Bug 1133368 - SELinux is preventing systemd-hostnam from 'unlink' accesses on the file hostname.
Summary: SELinux is preventing systemd-hostnam from 'unlink' accesses on the file host...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 21
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Brian Lane
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:17e87595f761f76bc6612c45a32...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-25 03:43 UTC by Ankur Sinha (FranciscoD)
Modified: 2014-10-31 00:58 UTC (History)
27 users (show)

Fixed In Version: anaconda-21.48.10-1.fc21
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-20 23:01:35 UTC


Attachments (Terms of Use)

Description Ankur Sinha (FranciscoD) 2014-08-25 03:43:28 UTC
Description of problem:
I *think* I changed the name of my system in gnome > settings > details.
SELinux is preventing systemd-hostnam from 'unlink' accesses on the file hostname.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow systemd-hostnam to have unlink access on the hostname file
Then you need to change the label on hostname
Do
# semanage fcontext -a -t FILE_TYPE 'hostname'
where FILE_TYPE is one of the following: hostname_etc_t. 
Then execute: 
restorecon -v 'hostname'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that systemd-hostnam should be allowed unlink access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                unconfined_u:object_r:etc_t:s0
Target Objects                hostname [ file ]
Source                        systemd-hostnam
Source Path                   systemd-hostnam
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-75.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.1-300.fc21.x86_64 #1 SMP Thu
                              Aug 14 15:06:34 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-08-25 13:41:50 AEST
Last Seen                     2014-08-25 13:41:50 AEST
Local ID                      b99309ab-e1a4-4019-aeea-474702eac1cb

Raw Audit Messages
type=AVC msg=audit(1408938110.171:647): avc:  denied  { unlink } for  pid=16185 comm="systemd-hostnam" name="hostname" dev="sda3" ino=2891586 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file permissive=0


Hash: systemd-hostnam,systemd_hostnamed_t,etc_t,file,unlink

Version-Release number of selected component:
selinux-policy-3.13.1-75.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.1-300.fc21.x86_64
type:           libreport

Potential duplicate: bug 917275

Comment 1 Miroslav Grepl 2014-08-25 09:08:17 UTC
Your /etc/hostname is mislabeled.

# restorecon -v /etc/hostname

will fix it. Did you place this file by hand or did it happen by default?

Comment 2 Ankur Sinha (FranciscoD) 2014-08-25 09:47:46 UTC
Naw. I didn't place it by hand. It was some system utility - probably gnome settings.

Comment 3 Ankur Sinha (FranciscoD) 2014-08-25 09:48:22 UTC
I've run restorecon. If it comes up again, I'll let you know.

Comment 4 Mathieu Bridon 2014-09-15 07:40:02 UTC
This just happened to me, first login after installing Fedora 21 Alpha TC7.

Seems like something is creating /etc/hostname with the wrong label during the installation?

Comment 5 Flóki Pálsson 2014-09-21 16:34:45 UTC
Description of problem:
Running 
# hostnamectl set-hostname F21TC6 --static
with no error message

in F20 this wsa possible

Version-Release number of selected component:
selinux-policy-3.13.1-82.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.3-300.fc21.x86_64
type:           libreport

Comment 6 Vedran Miletić 2014-09-25 12:51:04 UTC
Description of problem:
Changed hostname with hostnamectl as root

Version-Release number of selected component:
selinux-policy-3.13.1-82.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.3-300.fc21.x86_64
type:           libreport

Comment 7 Daniel Walsh 2014-09-25 14:45:54 UTC
Something tells me this is being created with an alternate name and renamed to /etc/hostname.

Comment 8 James Smith 2014-10-02 11:18:05 UTC
Description of problem:
Changed hostname within 'details'/ 'All Settings'

Version-Release number of selected component:
selinux-policy-3.13.1-84.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.16.3-302.fc21.x86_64
type:           libreport

Comment 9 Zbigniew Jędrzejewski-Szmek 2014-10-03 12:49:03 UTC
(In reply to Daniel Walsh from comment #7)
> Something tells me this is being created with an alternate name and renamed
> to /etc/hostname.

Yes, of course. The file is created as /etc/hostname.XXXXXXX and written and then atomically renamed to /etc/hostname.

Comment 10 Zbigniew Jędrzejewski-Szmek 2014-10-03 13:06:02 UTC
static int context_write_data_static_hostname(Context *c) {
        write_string_file_atomic_label("/etc/hostname", c->data[PROP_STATIC_HOSTNAME]);
}

int write_string_file_atomic_label(const char *fn, const char *line) {
        label_context_set(fn, S_IFREG);
        write_string_file_atomic(fn, line);
        label_context_clear();
}

Comment 11 Daniel Walsh 2014-10-12 11:07:00 UTC
Well this looks like it is mislabeled before systemd touches it, systemd has the proper labeling code to handle it and make sure it is labeled correctly after it modifies it,  But systemd-hostname is prevented from removing the original file since it is labeled incorrectly during the install.

