Description of problem:
AVC denial:

type=USER_AVC msg=audit(1676761204.161:9833): pid=543 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

.te file:

allow logrotate_t systemd_hostnamed_t:dbus send_msg;

Version-Release number of selected component (if applicable):

# rpm -qf /usr/bin/dbus-broker
dbus-broker-32-1.fc36.x86_64

# rpm -qa | grep selinux-policy
selinux-policy-36.17-1.fc36.noarch
selinux-policy-targeted-36.17-1.fc36.noarch

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

# rpm -qa | grep logrotate
logrotate-3.20.1-2.fc36.x86_64

How reproducible:
When logrotate is launched by its own systemd timer. Every time.

Steps to Reproduce:
1. Install logrotate (logrotate is a dependency of many daemon packages)
2. Let it run

Actual results:
Blocked.

Expected results:
Not blocked.

Additional info:
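As an added illustration of where the .te rule in this report comes from (example code, not part of the bug report or of the selinux-policy project): a small script that does, in miniature, what audit2allow does. It parses the USER_AVC record quoted above, plus one constructed kernel-side AVC for a file read, merges the denials by (source type, target type, class) and emits the allow rules wrapped in a loadable .te source. The names SAMPLE_RECORDS, parse_avc, allow_rules and policy_module are the example's own, and the second sample record is invented for the demonstration.

```python
"""Turn SELinux AVC denial records into candidate allow rules.

Added example, not code from this bug report or from the selinux-policy
project: a miniature of what audit2allow does. All names here (SAMPLE_RECORDS,
parse_avc, allow_rules, policy_module) are the example's own.
"""
import re
from collections import defaultdict

# Constructed input. The first record is the USER_AVC line quoted in the
# report; the second is a made-up kernel-side AVC of the shape a postrotate
# command would raise if it read /etc/hosts (labelled net_conf_t) while still
# running in logrotate_t.
SAMPLE_RECORDS = [
    "type=USER_AVC msg=audit(1676761204.161:9833): pid=543 uid=81 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for scontext=system_u:system_r:logrotate_t:s0 "
    "tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus permissive=0 "
    "exe=\"/usr/bin/dbus-broker\" sauid=81 hostname=? addr=? terminal=?'",
    "type=AVC msg=audit(1676761204.200:9834): avc:  denied  { read open } for  "
    "pid=612 comm=\"ejabberdctl\" name=\"hosts\" dev=\"dm-0\" ino=1234 "
    "scontext=system_u:system_r:logrotate_t:s0 "
    "tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0",
]

# Matches both kernel AVC records and the avc: text embedded in a USER_AVC
# msg='...' field; the field list stops at the closing quote, if any.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>[^']*)"
)


def _type_of(context):
    """Return the type of a user:role:type[:range] security context."""
    return context.split(":")[2]


def _perm_text(perms):
    """Render a permission set the way policy sources write it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def parse_avc(record):
    """Parse one audit record; return None if it carries no usable avc: message."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.strip('"')
    try:
        return {
            "verdict": m.group("verdict"),
            "perms": frozenset(m.group("perms").split()),
            "source": _type_of(fields["scontext"]),
            "target": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            # permissive=1 means the access went ahead but would have been
            # denied in enforcing mode; it still needs a rule.
            "permissive": fields.get("permissive") == "1",
        }
    except (KeyError, IndexError):
        return None


def _denials(records):
    return [p for p in map(parse_avc, records) if p and p["verdict"] == "denied"]


def allow_rules(records):
    """Merge denials into deduplicated allow rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for p in _denials(records):
        merged[(p["source"], p["target"], p["tclass"])] |= p["perms"]
    return [f"allow {src} {tgt}:{cls} {_perm_text(perms)};"
            for (src, tgt, cls), perms in sorted(merged.items())]


def policy_module(name, records):
    """Wrap the rules in a .te source with the require block checkmodule needs."""
    denials = _denials(records)
    types = sorted({p["source"] for p in denials} | {p["target"] for p in denials})
    classes = defaultdict(set)
    for p in denials:
        classes[p["tclass"]] |= p["perms"]
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {_perm_text(perms)};" for cls, perms in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(records)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module("local_logrotate", SAMPLE_RECORDS))
```

Run stand-alone it prints a local_logrotate.te whose only rule for the first record is exactly the `allow logrotate_t systemd_hostnamed_t:dbus send_msg;` line from the report. The output can be built and loaded with the usual toolchain (checkmodule -M -m -o local_logrotate.mod local_logrotate.te; semodule_package -o local_logrotate.pp -m local_logrotate.mod; semodule -i local_logrotate.pp), after reading the rules: a denial can also mean a mislabelled file or a missing domain transition, which a blanket allow would hide rather than fix.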
Matthieu, Do you happen to know which system setting is required to trigger this issue? I haven't seen it before and it hasn't been reported by anybody else.
Ah yes, more context :)

This issue is triggered by logrotate when logrotate is trying to move ejabberd logs. The issue is not located in ejabberd. This AVC could happen with any command launched by logrotate. The fact is, there is no other daemon on my system which requires launching a command that itself needs to query systemd-hostnamed.

# ll /etc/logrotate.d
total 52K
-rw-r--r--. 1 root root 155 Jan 19  2022 aide
-rw-r--r--. 1 root root  91 Jan 11  2022 bootlog
-rw-r--r--. 1 root root 130 Oct 14  2019 btmp
-rw-r--r--. 1 root root 160 Aug 29 15:04 chrony
-rw-r--r--. 1 root root  88 Sep  9 13:21 dnf
-rw-r--r--. 1 root root 278 Aug 17  2021 ejabberd
-rw-r--r--. 1 root root  93 Jan  5 18:08 firewalld
-rw-r--r--. 1 root root 514 Jan 28 17:09 named
-rw-r--r--. 1 root root 288 Jun  7  2021 ntpsec.conf
-rw-r--r--. 1 root root 127 Jan 18 09:41 redis
-rw-r--r--. 1 root root 237 Aug 26 23:28 sssd
-rw-r--r--. 1 root root 262 Jan 15 21:16 tor
-rw-r--r--. 1 root root 145 Oct 14  2019 wtmp

# rpm -qf /etc/logrotate.d/ejabberd
ejabberd-20.07-5.fc36.noarch

# cat /etc/logrotate.d/ejabberd
/var/log/ejabberd/ejabberd.log /var/log/ejabberd/erlang.log {
    missingok
    notifempty
    create 0640 ejabberd ejabberd
    sharedscripts
    postrotate
        runuser -s /bin/bash - ejabberd -c "/usr/bin/ejabberdctl reopen-log" >/dev/null 2>/dev/null || true
    endscript
}

# grep runuser /etc/logrotate.d/*
/etc/logrotate.d/ejabberd:        runuser -s /bin/bash - ejabberd -c "/usr/bin/ejabberdctl reopen-log" >/dev/null 2>/dev/null || true

If the ejabberdctl command needs to talk to network resources of the machine, like systemd-hostnamed, or even look at /etc/hosts, I would say "that's normal for network software", I guess...

I can speak for myself: I used to use audit2allow to manage ~10 AVCs triggered by ejabberd, so that AVC was caught with the others. Maybe other people did the same. ejabberd is very hard to manage. The ejabberd package in Fedora was orphaned a few months ago.
There is no custom configuration in /etc/logrotate.conf or /etc/logrotate.d/
This message is a reminder that Fedora Linux 36 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 36 on 2023-05-16. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '36'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 36 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
FEDORA-2023-4cc44986ba has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4cc44986ba
FEDORA-2023-4cc44986ba has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4cc44986ba` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4cc44986ba See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-4cc44986ba has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report.