Bug 912036 - SELinux is preventing /usr/lib/systemd/systemd-hostnamed from 'read' accesses on the file pm_profile.
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: i686
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:7ce19211680398fe6b8c755aa22...
Duplicates: 912037 912100 912283 912668 912669 912670 912671 912676 912677 912685 913106
Reported: 2013-02-17 10:59 UTC by Mikhail
Modified: 2013-03-14 03:00 UTC
CC List: 75 users

Doc Type: Bug Fix
Last Closed: 2013-03-14 03:00:06 UTC

Description Mikhail 2013-02-17 10:59:55 UTC
Description of problem:
SELinux is preventing /usr/lib/systemd/systemd-hostnamed from 'read' accesses on the file pm_profile.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-hostnamed should be allowed read access on the pm_profile file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                pm_profile [ file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-197-1.fc18.2.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-78.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.8-202.fc18.i686.PAE #1 SMP Fri
                              Feb 15 17:47:05 UTC 2013 i686 i686
Alert Count                   2
First Seen                    2013-02-17 16:58:24 YEKT
Last Seen                     2013-02-17 16:58:24 YEKT
Local ID                      e1fd1af4-e252-43fe-a31a-96d72b5de697

Raw Audit Messages
type=AVC msg=audit(1361098704.532:349): avc:  denied  { read } for  pid=10179 comm="systemd-hostnam" name="pm_profile" dev="sysfs" ino=697 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file


type=SYSCALL msg=audit(1361098704.532:349): arch=i386 syscall=open success=no exit=EACCES a0=b7743302 a1=88000 a2=1b6 a3=b93f07a8 items=0 ppid=1 pid=10179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,sysfs_t,file,read

audit2allow

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t sysfs_t:file read;

audit2allow -R

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t sysfs_t:file read;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.8-202.fc18.i686.PAE
type:           libreport

Comment 1 Miroslav Grepl 2013-02-18 10:18:15 UTC
*** Bug 912283 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2013-02-18 10:18:24 UTC
*** Bug 912037 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2013-02-18 10:42:02 UTC
commit 33a62dfff572a0954b36313132a99c8b4da2f02e
Author: Miroslav Grepl <mgrepl>
Date:   Mon Feb 18 11:40:44 2013 +0100

    Backport fixes for systemd-hostname policy to F18

Comment 4 Miroslav Grepl 2013-02-18 10:46:35 UTC
Please execute

semanage permissive -a systemd_hostnamed_t

to make this working for now.

Comment 5 Miroslav Grepl 2013-02-18 10:47:28 UTC
*** Bug 912100 has been marked as a duplicate of this bug. ***

Comment 6 mathieu 2013-02-18 12:22:00 UTC
Dropbox, software for synchronizing files
https://www.dropbox.com/
Do you know of a more secure one for Fedora?

Since the last update, SELinux detects a problem when I click on the icon at the top right in Xfce
(minimized application bar)

It still shows me the file manager afterwards


Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 7 Hector Rufrancos 2013-02-18 12:24:47 UTC
1) opened nautilus
2) bug report


Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 8 Steven Stern 2013-02-18 14:12:55 UTC
reboot after yum update

one of 5 hostnamed related messages on system startup


Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 9 Jeremy Beker 2013-02-18 15:59:28 UTC
Launched nautilus from menu.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 10 Simone Deponti 2013-02-18 17:33:36 UTC
The SELinux troubleshoot icon appeared at some time during my daily routine, without any warning.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 11 gabrielevincenzi1982 2013-02-18 20:34:56 UTC
At every boot

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 12 tuxor 2013-02-18 22:28:10 UTC
Open Nautilus

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 13 Guido Kroon 2013-02-18 22:37:48 UTC
Every time I open nautilus.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 14 John Bouras 2013-02-18 23:05:22 UTC
I clicked on my user name at the upper right hand corner, then clicked on "System Settings". In the window that appeared, I clicked on "Details", and this SELinux alert appeared.

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 15 Enzo Ahumada 2013-02-18 23:48:12 UTC
I don't know

Package: (null)
OS Release: Fedora release 18 (Spherical Cow)

Comment 16 Paul Lazaga 2013-02-18 23:59:50 UTC
Opening secondary folder via nautilus

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 17 Fabian Salamanca 2013-02-19 03:10:13 UTC
Just at boot, seems to be systemd

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 18 kyleponting 2013-02-19 07:52:28 UTC
Problem occurs when trying to open "Details" from System Settings menu.

Comment 19 sonbello 2013-02-19 08:10:54 UTC
choose
I don't know


Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 20 Fedora Update System 2013-02-19 09:29:49 UTC
selinux-policy-3.11.1-79.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-79.fc18

Comment 21 Javier Jardón 2013-02-19 11:19:56 UTC
Try to access the "Details" panel in control center

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 22 Miroslav Grepl 2013-02-19 12:07:18 UTC
*** Bug 912676 has been marked as a duplicate of this bug. ***

Comment 23 Miroslav Grepl 2013-02-19 12:07:27 UTC
*** Bug 912671 has been marked as a duplicate of this bug. ***

Comment 24 Miroslav Grepl 2013-02-19 12:07:32 UTC
*** Bug 912670 has been marked as a duplicate of this bug. ***

Comment 25 Miroslav Grepl 2013-02-19 12:07:38 UTC
*** Bug 912669 has been marked as a duplicate of this bug. ***

Comment 26 Miroslav Grepl 2013-02-19 12:07:46 UTC
*** Bug 912668 has been marked as a duplicate of this bug. ***

Comment 27 Miroslav Grepl 2013-02-19 12:07:54 UTC
*** Bug 912677 has been marked as a duplicate of this bug. ***

Comment 28 Miloslav Trmač 2013-02-19 12:11:18 UTC
Tried to select a keyboard layout in GNOME control center.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 29 Miroslav Grepl 2013-02-19 12:57:43 UTC
*** Bug 912685 has been marked as a duplicate of this bug. ***

Comment 30 Steve Searle 2013-02-19 13:22:37 UTC
Running  System Settings -> Detail

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 31 Boricua 2013-02-19 13:44:12 UTC
(In reply to comment #20)
> selinux-policy-3.11.1-79.fc18 has been submitted as an update for Fedora 18.
> https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-79.fc18

I installed the new rpms, rebooted and issue seems to be gone. I am opening Nautilus with no warnings so far.

Comment 32 Daniel Colquitt 2013-02-19 14:20:40 UTC
Opening nautilus

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 33 Peter Hogan-De Paul 2013-02-19 16:32:35 UTC
While loading a USB drive onto the system, I opened Files to wait for it to synchronize.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 34 le.poittevin.laurent 2013-02-19 17:26:32 UTC
Every time Nautilus is opened

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 35 Artur M. 2013-02-19 17:56:18 UTC
Description of problem:
When opening "details" in GNOME control centre, SElinux blocks systemd-hostnamed

Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.8-202.fc18.x86_64
type:           libreport

Comment 36 Joshua Gerrard 2013-02-19 22:17:26 UTC
This happens quite frequently, and results in whatever program I am using crashing. In this specific case it was steam for linux, although it has occurred for things like software updater before.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 37 neil.mcfarlane 2013-02-20 00:57:22 UTC
I opened the file manager

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 38 Scott Plough 2013-02-20 01:25:26 UTC
After a reboot, then logging in, it immediately happened after opening Nautilus.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 39 Gerard Barker 2013-02-20 02:35:21 UTC
Doing update via yumex instead of Software Install program associated with PackageKit which wasn't installing, only downloading

Originally my hostname was fully qualified local only dns address of gbserver.gbdomain.local.

Thinking that this was the issue and having had a difficult experience with installing
Ubuntu on my system, seeing how they suggested the short host name rather than the full one
for the system in install process, so vi /etc/hosts and vi /etc/hostname to just gbserver
to see if that reduced the instances of alerts.

Have just reversed adding short name to loopback in case this has caused the issue as it
would mean two short names for loopback which in hindsight doesn't sound practical?

Cross fingers X


Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 40 Rob K 2013-02-20 03:27:22 UTC
yum update; rebooted.

Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 41 Fedora Update System 2013-02-20 04:01:31 UTC
selinux-policy-3.11.1-79.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 42 NickG 2013-02-20 10:31:51 UTC
I'm still getting this error pop up and my system is up to date.

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from read access on the lnk_file id.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-hostnamed should be allowed read access on the id lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                id [ lnk_file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          slimtop
Source RPM Packages           systemd-197-1.fc18.1.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-78.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     slimtop
Platform                      Linux slimtop 3.7.8-202.fc18.i686 #1 SMP Fri Feb
                              15 17:57:07 UTC 2013 i686 i686
Alert Count                   4
First Seen                    2013-02-19 20:05:34 GMT
Last Seen                     2013-02-20 10:25:41 GMT
Local ID                      3e9a73c2-5184-45c9-9e9e-a28f258348b8

Raw Audit Messages
type=AVC msg=audit(1361355941.518:100): avc:  denied  { read } for  pid=6601 comm="systemd-hostnam" name="id" dev="sysfs" ino=141 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1361355941.518:100): arch=i386 syscall=open success=no exit=EACCES a0=b7725da4 a1=88000 a2=1b6 a3=b7918790 items=0 ppid=1 pid=6601 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,sysfs_t,lnk_file,read

Comment 43 NickG 2013-02-20 10:33:52 UTC
And another one that I didn't file a few days ago:

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from write access on the chr_file kmsg.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-hostnamed should be allowed write access on the kmsg chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:kmsg_device_t:s0
Target Objects                kmsg [ chr_file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          slimtop
Source RPM Packages           systemd-197-1.fc18.1.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-78.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     slimtop
Platform                      Linux slimtop 3.7.8-202.fc18.i686 #1 SMP Fri Feb
                              15 17:57:07 UTC 2013 i686 i686
Alert Count                   2
First Seen                    2013-02-19 20:05:34 GMT
Last Seen                     2013-02-20 10:25:41 GMT
Local ID                      ff000d02-a034-453d-bd0b-a943e7cb57a5

Raw Audit Messages
type=AVC msg=audit(1361355941.458:90): avc:  denied  { write } for  pid=6601 comm="systemd-hostnam" name="kmsg" dev="devtmpfs" ino=1034 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1361355941.458:90): arch=i386 syscall=open success=no exit=EACCES a0=b7727430 a1=88101 a2=0 a3=6 items=0 ppid=1 pid=6601 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,kmsg_device_t,chr_file,write


Should there already be a fix applied to the system? In which case this would indicate it failed to resolve the issue and the bug should be reopened?

Comment 44 Martin Angermeier 2013-02-20 11:27:26 UTC
Got it again today. System updated (no testing repos).

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from read access on the lnk_file id.

*****  Plugin catchall (100. confidence) suggests  ***************************

If sie denken, dass es systemd-hostnamed standardmässig erlaubt sein sollte, read Zugriff auf id lnk_file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                id [ lnk_file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          martin.fedora
Source RPM Packages           systemd-197-1.fc18.1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-78.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     martin.fedora
Platform                      Linux martin.fedora 3.7.7-201.fc18.x86_64 #1 SMP
                              Tue Feb 12 22:35:01 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-02-19 20:13:39 CET
Last Seen                     2013-02-20 12:17:55 CET
Local ID                      1de6ee1e-8a1e-494d-8fe8-6ab04e0feabb

Raw Audit Messages
type=AVC msg=audit(1361359075.879:504): avc:  denied  { read } for  pid=21303 comm="systemd-hostnam" name="id" dev="sysfs" ino=149 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file


type=SYSCALL msg=audit(1361359075.879:504): arch=x86_64 syscall=open success=no exit=EACCES a0=7f595403f890 a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=21303 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,sysfs_t,lnk_file,read

Comment 45 Daniel Walsh 2013-02-20 12:17:48 UTC
*** Bug 913106 has been marked as a duplicate of this bug. ***

Comment 46 Dean Hunter 2013-02-20 21:28:45 UTC
I just applied selinux-policy 3.11.1-79 and rebooted.

Bug Reported thinks the error reported below is a duplicate of this.

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from read access on the file /etc/hostname.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/etc/hostname default label should be etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/hostname

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that systemd-hostnamed should be allowed read access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                /etc/hostname [ file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-197-1.fc18.1.x86_64
Target RPM Packages           systemd-197-1.fc18.1.x86_64
Policy RPM                    selinux-policy-3.11.1-79.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux client18 3.7.8-202.fc18.x86_64 #1 SMP Fri
                              Feb 15 17:33:07 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-02-20 15:16:42 CST
Last Seen                     2013-02-20 15:16:42 CST
Local ID                      6f0f9410-6cf3-4c02-80b8-d57767cb2048

Raw Audit Messages
type=AVC msg=audit(1361395002.237:339): avc:  denied  { read } for  pid=1756 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1836350 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file


type=AVC msg=audit(1361395002.237:339): avc:  denied  { open } for  pid=1756 comm="systemd-hostnam" path="/etc/hostname" dev="dm-1" ino=1836350 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file


type=SYSCALL msg=audit(1361395002.237:339): arch=x86_64 syscall=open success=yes exit=EINTR a0=7fc0e1f6ad68 a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,etc_runtime_t,file,read

audit2allow

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };

audit2allow -R

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };

Comment 47 Dean Hunter 2013-02-25 20:27:55 UTC
After applying selinux-policy-3.11.1-81.fc18 from build ID 397492 to resolve bug report 912813, the SELinux alert changed from /etc/hostname to /etc/machine-info. SELinux Troubleshooter is reporting:

--- Running report_Bugzilla ---
Logging into Bugzilla at https://bugzilla.redhat.com
Checking for duplicates
Bug is already reported: 912100
Bug 912100 is a duplicate, using parent bug 912036
Logging out
Status: CLOSED CURRENTRELEASE https://bugzilla.redhat.com/show_bug.cgi?id=912036

Comment 48 Daniel Walsh 2013-02-26 21:09:24 UTC
Please attach the new AVC messages.

Comment 49 Devon Janitz 2013-02-27 14:58:06 UTC
This is still broken.  Is this the message below you need?  If not tell me where to find it.
Thanks, Devon

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from read access on the file /etc/hostname.

*****  Plugin restorecon (99.5 confidence) suggests  *************************

If you want to fix the label. 
/etc/hostname default label should be etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/hostname

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that systemd-hostnamed should be allowed read access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                /etc/hostname [ file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-197-1.fc18.2.x86_64
Target RPM Packages           systemd-197-1.fc18.2.x86_64
Policy RPM                    selinux-policy-3.11.1-81.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux dcj-fed-lap.fisc.int 3.7.9-201.fc18.x86_64
                              #1 SMP Mon Feb 18 21:07:56 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-02-27 09:51:21 EST
Last Seen                     2013-02-27 09:51:21 EST
Local ID                      3dd67b72-cbae-4c14-80d7-de6672807705

Raw Audit Messages
type=AVC msg=audit(1361976681.265:349): avc:  denied  { read } for  pid=3095 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=919920 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file


type=AVC msg=audit(1361976681.265:349): avc:  denied  { open } for  pid=3095 comm="systemd-hostnam" path="/etc/hostname" dev="dm-1" ino=919920 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file


type=SYSCALL msg=audit(1361976681.265:349): arch=x86_64 syscall=open success=yes exit=EINTR a0=7f968ff89d68 a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=3095 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,etc_runtime_t,file,read

audit2allow

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };

audit2allow -R

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };

Comment 50 Devon Janitz 2013-02-27 14:59:29 UTC
PS Happens every time I open Nautilus.
Devon

Comment 51 Alex Villacís Lasso 2013-02-27 15:04:43 UTC
[root@localhost ~]# restorecon -v /etc/hostname 
restorecon reset /etc/hostname context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
[root@localhost ~]#

Comment 52 Dean Hunter 2013-03-07 22:28:47 UTC
There is still a problem when executing a query with hostnamectl.

[root@host ~]# yum list installed selinux-policy*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch                       3.11.1-82.fc18              @updates
selinux-policy-devel.noarch                 3.11.1-82.fc18              @updates
selinux-policy-doc.noarch                   3.11.1-82.fc18              @updates
selinux-policy-targeted.noarch              3.11.1-82.fc18              @updates

[root@host ~]# hostnamectl
   Static hostname: host.hunter.org
   Pretty hostname: n/a
         Icon name: computer-desktop
           Chassis: desktop
        Machine ID: e443777ec9cc4e02a25edf346f5a89b2
           Boot ID: efe19bc3918d4d3191a64df3ecf6f6f8
  Operating System: Fedora 18 (Spherical Cow)
       CPE OS Name: cpe:/o:fedoraproject:fedora:18
            Kernel: Linux 3.8.1-201.fc18.x86_64
      Architecture: x86_64

***
*** This is when the SELinux alert is raised.
***

[root@host ~]# ls -lZ /etc/hostname
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 /etc/hostname

[root@host ~]# restorecon -v /etc/hostname
restorecon reset /etc/hostname context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
[root@host ~]# hostnamectl
   Static hostname: host.hunter.org
   Pretty hostname: n/a
         Icon name: computer-desktop
           Chassis: desktop
        Machine ID: e443777ec9cc4e02a25edf346f5a89b2
           Boot ID: efe19bc3918d4d3191a64df3ecf6f6f8
  Operating System: Fedora 18 (Spherical Cow)
       CPE OS Name: cpe:/o:fedoraproject:fedora:18
            Kernel: Linux 3.8.1-201.fc18.x86_64
      Architecture: x86_64

***
*** Now there is no alert.
***

[root@host ~]# 

This is the alert:

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from read access on the file hostname.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that systemd-hostnamed should be allowed read access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                hostname [ file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-197-1.fc18.2.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-82.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux host.hunter.org 3.8.1-201.fc18.x86_64 #1 SMP
                              Thu Feb 28 19:23:08 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-03-07 16:05:07 CST
Last Seen                     2013-03-07 16:15:44 CST
Local ID                      d0d740cc-2aed-421f-9690-829788263c17

Raw Audit Messages
type=AVC msg=audit(1362694544.771:358): avc:  denied  { read } for  pid=2617 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=2361710 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file


type=AVC msg=audit(1362694544.771:358): avc:  denied  { open } for  pid=2617 comm="systemd-hostnam" path="/etc/hostname" dev="dm-1" ino=2361710 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file


type=SYSCALL msg=audit(1362694544.771:358): arch=x86_64 syscall=open success=yes exit=EINTR a0=7f5259ae6d68 a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=2617 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,etc_runtime_t,file,read

audit2allow

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };

audit2allow -R

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };
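
Added example (not part of the original bug thread, and not code from the selinux-policy project): a small triage script that parses AVC records like those quoted in the comments above, merges them into audit2allow-style rules, and separates denials caused by a mislabeled file (fixed with restorecon, as for /etc/hostname) from denials that need a policy update. The EXPECTED_TYPE map and the function names are assumptions for illustration; on a live system the default label comes from the file-context database.

```python
#!/usr/bin/env python3
"""Triage SELinux AVC denials: relabel vs. policy change (illustrative)."""
import re
from collections import defaultdict

# AVC records copied from the raw audit messages quoted in this thread. The
# SYSCALL record is shortened and only shows that non-AVC lines are skipped.
SAMPLE_LOG = """\
type=AVC msg=audit(1361098704.532:349): avc:  denied  { read } for  pid=10179 comm="systemd-hostnam" name="pm_profile" dev="sysfs" ino=697 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1362694544.771:358): avc:  denied  { read } for  pid=2617 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=2361710 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1362694544.771:358): avc:  denied  { open } for  pid=2617 comm="systemd-hostnam" path="/etc/hostname" dev="dm-1" ino=2361710 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1362694544.771:358): arch=x86_64 syscall=open success=yes exit=EINTR comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed
"""

# Assumption for this example: default file labels keyed by path. The single
# entry is the one setroubleshoot's restorecon plugin reports in the thread.
EXPECTED_TYPE = {"/etc/hostname": "etc_t"}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "event": (m.group("ts"), m.group("serial")),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),  # only some records carry a full path
        "name": fields.get("name"),
        # A context is user:role:type:level, so the type is the third field.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def triage(log_text, expected_types):
    """Group denials per (source, target, class) and classify each group.

    A group is "relabel" when a denied path carries a type other than its
    expected default, so an allow rule would only paper over a wrong label.
    Otherwise it is "policy": the access is missing from the policy itself.
    """
    groups = defaultdict(lambda: {"perms": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        if rec["path"]:
            groups[key]["paths"].add(rec["path"])

    findings = []
    for (src, tgt, tclass), group in sorted(groups.items()):
        perms = sorted(group["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        mislabeled = sorted(
            p for p in group["paths"] if expected_types.get(p, tgt) != tgt
        )
        findings.append({
            "rule": f"allow {src} {tgt}:{tclass} {perm_text};",
            "action": "relabel" if mislabeled else "policy",
            "paths": mislabeled,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, EXPECTED_TYPE):
        if finding["action"] == "relabel":
            print("relabel, do not load a rule: restorecon -v",
                  " ".join(finding["paths"]))
        else:
            print("policy gap, candidate rule to review:", finding["rule"])
```

Records that carry only name= (no path=) cannot be checked against the expected-label map, so they fall into the "policy" group unless another record of the same group supplies the path.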

Comment 53 Dean Hunter 2013-03-07 22:49:31 UTC
And additional SELinux alerts are raised when I use hostnamectl to set the Pretty Hostname:

[root@host ~]# hostnamectl set-hostname PM-Host --pretty

***
*** This is when the SELinux alerts are raised.
***

[root@host ~]# hostnamectl
   Static hostname: host.hunter.org
   Pretty hostname: PM-Host
         Icon name: computer-desktop
           Chassis: desktop
        Machine ID: e443777ec9cc4e02a25edf346f5a89b2
           Boot ID: efe19bc3918d4d3191a64df3ecf6f6f8
  Operating System: Fedora 18 (Spherical Cow)
       CPE OS Name: cpe:/o:fedoraproject:fedora:18
            Kernel: Linux 3.8.1-201.fc18.x86_64
      Architecture: x86_64

***
*** Now there is are alerts.
***

[root@host ~]# ls -lZ /etc/hostname
-rw-r--r--. root root system_u:object_r:etc_t:s0       /etc/hostname

[root@host ~]#

Comment 54 Miroslav Grepl 2013-03-08 09:41:29 UTC
Fixed in selinux-policy-3.11.1-84.fc18

Comment 55 Dean Hunter 2013-03-08 15:43:05 UTC
Given the size of the CC list and the recurrence of the problem, I think a little more accountability would be courteous. 

- Did you test it on a new build?
- With both a host name query and a host name set?
- Is -84 somewhere that we may test it?
- What are you doing differently so that -85 does not break it?

Comment 56 Fedora Update System 2013-03-08 16:11:15 UTC
selinux-policy-3.11.1-84.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-84.fc18

Comment 57 Dean Hunter 2013-03-08 18:14:38 UTC
After installing selinux-policy-3.11.1-84.fc18 SELinux alerts are still raised when setting the host name:

[root@host ~]# hostnamectl set-hostname PM-Host --pretty

Here are the alerts:

[root@host ~]# ausearch -m avc -ts recent
----
time->Fri Mar  8 11:58:27 2013
type=SYSCALL msg=audit(1362765507.134:342): arch=c000003e syscall=2 success=yes exit=5 a0=7fe1a7e55210 a1=800c2 a2=180 a3=1dc3661ac items=0 ppid=1 pid=1822 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1362765507.134:342): avc:  denied  { write } for  pid=1822 comm="systemd-hostnam" path="/etc/.machine-infoq2XmRS" dev="dm-1" ino=3019103 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1362765507.134:342): avc:  denied  { create } for  pid=1822 comm="systemd-hostnam" name=".machine-infoq2XmRS" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Fri Mar  8 11:58:27 2013
type=SYSCALL msg=audit(1362765507.135:343): arch=c000003e syscall=91 success=yes exit=0 a0=5 a1=1a4 a2=fbad2484 a3=22 items=0 ppid=1 pid=1822 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1362765507.135:343): avc:  denied  { setattr } for  pid=1822 comm="systemd-hostnam" name=".machine-infoq2XmRS" dev="dm-1" ino=3019103 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Fri Mar  8 11:58:27 2013
type=SYSCALL msg=audit(1362765507.135:344): arch=c000003e syscall=82 success=yes exit=0 a0=7fe1a7e55210 a1=7fe1a667dd48 a2=7fe1a7e583e0 a3=656e696863614d2d items=0 ppid=1 pid=1822 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1362765507.135:344): avc:  denied  { unlink } for  pid=1822 comm="systemd-hostnam" name="machine-info" dev="dm-1" ino=3018111 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1362765507.135:344): avc:  denied  { rename } for  pid=1822 comm="systemd-hostnam" name=".machine-infoq2XmRS" dev="dm-1" ino=3019103 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

[root@host ~]#
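
The `ausearch` output in the comment above can be collapsed into allow-rule form, as `audit2allow` did earlier in this report. This Python sketch is an added example, not part of the original thread and not the audit2allow implementation. The names `SAMPLE`, `summarize` and `render` are hypothetical, and the sample records are the ones quoted above with pid, dev and ino trimmed.

```python
import re
from collections import defaultdict

# Constructed sample: the records from the ausearch output above,
# trimmed to the fields the parser uses.
SAMPLE = """\
----
time->Fri Mar  8 11:58:27 2013
type=SYSCALL msg=audit(1362765507.134:342): arch=c000003e syscall=2 success=yes exit=5 comm="systemd-hostnam" subj=system_u:system_r:systemd_hostnamed_t:s0
type=AVC msg=audit(1362765507.134:342): avc:  denied  { write } for  comm="systemd-hostnam" path="/etc/.machine-infoq2XmRS" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1362765507.134:342): avc:  denied  { create } for  comm="systemd-hostnam" name=".machine-infoq2XmRS" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1362765507.135:343): avc:  denied  { setattr } for  comm="systemd-hostnam" name=".machine-infoq2XmRS" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1362765507.135:344): avc:  denied  { unlink } for  comm="systemd-hostnam" name="machine-info" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1362765507.135:344): avc:  denied  { rename } for  comm="systemd-hostnam" name=".machine-infoq2XmRS" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def summarize(log_text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # SYSCALL records, separators, timestamps
            continue
        key = (selinux_type(m["s"]), selinux_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
    return rules

def render(rules):
    """One allow rule per group; permissions sorted for stable output."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(rules.items())]

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

The single rule it prints applies to every file labeled `etc_t`, the generic label for files under /etc, which is far broader than the one file, /etc/machine-info, that the daemon was rewriting.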

Comment 59 Fedora Update System 2013-03-08 23:59:01 UTC
Package selinux-policy-3.11.1-84.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-84.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3605/selinux-policy-3.11.1-84.fc18
then log in and leave karma (feedback).

Comment 60 Michael Catanzaro 2013-03-10 21:57:39 UTC
Open Nautilus. Still unfixed in selinux-policy-3.11.1-82.fc18

Since this happens EVERY SINGLE TIME you open Nautilus and has been for a couple of weeks now, including after two updates to this package, I'm really confused as to why this hasn't yet been fixed. (Serious question, intended politely - I don't know much about selinux.)


Package: (null)
Architecture: x86_64
OS Release: Fedora release 18 (Spherical Cow)

Comment 61 Daniel Walsh 2013-03-11 12:40:46 UTC
Michael, please attach your exact AVCs after opening nautilus.

ausearch -m avc -ts recent

Comment 62 Miroslav Grepl 2013-03-11 12:52:29 UTC
Ok, I made this domain unconfined in F19 instead of in F18 by accident.

commit d19ad0559edd33552d3b20c973fa6fd0e36a4ed5
Author: Miroslav Grepl <mgrepl>
Date:   Fri Mar 8 15:59:58 2013 +0100

    Make systemd_hostnamed_t as unconfined domain in F18

Comment 63 Miroslav Grepl 2013-03-11 12:53:31 UTC
Added to selinux-policy-3.11.1-85.fc18

Comment 64 Michael Catanzaro 2013-03-11 13:02:45 UTC
That was an abrt-abetted complaint based on build -82; build -84 seems to have fixed the Nautilus issue, thanks.

Comment 65 Fedora Update System 2013-03-12 23:35:09 UTC
Package selinux-policy-3.11.1-85.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-85.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3605/selinux-policy-3.11.1-85.fc18
then log in and leave karma (feedback).

Comment 66 Fedora Update System 2013-03-14 03:00:15 UTC
selinux-policy-3.11.1-85.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

