Description of problem:

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from 'read' accesses on the file pm_profile.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that systemd-hostnamed should be allowed read access on the pm_profile file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                pm_profile [ file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-197-1.fc18.2.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-78.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.7.8-202.fc18.i686.PAE #1 SMP Fri Feb 15 17:47:05 UTC 2013 i686 i686
Alert Count                   2
First Seen                    2013-02-17 16:58:24 YEKT
Last Seen                     2013-02-17 16:58:24 YEKT
Local ID                      e1fd1af4-e252-43fe-a31a-96d72b5de697

Raw Audit Messages
type=AVC msg=audit(1361098704.532:349): avc: denied { read } for pid=10179 comm="systemd-hostnam" name="pm_profile" dev="sysfs" ino=697 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file

type=SYSCALL msg=audit(1361098704.532:349): arch=i386 syscall=open success=no exit=EACCES a0=b7743302 a1=88000 a2=1b6 a3=b93f07a8 items=0 ppid=1 pid=10179 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,sysfs_t,file,read

audit2allow

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t sysfs_t:file read;

audit2allow -R

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t sysfs_t:file read;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.8-202.fc18.i686.PAE
type:           libreport
*** Bug 912283 has been marked as a duplicate of this bug. ***
*** Bug 912037 has been marked as a duplicate of this bug. ***
commit 33a62dfff572a0954b36313132a99c8b4da2f02e
Author: Miroslav Grepl <mgrepl>
Date:   Mon Feb 18 11:40:44 2013 +0100

    Backport fixes for systemd-hostname policy to F18
Please execute

semanage permissive -a systemd_hostnamed_t

to make this work for now.
*** Bug 912100 has been marked as a duplicate of this bug. ***
Dropbox, software for synchronizing files https://www.dropbox.com/ Do you know of a more secure one for Fedora? Since the last update, SELinux detects a problem: when I click on the icon at the top right in the Xfce tray of minimized applications, it still shows me the file manager afterwards. Package: (null) OS Release: Fedora release 18 (Spherical Cow)
1) opened nautilus 2) bug report Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
reboot after yum update one of 5 hostnamed related messages on system startup Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
Launched nautilus from menu. Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
The SELinux troubleshoot icon appeared at some time during my daily routine, without any warning. Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
At every boot Package: (null) OS Release: Fedora release 18 (Spherical Cow)
Open Nautilus Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
Every time I open nautilus. Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
I clicked on my user name at the upper right hand corner, then clicked on "System Settings". In the window that appeared, I clicked on "Details", and this SELinux alert appeared. Package: (null) OS Release: Fedora release 18 (Spherical Cow)
i don't know Package: (null) OS Release: Fedora release 18 (Spherical Cow)
Opening secondary folder via nautilus Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
Just at boot, seems to be systemd Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
Problem occurs when trying to open "Details" from System Settings menu.
choose, I don't know Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
selinux-policy-3.11.1-79.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-79.fc18
Try to access the "Details" panel in control center Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
*** Bug 912676 has been marked as a duplicate of this bug. ***
*** Bug 912671 has been marked as a duplicate of this bug. ***
*** Bug 912670 has been marked as a duplicate of this bug. ***
*** Bug 912669 has been marked as a duplicate of this bug. ***
*** Bug 912668 has been marked as a duplicate of this bug. ***
*** Bug 912677 has been marked as a duplicate of this bug. ***
Tried to select a keyboard layout in GNOME control center. Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
*** Bug 912685 has been marked as a duplicate of this bug. ***
Running System Settings -> Detail Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
(In reply to comment #20)
> selinux-policy-3.11.1-79.fc18 has been submitted as an update for Fedora 18.
> https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-79.fc18

I installed the new rpms, rebooted and issue seems to be gone. I am opening Nautilus with no warnings so far.
Opening nautilus Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
While loading a USB drive onto the system, I opened Files to wait for it to synchronize. Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
Every time Nautilus is opened Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
Description of problem:
When opening "details" in GNOME control centre, SElinux blocks systemd-hostnamed

Additional info:
hashmarkername: setroubleshoot
kernel:         3.7.8-202.fc18.x86_64
type:           libreport
This happens quite frequently, and results in whatever program I am using crashing. In this specific case it was steam for linux, although it has occurred for things like software updater before. Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
I opened the file manager Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
After a reboot, then logging in, it immediately happened after opening Nautilus. Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
Doing update via yumex instead of Software Install program associated with PackageKit which wasn't installing, only downloading Originally my hostname was fully qualified local only dns address of gbserver.gbdomain.local. Thinking that this was the issue and having had a difficult experience with installing Ubuntu on my system, seeing how they suggested the short host name rather than the full one for the system in install process, so vi /etc/hosts and vi /etc/hostname to just gbserver to see if that reduced the instances of alerts. Have just reversed adding short name to loopback in case this has caused the issue as it would mean two short names for loopback which in hindsight doesn't sound practical? Cross fingers X Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
yum update; rebooted. Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
selinux-policy-3.11.1-79.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
I'm still getting this error pop up and my system is up to date.

