Bug 1976684 - [RHEL-9.0] avc: denied { add_name } for comm="systemd-hostnam" name=".#default-hostnamenhVgzU"
Summary: [RHEL-9.0] avc: denied { add_name } for comm="systemd-hostnam" name=".#defau...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: 9.1
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-06-28 03:05 UTC by Yongcheng Yang
Modified: 2022-11-15 12:56 UTC (History)
CC List: 6 users

Fixed In Version: selinux-policy-34.1.40-1.el9
Doc Type: Bug Fix
Doc Text:
Cause: Systemd-hostnamed creates files in /run/systemd/* with the wrong label, which leads to the following SELinux denial.
Consequence: SELinux is preventing systemd-hostnam from add_name access on the directory .#default-hostnamenhVgzU.
Fix: Allow systemd_hostnamed_t to create files in /run/systemd/* with label hostnamed_etc_t.
Result: No AVC.
Clone Of:
Environment:
Last Closed: 2022-11-15 11:13:13 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Attachments:

Links:
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2022:8283 | 0 | None | None | None | 2022-11-15 11:13:38 UTC

Description Yongcheng Yang 2021-06-28 03:05:46 UTC
Description of problem:
Even on a newer version than selinux-policy-34.1.7-1.el9 (for Bug 1966492) there still exists a similar AVC after executing the `hostnamectl` command.

type=AVC msg=audit(1624848894.585:670): avc:  denied  { add_name } for  pid=42286 comm="systemd-hostnam" name=".#default-hostnamenhVgzU" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0


Version-Release number of selected component (if applicable):
selinux-policy-34.1.9-1.el9

How reproducible:
always

Steps to Reproduce:
1. hostnamectl set-hostname ""

Actual results:
[root@ibm-x3850x5-03-vm-01 ~]# grep denied /var/log/audit/audit.log
[root@ibm-x3850x5-03-vm-01 ~]# hostnamectl 
 Static hostname: ibm-x3850x5-03-vm-01.rhts.eng.pek2.redhat.com
       Icon name: computer-vm
         Chassis: vm
      Machine ID: 31814cc3aa8845248f6924f164e40405
         Boot ID: 04dbf3c5016f4999897ac0db2587c22c
  Virtualization: kvm
Operating System: Red Hat Enterprise Linux 9.0 Beta (Plow)
     CPE OS Name: cpe:/o:redhat:enterprise_linux:9::baseos
          Kernel: Linux 5.13.0-0.rc7.51.el9.x86_64
    Architecture: x86-64
 Hardware Vendor: Red Hat
  Hardware Model: KVM
[root@ibm-x3850x5-03-vm-01 ~]# grep denied /var/log/audit/audit.log
[root@ibm-x3850x5-03-vm-01 ~]# hostnamectl set-hostname ""
[root@ibm-x3850x5-03-vm-01 ~]# hostnamectl 
   Static hostname: n/a                                                                        
Transient hostname: ibm-x3850x5-03-vm-01.rhts.eng.pek2.redhat.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 31814cc3aa8845248f6924f164e40405
           Boot ID: 04dbf3c5016f4999897ac0db2587c22c
    Virtualization: kvm
  Operating System: Red Hat Enterprise Linux 9.0 Beta (Plow)
       CPE OS Name: cpe:/o:redhat:enterprise_linux:9::baseos
            Kernel: Linux 5.13.0-0.rc7.51.el9.x86_64
      Architecture: x86-64
   Hardware Vendor: Red Hat
    Hardware Model: KVM
[root@ibm-x3850x5-03-vm-01 ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1624848894.585:670): avc:  denied  { add_name } for  pid=42286 comm="systemd-hostnam" name=".#default-hostnamenhVgzU" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
[root@ibm-x3850x5-03-vm-01 ~]# hostnamectl set-hostname "$HOSTNAME"
[root@ibm-x3850x5-03-vm-01 ~]# rpm -q selinux-policy
selinux-policy-34.1.9-1.el9.noarch
[root@ibm-x3850x5-03-vm-01 ~]# 
[root@ibm-x3850x5-03-vm-01 ~]# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing systemd-hostnam from add_name access on the directory .#default-hostnamenhVgzU.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that systemd-hostnam should be allowed add_name access on the .#default-hostnamenhVgzU directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-hostnam' --raw | audit2allow -M my-systemdhostnam
# semodule -X 300 -i my-systemdhostnam.pp


Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:init_var_run_t:s0
Target Objects                .#default-hostnamenhVgzU [ dir ]
Source                        systemd-hostnam
Source Path                   systemd-hostnam
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.9-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.9-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ibm-x3850x5-03-vm-01.rhts.eng.pek2.redhat.com
Platform                      Linux
                              ibm-x3850x5-03-vm-01.rhts.eng.pek2.redhat.com
                              5.13.0-0.rc7.51.el9.x86_64 #1 SMP Tue Jun 22
                              12:56:04 EDT 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-06-27 22:54:54 EDT
Last Seen                     2021-06-27 22:54:54 EDT
Local ID                      2c73be75-5185-4bca-8a73-5cc3c7dae8d2

Raw Audit Messages
type=AVC msg=audit(1624848894.585:670): avc:  denied  { add_name } for  pid=42286 comm="systemd-hostnam" name=".#default-hostnamenhVgzU" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0


Hash: systemd-hostnam,systemd_hostnamed_t,init_var_run_t,dir,add_name

[root@ibm-x3850x5-03-vm-01 ~]# 


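As an added example (not part of the bug report and not selinux-policy code), the Python script below does the triage step a defender performs on output like the above: it parses raw AVC records, keys each denial the way sealert's `Hash:` line does, and looks the key up in a table of denials already fixed by a shipped policy build. The only table entry is this bug's own signature and its "Fixed In Version"; the table itself and the `PROCTITLE` sample line are constructed for the example.

```python
import re
from collections import Counter

# Kernel AVC record as logged in /var/log/audit/audit.log (name= is optional).
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)\s+'
    r'permissive=(?P<permissive>[01])')

# Signatures already fixed in a shipped policy build: this bug's "Hash:" line
# mapped to its "Fixed In Version" (constructed table; a deployment would load it).
KNOWN_FIXED = {"systemd-hostnam,systemd_hostnamed_t,init_var_run_t,dir,add_name":
               "selinux-policy-34.1.40-1.el9"}

def parse_avc(line):
    """Return the fields of one AVC record, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()           # "{ read write }" -> list
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:TYPE:level
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def sealert_hash(rec):
    """Same key sealert prints after 'Hash:': comm,stype,ttype,tclass,perms."""
    return ",".join([rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], ",".join(rec["perms"])])

def triage(log_text):
    """Count enforced denials per signature -> {sig: (count, fixed_in_or_None)}."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec["permissive"] == "0":  # skip permissive-mode noise
            counts[sealert_hash(rec)] += 1
    return {sig: (n, KNOWN_FIXED.get(sig)) for sig, n in counts.items()}

# Two AVC lines copied from this report plus one constructed non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1624848894.585:670): avc:  denied  { add_name } for  pid=42286 comm="systemd-hostnam" name=".#default-hostnamenhVgzU" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(1624848894.585:670): proctitle="/usr/lib/systemd/systemd-hostnamed"
type=AVC msg=audit(1638157281.884:402): avc:  denied  { add_name } for  pid=19561 comm="systemd-hostnam" name=".#default-hostnameRy0mHd" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
"""

if __name__ == "__main__":
    for sig, (n, fix) in triage(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x {sig} -> {'fixed in ' + fix if fix else 'unknown, report it'}")
```

Feed it `ausearch -m avc --raw` output instead of the sample and any signature with no entry in the table is a denial that still needs a bug report or a local module.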
Comment 1 Zdenek Pytela 2021-11-26 14:17:52 UTC
Hi,

I cannot reproduce this issue. Are there any special conditions required?

If it still appears on your system, please enable full auditing and provide audit logs:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line to the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
  # service auditd restart
5) Re-run your scenario
6) Collect AVC denials:
  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today

Comment 2 Yongcheng Yang 2021-11-29 03:47:35 UTC
Yes, I can still reproduce this issue.
To trigger this warning we need to set an empty hostname, i.e. `hostnamectl set-hostname ""`.

[root@hp-dl380pg8-14 ~]# rpm -q selinux-policy
selinux-policy-34.1.18-1.el9.noarch
[root@hp-dl380pg8-14 ~]# vi /etc/audit/rules.d/audit.rules
[root@hp-dl380pg8-14 ~]# grep ^[^#] /etc/audit/rules.d/audit.rules
-D
-b 8192
--backlog_wait_time 60000
-f 1
-w /etc/shadow -p w
[root@hp-dl380pg8-14 ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
[root@hp-dl380pg8-14 ~]# > /var/log/audit/audit.log
[root@hp-dl380pg8-14 ~]# hostname
hp-dl380pg8-14.rhts.eng.pek2.redhat.com
[root@hp-dl380pg8-14 ~]# hostnamectl set-hostname ""
[root@hp-dl380pg8-14 ~]# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1638157281.884:402): avc:  denied  { add_name } for  pid=19561 comm="systemd-hostnam" name=".#default-hostnameRy0mHd" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
[root@hp-dl380pg8-14 ~]#
[root@hp-dl380pg8-14 ~]# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=PROCTITLE msg=audit(11/28/2021 22:41:21.884:402) : proctitle=/usr/lib/systemd/systemd-hostnamed
type=PATH msg=audit(11/28/2021 22:41:21.884:402) : item=0 name=/run/systemd/ inode=2 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:init_var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/28/2021 22:41:21.884:402) : cwd=/
type=SYSCALL msg=audit(11/28/2021 22:41:21.884:402) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55a652679b50 a2=O_RDWR|O_CREAT|O_EXCL|O_CLOEXEC a3=0x180 items=1 ppid=1 pid=19561 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(11/28/2021 22:41:21.884:402) : avc:  denied  { add_name } for  pid=19561 comm=systemd-hostnam name=.#default-hostnameRy0mHd scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:init_var_run_t:s0 tclass=dir permissive=0
[root@hp-dl380pg8-14 ~]#
[root@hp-dl380pg8-14 ~]#

Comment 26 errata-xmlrpc 2022-11-15 11:13:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8283

