Bug 948663

Summary: SELinux is preventing /usr/lib/systemd/systemd-hostnamed from 'unlink' accesses on the file hostname.
Product: [Fedora] Fedora
Component: selinux-policy
Version: 19
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Dean Hunter <deanhunter>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dominick.grift, dwalsh, mgrepl
Keywords: Reopened
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:27a36cb31143c6d4f7dae1398c2ddeaed0ab7518922ae485b3ab2d4a155aac58
Doc Type: Bug Fix
Last Closed: 2013-04-19 05:56:48 UTC

Description Dean Hunter 2013-04-05 02:13:09 UTC
Description of problem:
hostnamectl set-hostname fedora19.hunter.org
SELinux is preventing /usr/lib/systemd/systemd-hostnamed from 'unlink' accesses on the file hostname.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-hostnamed should be allowed unlink access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                hostname [ file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-200-3.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-24.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.0-0.rc5.git1.301.fc19.x86_64
                              #1 SMP Tue Apr 2 20:37:45 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-04-04 20:55:16 CDT
Last Seen                     2013-04-04 21:09:07 CDT
Local ID                      dcf1b23b-5c19-4153-9fdd-836e2e6f704c

Raw Audit Messages
type=AVC msg=audit(1365127747.620:441): avc:  denied  { unlink } for  pid=1757 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=276641 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file


type=SYSCALL msg=audit(1365127747.620:441): arch=x86_64 syscall=rename success=no exit=EACCES a0=7fcab6427320 a1=7fcab5c6c588 a2=7fcab644e080 a3=22 items=0 ppid=1 pid=1757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,etc_runtime_t,file,unlink

audit2allow

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file unlink;

audit2allow -R
require {
	type systemd_hostnamed_t;
}

#============= systemd_hostnamed_t ==============
files_create_boot_flag(systemd_hostnamed_t)


Additional info:
hashmarkername: setroubleshoot
kernel:         3.9.0-0.rc5.git1.301.fc19.x86_64
type:           libreport
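
An added example, not part of the original report: a small Python parser that pairs the AVC and SYSCALL records quoted above by their shared audit event ID and rebuilds the rule that audit2allow printed. It shows that the unlink denial was raised by a rename call, since renaming onto an existing name is checked as unlink on the file being replaced. The function names are this example's own.

```python
import re
from collections import defaultdict

# The two records below are copied from "Raw Audit Messages" in this report.
SAMPLE = '''type=AVC msg=audit(1365127747.620:441): avc:  denied  { unlink } for  pid=1757 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=276641 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1365127747.620:441): arch=x86_64 syscall=rename success=no exit=EACCES a0=7fcab6427320 a1=7fcab5c6c588 a2=7fcab644e080 a3=22 items=0 ppid=1 pid=1757 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by (timestamp, serial) so AVC and SYSCALL lines pair up."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        p = PERMS.search(body)
        if rtype == 'AVC' and p:
            fields.update(result=p.group(1), perms=p.group(2).split())
        events[(ts, serial)][rtype] = fields
    return events

def type_of(context):
    """A context is user:role:type:level; policy rules are written on the type."""
    return context.split(':')[2]

def summarize(text):
    """Return one dict per denied AVC: triggering syscall, binary, allow rule."""
    out = []
    for (ts, serial), recs in sorted(parse_events(text).items()):
        avc = recs.get('AVC')
        if not avc or avc.get('result') != 'denied':
            continue
        sc = recs.get('SYSCALL', {})  # may be missing if syscall auditing is off
        perms = avc['perms']
        perm = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rule = 'allow %s %s:%s %s;' % (type_of(avc['scontext']),
                                       type_of(avc['tcontext']), avc['tclass'], perm)
        out.append({'event': serial, 'syscall': sc.get('syscall'),
                    'exe': sc.get('exe'), 'rule': rule})
    return out

if __name__ == '__main__':
    for row in summarize(SAMPLE):
        print(row)
```

Reading the syscall beside the denied permission is a quick way to decide whether a generated allow rule matches what the daemon was actually doing before loading it as a local module.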

Comment 1 Miroslav Grepl 2013-04-05 15:43:23 UTC
/etc/hostname is mislabeled. 

If you run

# restorecon -R -v /etc/hostname

are you able to reproduce this issue then?

Comment 2 Dean Hunter 2013-04-05 22:04:44 UTC
???

Today, after I rebuilt the Fedora 19 VM, there is no error and the file "/etc/hostname" starts with the correct type:

[root@fedora19 ~]# ls -lZ /etc/hostname
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 /etc/hostname

[root@fedora19 ~]# hostnamectl
   Static hostname: fedora19.hunter.org
   Pretty hostname: n/a
         Icon name: computer
           Chassis: n/a
        Machine ID: 6178f68fc74c210c5e37823fb078bed7
           Boot ID: 1183c3175c1a4f5b99a3654a10a308d9
    Virtualization: kvm
  Operating System: Fedora 19 (Schrödinger’s Cat)
       CPE OS Name: cpe:/o:fedoraproject:fedora:19
            Kernel: Linux 3.9.0-0.rc5.git1.301.fc19.x86_64
      Architecture: x86_64

[root@fedora19 ~]# hostnamectl set-hostname "Fedora 19" --pretty

[root@fedora19 ~]# hostnamectl
   Static hostname: fedora19.hunter.org
   Pretty hostname: Fedora 19
         Icon name: computer
           Chassis: n/a
        Machine ID: 6178f68fc74c210c5e37823fb078bed7
           Boot ID: 1183c3175c1a4f5b99a3654a10a308d9
    Virtualization: kvm
  Operating System: Fedora 19 (Schrödinger’s Cat)
       CPE OS Name: cpe:/o:fedoraproject:fedora:19
            Kernel: Linux 3.9.0-0.rc5.git1.301.fc19.x86_64
      Architecture: x86_64

[root@fedora19 ~]# ls -lZ /etc/hostname
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 /etc/hostname


[root@fedora19 ~]# yum list installed selinux-policy
Loaded plugins: langpacks, refresh-packagekit
Installed Packages
selinux-policy.noarch                  3.12.1-24.fc19                  @anaconda

Comment 3 Miroslav Grepl 2013-04-08 09:26:25 UTC
Fixed in selinux-policy-3.12.1-28.fc19.noarch

Comment 4 Fedora Update System 2013-04-08 11:44:37 UTC
selinux-policy-3.12.1-28.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19

Comment 5 Fedora Update System 2013-04-08 15:57:31 UTC
Package selinux-policy-3.12.1-28.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-28.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-5045/selinux-policy-3.12.1-28.fc19
then log in and leave karma (feedback).

Comment 6 Dean Hunter 2013-04-11 15:14:14 UTC
I have verified the correction in selinux-policy-3.12.1-28.fc19 and updated the karma. Thank you for your efforts.

Comment 7 Fedora Update System 2013-04-19 05:56:50 UTC
selinux-policy-3.12.1-28.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.