Hi, I'm the dhcp package maintainer and I've been thinking about changing the way /sbin/dhclient-script sets the hostname (obtained from the DHCP server). Now it uses the legacy 'hostname' utility, but it'd be better to use 'hostnamectl set-hostname --transient --no-ask-password'. Do you think it'd be possible to change the policy to allow it?
From /var/log/audit/audit.log:
msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.hostname1 member=SetHostname dest=org.freedesktop.hostname1 spid=1177 tpid=1178 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle. Changing version to '23'. (As we did not run this process for some time, it could affect also pre-Fedora 23 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
Maybe this bug has an impact on Red Hat bug 1241712 comment 4
Jiri, does it work correctly with a local policy for this AVC?
After creating local policy for the AVC in comment #0 there was one more AVC:
type=USER_AVC msg=audit(1444729900.815:2459): pid=928 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.465 spid=28893 tpid=28935 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=unconfined_u:system_r:dhcpc_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Since I added also that one to the local policy, everything seems to be working OK. I'll attach the te file created from those two AVCs via audit2allow.
Created attachment 1082324: te file for local policy
This was created via
# cat audit.log | audit2allow -m dhcpchostname > dhcpchostname.te
Compiling and loading the module fixes the problem:
# checkmodule -M -m -o dhcpchostname.mod dhcpchostname.te
# semodule_package -o dhcpchostname.pp -m dhcpchostname.mod
# semodule -i dhcpchostname.pp
ping, can we move forward with this?
I believe Vit is working on a pull request with fixes.
commit 7dd4cfb0b3c072d0aad298dc77a42b9844eceef6
Merge: 02f981d 754cbf0
Author: Miroslav Grepl <mgrepl>
Date: Thu Nov 12 08:31:02 2015 +0100

    Merge pull request #63 from vmojzis/f23-base

    Allow systemd-hostnamed to communicate with dhcp via dbus.

commit 754cbf035b40e06a4f37d63efa61e7c28dfdac8e
Author: Vit Mojzis <vmojzis>
Date: Wed Nov 11 16:49:13 2015 +0100

    Allow systemd-hostnamed to communicate with dhcp via dbus. #1242583
selinux-policy-3.13.1-155.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-0d84d6c75f
selinux-policy-3.13.1-155.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.