SELinux is preventing /usr/lib/systemd/systemd-hostnamed from read access on the chr_file . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that systemd-hostnamed should be allowed read access on the chr_file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:systemd_hostnamed_t:s0 Target Context system_u:object_r:tmpfs_t:s0 Target Objects [ chr_file ] Source systemd-hostnam Source Path /usr/lib/systemd/systemd-hostnamed Port <Unknown> Host localhost.localdomain Source RPM Packages systemd-212-4.fc21.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-50.fc21.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 3.15.0-0.rc4.git4.1.fc21.x86_64 #1 SMP Fri May 9 14:09:57 UTC 2014 x86_64 x86_64 Alert Count 12 First Seen 2014-04-27 23:26:20 PDT Last Seen 2014-05-11 14:30:24 PDT Local ID 47da2187-958b-4dcf-8d01-b9d8a6cabbc6 Raw Audit Messages type=AVC msg=audit(1399843824.658:362): avc: denied { read } for pid=13203 comm="systemd-hostnam" name="urandom" dev="tmpfs" ino=43758 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=chr_file type=SYSCALL msg=audit(1399843824.658:362): arch=x86_64 syscall=open success=no exit=EACCES a0=7f14c5e77b09 a1=80100 a2=0 a3=0 items=0 ppid=1 pid=13203 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null) Hash: systemd-hostnam,systemd_hostnamed_t,tmpfs_t,chr_file,read
hostnamed runs with PrivateDevices=yes. This has the effect that systemd mounts a private tmpfs instance into its namespace for /dev with /dev/null and /dev/urandom. Access to the latter is what you see here. Selinux should allow thatvreally.
See https://bugzilla.redhat.com/show_bug.cgi?id=1081429#c6
*** This bug has been marked as a duplicate of bug 1081429 ***