Bug 1242583 - allow dhcpc_t systemd_hostnamed_t:dbus send_msg
Summary: allow dhcpc_t systemd_hostnamed_t:dbus send_msg
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 23
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Vit Mojzis
QA Contact: Ben Levenson
Depends On:
Reported: 2015-07-13 16:11 UTC by Jiri Popelka
Modified: 2015-11-26 20:58 UTC

Fixed In Version: selinux-policy-3.13.1-155.fc23
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-11-26 20:58:14 UTC
Type: Bug

Attachments
te file for local policy (292 bytes, text/plain)
2015-10-13 10:40 UTC, Jiri Popelka

Links
System: Red Hat Bugzilla; ID: Red Hat 1241712; Private: 1; Priority: None; Status: None; Summary: None; Last Updated: 2021-01-20 06:05:38 UTC

Internal Links: Red Hat 1241712

Description Jiri Popelka 2015-07-13 16:11:27 UTC

I'm the dhcp package maintainer and I've been thinking about changing the way
/sbin/dhclient-script sets the hostname (obtained from the DHCP server).
Now it uses the legacy 'hostname' utility, but it'd be better to use
'hostnamectl set-hostname --transient --no-ask-password'.

Do you think it'd be possible to change the policy to allow it?

From /var/log/audit/audit.log:

msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetHostname dest=org.freedesktop.hostname1 spid=1177 tpid=1178 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Comment 1 Jan Kurik 2015-07-15 13:17:46 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:

Comment 2 Fabian Deutsch 2015-10-12 13:39:36 UTC
Maybe this bug has an impact on Red Hat bug 1241712 comment 4

Comment 3 Miroslav Grepl 2015-10-12 17:01:16 UTC
Does it work correctly with a local policy for this AVC?

Comment 4 Jiri Popelka 2015-10-13 10:33:46 UTC
After creating local policy for the AVC in comment #0 there was one more AVC:

type=USER_AVC msg=audit(1444729900.815:2459): pid=928 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.465 spid=28893 tpid=28935 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Since I also added that one to the local policy, everything seems to be working OK. I'll attach the te file created from those two AVCs via audit2allow.

Comment 5 Jiri Popelka 2015-10-13 10:40:33 UTC
Created attachment 1082324
te file for local policy

This was created via
# cat audit.log | audit2allow -m dhcpchostname > dhcpchostname.te

Compiling and loading the module fixes the problem:
# checkmodule -M -m -o dhcpchostname.mod dhcpchostname.te
# semodule_package -o dhcpchostname.pp -m dhcpchostname.mod
# semodule -i dhcpchostname.pp

Comment 6 Jiri Popelka 2015-11-02 12:01:14 UTC
ping, can we move forward with this?

Comment 7 Miroslav Grepl 2015-11-09 19:08:57 UTC
I believe Vit is working on a pull request with fixes.

Comment 8 Vit Mojzis 2015-11-12 08:50:03 UTC
commit 7dd4cfb0b3c072d0aad298dc77a42b9844eceef6
Merge: 02f981d 754cbf0
Author: Miroslav Grepl <mgrepl>
Date:   Thu Nov 12 08:31:02 2015 +0100

    Merge pull request #63 from vmojzis/f23-base
    Allow systemd-hostnamed to communicate with dhcp via dbus.

commit 754cbf035b40e06a4f37d63efa61e7c28dfdac8e
Author: Vit Mojzis <vmojzis>
Date:   Wed Nov 11 16:49:13 2015 +0100

    Allow systemd-hostnamed to communicate with dhcp via dbus. #1242583

Comment 9 Fedora Update System 2015-11-20 13:16:03 UTC
selinux-policy-3.13.1-155.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f

Comment 10 Fedora Update System 2015-11-22 14:26:13 UTC
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f

Comment 11 Fedora Update System 2015-11-26 20:57:30 UTC
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
