Description of problem:
After upgrading from selinux-policy 244 to 245, `hostnamectl set-hostname some.hostname` prints an error and generates this AVC. With 244 it does not.

SELinux is preventing systemd-hostnam from 'create' accesses on the file .#hostnameC0Zq0X.

***** Plugin catchall_labels (83.8 confidence) suggests *******************

If you want to allow systemd-hostnam to have create access on the .#hostnameC0Zq0X file
Then you need to change the label on .#hostnameC0Zq0X
Do
# semanage fcontext -a -t FILE_TYPE '.#hostnameC0Zq0X'
where FILE_TYPE is one of the following: hostname_etc_t.
Then execute:
restorecon -v '.#hostnameC0Zq0X'

***** Plugin catchall (17.1 confidence) suggests **************************

If you believe that systemd-hostnam should be allowed create access on the .#hostnameC0Zq0X file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-hostnam' --raw | audit2allow -M my-systemdhostnam
# semodule -X 300 -i my-systemdhostnam.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                .#hostnameC0Zq0X [ file ]
Source                        systemd-hostnam
Source Path                   systemd-hostnam
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-245.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.0-0.rc2.git2.2.fc26.x86_64 #1 SMP Wed Mar 15 19:55:36 UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-03-17 17:59:34 PDT
Last Seen                     2017-03-17 17:59:34 PDT
Local ID                      2c43f0fe-57e0-4b4d-b945-9dc8f1476942

Raw Audit Messages
type=AVC msg=audit(1489798774.378:269): avc: denied { create } for pid=3807 comm="systemd-hostnam" name=".#hostnameC0Zq0X" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

Hash: systemd-hostnam,systemd_hostnamed_t,etc_t,file,create

Version-Release number of selected component:
selinux-policy-3.13.1-245.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc2.git2.2.fc26.x86_64
type:           libreport
Adam, did you update systemd with the selinux-policy package? I don't think this issue is connected to the update, but I improved the rules for the systemd_hostnamed_t domain. Should be fixed now.
selinux-policy-3.13.1-246.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-58233b1a16
No. I tested updating *just* selinux-policy. Before the update setting the hostname worked and produced no AVC. After the update, setting hostname produced the error and the AVC.
selinux-policy-3.13.1-246.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-58233b1a16
selinux-policy-3.13.1-246.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.