Comment 12 Zbigniew Jędrzejewski-Szmek 2014-10-12 22:27:14 UTC
Yes, /etc/hostname seems to be created 'unconfined'. I think anaconda creates the file, reassigning.

Summary: Installation from F21 Live results in /etc/hostname which has SELinux context unconfined_u:object_r:etc_t:s0 instead of the expected system_u:object_r:hostname_etc_t:s0. This causes problems later when systemd-hostnamed tries to replace the file to set a new value.

Comment 13 Fedora Update System 2014-10-15 13:07:36 UTC
anaconda-21.48.10-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/anaconda-21.48.10-1.fc21

Comment 14 Fedora Update System 2014-10-16 17:18:19 UTC
Package anaconda-21.48.10-1.fc21, pykickstart-1.99.63-2.fc21, python-blivet-0.61.5-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing anaconda-21.48.10-1.fc21 pykickstart-1.99.63-2.fc21 python-blivet-0.61.5-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12944/pykickstart-1.99.63-2.fc21,python-blivet-0.61.5-1.fc21,anaconda-21.48.10-1.fc21
then log in and leave karma (feedback).

Comment 15 Richard J. Turner 2014-10-17 19:50:30 UTC
Description of problem:
Attempted to run 'sudo hostnamectl --static set-hostname ansalon.home'. The command returned with 'Could not set property: Access denied'.

Version-Release number of selected component:
selinux-policy-3.13.1-85.fc21.noarch

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.17.0-301.fc21.x86_64
type:           libreport

Comment 16 Vasilis Keramidas 2014-10-18 09:44:24 UTC
Description of problem:
I tried to set the hostname of my PC using the hostnamectl command

Version-Release number of selected component:
selinux-policy-3.13.1-86.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.1-300.fc21.x86_64
type:           libreport

Comment 17 Kristjan Stefansson 2014-10-18 17:26:30 UTC
user@localhost ~ $ sudo hostnamectl set-hostname --static "Hostname"
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for user: 
Could not set property: Access denied
user@localhost ~ $ su
Password: 
root ~ # hostnamectl set-hostname --static "Hostname"
Could not set property: Access denied
root ~ #  /sbin/restorecon -v /etc/hostname
/sbin/restorecon reset /etc/hostname context unconfined_u:object_r:etc_t:s0->unconfined_u:object_r:hostname_etc_t:s0
root ~ # semanage fcontext -a -t FILE_TYPE '/etc/hostname'
ValueError: Type FILE_TYPE is invalid, must be a file or device type
root ~ # semanage fcontext -a -t hostname_etc_t '/etc/hostname'
root ~ # restorecon -v '/etc/hostname'
root ~ # grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

root ~ # semodule -i mypol.pp
root ~ # hostnamectl set-hostname --static "Hostname"
root ~ # exit

Comment 18 Vasilis Keramidas 2014-10-20 18:58:41 UTC
Description of problem:
Tried to change the hostname using the hostnamectl command

Version-Release number of selected component:
selinux-policy-3.13.1-86.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.1-302.fc21.x86_64
type:           libreport

Comment 19 Fedora Update System 2014-10-20 23:01:35 UTC
anaconda-21.48.10-1.fc21, pykickstart-1.99.63-2.fc21, python-blivet-0.61.5-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Yasuaki Taniguchi 2014-10-25 20:46:16 UTC
Description of problem:
$ su -
Password: Enter password
# hostnamectl set-hostname --static fdrdev01
Could not set property: Access denied

Version-Release number of selected component:
selinux-policy-3.13.1-90.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.16.1-301.fc21.x86_64
type:           libreport

Comment 21 Zbigniew Jędrzejewski-Szmek 2014-10-26 14:47:51 UTC
Richard, Vasilis, Kristjan, Taniguchi: as you can see from comment #12, the selinux policy is fine, and its version is irrelevant. anaconda was changed to run restorecon on /etc/hostname, but that happens only when anaconda is run. You can simply run 'restorecon /etc/hostname' by hand.

Comment 22 Charles Tryon 2014-10-31 00:26:41 UTC
Description of problem:
Installed Fedora 21 (Alpha) and forgot to set hostname in the initial configuration
Later, tried to set the system hostname through the command: sudo hostnamectl set-hostname --static "somethimg.somewhere.net"

Version-Release number of selected component:
selinux-policy-3.13.1-90.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.17.1-304.fc21.x86_64
type:           libreport

Comment 23 Zbigniew Jędrzejewski-Szmek 2014-10-31 00:58:14 UTC
Charles, see comment #21. (Alpha was released on Sep 23, before the update we're talking about here was released.)


Note You need to log in before you can comment on or make changes to this bug.