el9.x86_64 #1 SMP Tue Jun 22
                              12:56:04 EDT 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-06-27 22:54:54 EDT
Last Seen                     2021-06-27 22:54:54 EDT
Local ID                      2c73be75-5185-4bca-8a73-5cc3c7dae8d2

Raw Audit Messages
type=AVC msg=audit(1624848894.585:670): avc:  denied  { add_name } for  pid=42286 comm="systemd-hostnam" name=".#default-hostnamenhVgzU" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0


Hash: systemd-hostnam,systemd_hostnamed_t,init_var_run_t,dir,add_name

[root@ibm-x3850x5-03-vm-01 ~]# 


Expected results:


Additional info:

Comment 1 Zdenek Pytela 2021-11-26 14:17:52 UTC
Hi,

I cannot reproduce this issue. Are there any special conditions required?

If it still appears on your system, please enable full auditing and provide audit logs:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 2 Yongcheng Yang 2021-11-29 03:47:35 UTC
Yes, I can still reproduce this issue.
To trigger this warning we need to set an empty hostname, i.e. `hostnamectl set-hostname ""`.

[root@hp-dl380pg8-14 ~]# rpm -q selinux-policy
selinux-policy-34.1.18-1.el9.noarch
[root@hp-dl380pg8-14 ~]# vi /etc/audit/rules.d/audit.rules
[root@hp-dl380pg8-14 ~]# grep ^[^#] /etc/audit/rules.d/audit.rules
-D
-b 8192
--backlog_wait_time 60000
-f 1
-w /etc/shadow -p w
[root@hp-dl380pg8-14 ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
[root@hp-dl380pg8-14 ~]# > /var/log/audit/audit.log
[root@hp-dl380pg8-14 ~]# hostname
hp-dl380pg8-14.rhts.eng.pek2.redhat.com
[root@hp-dl380pg8-14 ~]# hostnamectl set-hostname ""
[root@hp-dl380pg8-14 ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1638157281.884:402): avc:  denied  { add_name } for  pid=19561 comm="systemd-hostnam" name=".#default-hostnameRy0mHd" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
[root@hp-dl380pg8-14 ~]#
[root@hp-dl380pg8-14 ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(11/28/2021 22:41:21.884:402) : proctitle=/usr/lib/systemd/systemd-hostnamed
type=PATH msg=audit(11/28/2021 22:41:21.884:402) : item=0 name=/run/systemd/ inode=2 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/28/2021 22:41:21.884:402) : cwd=/
type=SYSCALL msg=audit(11/28/2021 22:41:21.884:402) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55a652679b50 a2=O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC a3=0x180 items=1 ppid=1 pid=19561 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(11/28/2021 22:41:21.884:402) : avc:  denied  { add_name } for  pid=19561 comm=systemd-hostnam name=.#default-hostnameRy0mHd scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
[root@hp-dl380pg8-14 ~]#
[root@hp-dl380pg8-14 ~]#
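
The records above are only useful once the AVC, SYSCALL and PATH lines of the same audit event are read together: the AVC names the denied permission and the labels, the SYSCALL record shows the operation was an `openat` with `O_CREAT|O_EXCL`, and the PATH record with `nametype=PARENT` shows the directory (`/run/systemd/`, labelled `init_var_run_t`) the new file was being created in. The following Python is an added example, not part of this bug report or of selinux-policy: it parses both the `ausearch -i` style and the raw `audit.log` style of record, groups records by audit serial number, and flags a denied `add_name` on a directory that coincides with an `O_CREAT` open as a file-creation denial. The sample records are copied from this report (serial 402 from Comment 2, serial 670 from the Description); the function names are the example's own.

```python
import re
from collections import defaultdict

# Sample records copied from this bug report: the interpreted `ausearch -i`
# event (serial 402) and the raw audit.log AVC line (serial 670).
SAMPLE_RECORDS = """\
type=PROCTITLE msg=audit(11/28/2021 22:41:21.884:402) : proctitle=/usr/lib/systemd/systemd-hostnamed
type=PATH msg=audit(11/28/2021 22:41:21.884:402) : item=0 name=/run/systemd/ inode=2 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/28/2021 22:41:21.884:402) : cwd=/
type=SYSCALL msg=audit(11/28/2021 22:41:21.884:402) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55a652679b50 a2=O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC a3=0x180 items=1 ppid=1 pid=19561 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(11/28/2021 22:41:21.884:402) : avc:  denied  { add_name } for  pid=19561 comm=systemd-hostnam name=.#default-hostnameRy0mHd scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1624848894.585:670): avc:  denied  { add_name } for  pid=42286 comm="systemd-hostnam" name=".#default-hostnamenhVgzU" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
"""

# Header: "type=X msg=audit(<timestamp>:<serial>)" followed by ": " (raw) or " : " (interpreted).
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>.*?):(?P<serial>\d+)\)\s*:\s*(?P<body>.*)$")
# key=value pairs; values may be quoted, or contain a parenthesised remark such as
# exit=EACCES(Permission denied) or tty=(none).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^\s(]*\([^)]*\)|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")


def parse_record(line):
    """Split one audit line into (type, serial, fields); None for non-audit lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    if m.group("type") == "AVC":
        p = PERMS_RE.search(body)
        fields["perms"] = p.group(1).split() if p else []
        fields["verdict"] = "denied" if " denied " in body else "granted"
    return m.group("type"), int(m.group("serial")), fields


def group_events(text):
    """Group records by serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        parsed = parse_record(line)
        if parsed:
            rtype, serial, fields = parsed
            events[serial][rtype].append(fields)
    return events


def context_type(ctx):
    """system_u:object_r:init_var_run_t:s0 -> init_var_run_t"""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize_event(event):
    """Reduce one correlated event to the facts needed for triage."""
    avc = event["AVC"][0]
    summary = {
        "perms": avc["perms"],
        "verdict": avc["verdict"],
        "source_type": context_type(avc["scontext"]),
        "target_type": context_type(avc["tcontext"]),
        "tclass": avc["tclass"],
        "name": avc.get("name"),
        "comm": avc.get("comm"),
    }
    if event["SYSCALL"]:
        sc = event["SYSCALL"][0]
        summary["syscall"] = sc.get("syscall")
        summary["exe"] = sc.get("exe")
        # a2 holds the open flags only for open/openat; other syscalls put something else there.
        if sc.get("syscall") in ("open", "openat"):
            summary["open_flags"] = sc.get("a2", "").split("|")
    for path in event["PATH"]:
        if path.get("nametype") == "PARENT":
            summary["parent_dir"] = path.get("name")
            summary["parent_label"] = context_type(path.get("obj", ""))
    return summary


def is_create_denial(summary):
    """True when a denied add_name on a directory coincides with an O_CREAT open,
    i.e. the process was creating a new file in that directory (a labelling or
    file-transition question rather than a read/write one)."""
    return (summary["verdict"] == "denied"
            and summary["tclass"] == "dir"
            and "add_name" in summary["perms"]
            and "O_CREAT" in summary.get("open_flags", []))


if __name__ == "__main__":
    for serial, event in sorted(group_events(SAMPLE_RECORDS).items()):
        s = summarize_event(event)
        print(serial, s["source_type"], "->", s["target_type"], s["tclass"], s["perms"],
              "parent:", s.get("parent_dir"), "create denial:", is_create_denial(s))
```

A lone raw AVC line (serial 670 here) carries no SYSCALL or PATH record, so the helper cannot confirm a creation; that is exactly why Comment 1 asks for the full `ausearch -i -m avc,...` output rather than a `grep denied` of audit.log.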

Comment 26 errata-xmlrpc 2022-11-15 11:13:13 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283