Bug 1274988 - Selinux avc denial for systemd-hostnamed
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: systemd
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: systemd-maint
QA Contact: qe-baseos-daemons
Blocks: 1400961 1472751

Reported: 2015-10-24 11:29 EDT by Steeve Goveas
Modified: 2017-10-03 21:24 EDT
CC List: 9 users
Type: Bug

Attachments: None
Description Steeve Goveas 2015-10-24 11:29:51 EDT
Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-23.ael7b.noarch

Actual results:

Info: Searching AVC errors produced since 1445602913.79 (Fri Oct 23 08:21:53 2015)
Searching logs...
Running '/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts 10/23/2015 08:21:53 < /dev/null >/mnt/testarea/tmp.rhts-db-submit-result.CRjznt 2>&1'
----
time->Fri Oct 23 08:22:06 2015
type=SYSCALL msg=audit(1445602926.012:78): arch=c0000015 syscall=38 success=no exit=-13 a0=1000a99d190 a1=375ef1d0 a2=21 a3=6d items=0 ppid=1 pid=17823 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1445602926.012:78): avc:  denied  { unlink } for  pid=17823 comm="systemd-hostnam" name="hostname" dev="dm-0" ino=135968053 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Fail: AVC messages found.
Checking for errors...
Using stronger AVC checks.
	Define empty RHTS_OPTION_STRONGER_AVC parameter if this causes any problems.
Running 'cat /mnt/testarea/tmp.rhts-db-submit-result.CRjznt | /sbin/ausearch -m AVC -m SELINUX_ERR'
Fail: AVC messages found.
Running 'cat %s | /sbin/ausearch -m USER_AVC >/mnt/testarea/tmp.rhts-db-submit-result.FYAEUb 2>&1'
Info: No AVC messages found.
/bin/grep 'avc: ' /mnt/testarea/dmesg.log | /bin/grep --invert-match TESTOUT.log
No AVC messages found in dmesg
Running '/usr/sbin/sestatus'
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28
Running 'rpm -q selinux-policy || true'
selinux-policy-3.13.1-23.ael7b.noarch
Comment 2 Miroslav Grepl 2015-10-26 02:58:44 EDT
I believe we have fixes for this in Fedora.
Comment 3 Giovanni Tirloni 2017-02-10 20:55:00 EST
Experiencing a similar issue on a fresh install of CentOS 7.3

/var/log/audit/audit.log:

type=SERVICE_START msg=audit(1486777537.759:107): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486777537.760:108): avc:  denied  { read } for  pid=1911 comm="systemd-hostnam" name="machine-info" dev="vda1" ino=513 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1486777537.760:108): arch=c000003e syscall=2 success=no exit=-13 a0=7f3edaa17f54 a1=80000 a2=1b6 a3=24 items=0 ppid=1 pid=1911 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1486777537.764:109): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

audit2allow output:

#============= systemd_hostnamed_t ==============

#!!!! WARNING: 'unlabeled_t' is a base type.
allow systemd_hostnamed_t unlabeled_t:file read;

Files:

$ ls -lZ /etc/machine-info  /usr/lib/systemd/systemd /usr/lib/systemd/systemd-hostnamed
-rw-r--r--. root root system_u:object_r:unlabeled_t:s0 /etc/machine-info
-rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /usr/lib/systemd/systemd
-rwxr-xr-x. root root system_u:object_r:systemd_hostnamed_exec_t:s0 /usr/lib/systemd/systemd-hostnamed


Workaround:

# fixfiles -f relabel
Cleaning out /tmp
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
Warning: Skipping the following R/O filesystems:
/sys/fs/cgroup
Relabeling / /dev /dev/hugepages /dev/mqueue /dev/pts /dev/shm /run /run/user/0 /sys
100.0%
Cleaning up labels on /tmp

$ ls -lZ /etc/machine-info  /usr/lib/systemd/systemd /usr/lib/systemd/systemd-hostnamed
-rw-r--r--. root root system_u:object_r:hostname_etc_t:s0 /etc/machine-info
-rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /usr/lib/systemd/systemd
-rwxr-xr-x. root root system_u:object_r:systemd_hostnamed_exec_t:s0 /usr/lib/systemd/systemd-hostnamed


VM was installed by virt-builder / virt-install on a KVM hypervisor.
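The two denials quoted in this bug are different problems that the same `audit2allow` output would paper over: comment 3's denial targets `unlabeled_t`, which is a labeling fault that the `fixfiles` relabel in the workaround fixes, while the description's denial targets `etc_t`, where the label is correct and the policy lacks a rule. The following Python script, an added example and not code from the bug report or from the SELinux tooling, parses constructed copies of both audit records and sorts them into "relabel" versus "policy gap". The decision rule (`LABEL_PROBLEM_TYPES`), the function names and the remediation hints are assumptions made for the example.

```python
"""Triage SELinux AVC denials: mislabeled target or missing policy rule?

Added example for this bug, not code from the report or from the SELinux
tooling. The sample log is constructed from the denials quoted in the
description (/etc/hostname, tcontext etc_t) and in comment 3
(/etc/machine-info, tcontext unlabeled_t). The classification rule is an
assumption: a target type of unlabeled_t or default_t means the file's
label is wrong and restorecon is the fix; any other type means the label is
plausible and the denial is a policy gap, for which the audit2allow-style
rule is produced for a human to judge.
"""
import re

# Constructed sample: one AVC record from each comment, plus the non-AVC
# records that surround them in audit.log, to show only type=AVC lines count.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1445602926.012:78): arch=c0000015 syscall=38 success=no exit=-13 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1445602926.012:78): avc:  denied  { unlink } for  pid=17823 comm="systemd-hostnam" name="hostname" dev="dm-0" ino=135968053 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SERVICE_START msg=audit(1486777537.759:107): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" res=success'
type=AVC msg=audit(1486777537.760:108): avc:  denied  { read } for  pid=1911 comm="systemd-hostnam" name="machine-info" dev="vda1" ino=513 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
"""

# key=value pairs of an audit record; values may be double-quoted.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The permission set inside "avc:  denied  { ... }".
_PERMS = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')

# Target types that signal a labeling problem, not a policy gap (assumption).
LABEL_PROBLEM_TYPES = {"unlabeled_t", "default_t"}


def parse_avc(line):
    """Parse one type=AVC record into a dict; return None for other records."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if fields.get("type") != "AVC":
        return None
    m = _PERMS.search(line)
    fields["perms"] = m.group(1).split() if m else []
    return fields


def sel_type(context):
    """Type component of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def triage(avc):
    """Classify a parsed denial and produce the matching remediation hint."""
    s_type = sel_type(avc["scontext"])
    t_type = sel_type(avc["tcontext"])
    result = {
        "source_type": s_type,
        "target_type": t_type,
        "tclass": avc.get("tclass", "?"),
        "perms": avc["perms"],
        "name": avc.get("name", "?"),
    }
    if t_type in LABEL_PROBLEM_TYPES:
        # Wrong label: the domain was never meant to reach this type, so an
        # allow rule would legalise access to every file carrying it.
        result["kind"] = "relabel"
        result["rule"] = None
        result["hint"] = ("restorecon -v <path of %s> (dev=%s ino=%s); "
                          "compare with matchpathcon" %
                          (result["name"], avc.get("dev", "?"), avc.get("ino", "?")))
    else:
        # Plausible label: emit the rule audit2allow would, for review.
        result["kind"] = "policy"
        result["rule"] = "allow %s %s:%s { %s };" % (
            s_type, t_type, result["tclass"], " ".join(avc["perms"]))
        result["hint"] = "policy gap: review the rule, then ship it in a module"
    return result


def triage_log(text):
    """Triage every AVC record in an audit log; non-AVC records are skipped."""
    out = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is not None:
            out.append(triage(avc))
    return out


if __name__ == "__main__":
    for r in triage_log(SAMPLE_AUDIT_LOG):
        print("%-7s %s -> %s:%s %s" % (r["kind"], r["source_type"],
                                       r["target_type"], r["tclass"], r["perms"]))
        print("        ", r["rule"] or r["hint"])
```

Run against the sample, the `etc_t` denial yields the rule `allow systemd_hostnamed_t etc_t:file { unlink };` for policy review, while the `unlabeled_t` denial yields no rule and a relabel hint instead; that is the distinction the `#!!!! WARNING: 'unlabeled_t' is a base type.` line from `audit2allow` in comment 3 is pointing at. The `name=` field of an AVC record is only the last path component, so the script reports `dev`/`ino` rather than guessing the full path.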