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from read access on the lnk_file id.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that systemd-hostnamed should be allowed read access on the id lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                id [ lnk_file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          slimtop
Source RPM Packages           systemd-197-1.fc18.1.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-78.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     slimtop
Platform                      Linux slimtop 3.7.8-202.fc18.i686 #1 SMP Fri Feb 15 17:57:07 UTC 2013 i686 i686
Alert Count                   4
First Seen                    2013-02-19 20:05:34 GMT
Last Seen                     2013-02-20 10:25:41 GMT
Local ID                      3e9a73c2-5184-45c9-9e9e-a28f258348b8

Raw Audit Messages
type=AVC msg=audit(1361355941.518:100): avc: denied { read } for pid=6601 comm="systemd-hostnam" name="id" dev="sysfs" ino=141 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1361355941.518:100): arch=i386 syscall=open success=no exit=EACCES a0=b7725da4 a1=88000 a2=1b6 a3=b7918790 items=0 ppid=1 pid=6601 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,sysfs_t,lnk_file,read
And another one that I didn't file a few days ago:

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from write access on the chr_file kmsg.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that systemd-hostnamed should be allowed write access on the kmsg chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:kmsg_device_t:s0
Target Objects                kmsg [ chr_file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          slimtop
Source RPM Packages           systemd-197-1.fc18.1.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-78.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     slimtop
Platform                      Linux slimtop 3.7.8-202.fc18.i686 #1 SMP Fri Feb 15 17:57:07 UTC 2013 i686 i686
Alert Count                   2
First Seen                    2013-02-19 20:05:34 GMT
Last Seen                     2013-02-20 10:25:41 GMT
Local ID                      ff000d02-a034-453d-bd0b-a943e7cb57a5

Raw Audit Messages
type=AVC msg=audit(1361355941.458:90): avc: denied { write } for pid=6601 comm="systemd-hostnam" name="kmsg" dev="devtmpfs" ino=1034 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:kmsg_device_t:s0 tclass=chr_file

type=SYSCALL msg=audit(1361355941.458:90): arch=i386 syscall=open success=no exit=EACCES a0=b7727430 a1=88101 a2=0 a3=6 items=0 ppid=1 pid=6601 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,kmsg_device_t,chr_file,write

Should there already be a fix applied to the system? In which case this would indicate it failed to resolve the issue and the bug should be reopened?
Got it again today. System updated (no testing repos).

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from read access on the lnk_file id.

***** Plugin catchall (100. confidence) suggests ***************************

If sie denken, dass es systemd-hostnamed standardmässig erlaubt sein sollte, read Zugriff auf id lnk_file zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                id [ lnk_file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          martin.fedora
Source RPM Packages           systemd-197-1.fc18.1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-78.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     martin.fedora
Platform                      Linux martin.fedora 3.7.7-201.fc18.x86_64 #1 SMP Tue Feb 12 22:35:01 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-02-19 20:13:39 CET
Last Seen                     2013-02-20 12:17:55 CET
Local ID                      1de6ee1e-8a1e-494d-8fe8-6ab04e0feabb

Raw Audit Messages
type=AVC msg=audit(1361359075.879:504): avc: denied { read } for pid=21303 comm="systemd-hostnam" name="id" dev="sysfs" ino=149 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file

type=SYSCALL msg=audit(1361359075.879:504): arch=x86_64 syscall=open success=no exit=EACCES a0=7f595403f890 a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=21303 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,sysfs_t,lnk_file,read
*** Bug 913106 has been marked as a duplicate of this bug. ***
I just applied selinux-policy 3.11.1-79 and rebooted. Bug Reported thinks the error reported below is a duplicate of this.

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from read access on the file /etc/hostname.

***** Plugin restorecon (99.5 confidence) suggests *************************

If you want to fix the label.
/etc/hostname default label should be etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/hostname

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that systemd-hostnamed should be allowed read access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                /etc/hostname [ file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-197-1.fc18.1.x86_64
Target RPM Packages           systemd-197-1.fc18.1.x86_64
Policy RPM                    selinux-policy-3.11.1-79.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux client18 3.7.8-202.fc18.x86_64 #1 SMP Fri Feb 15 17:33:07 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-02-20 15:16:42 CST
Last Seen                     2013-02-20 15:16:42 CST
Local ID                      6f0f9410-6cf3-4c02-80b8-d57767cb2048

Raw Audit Messages
type=AVC msg=audit(1361395002.237:339): avc: denied { read } for pid=1756 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1836350 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

type=AVC msg=audit(1361395002.237:339): avc: denied { open } for pid=1756 comm="systemd-hostnam" path="/etc/hostname" dev="dm-1" ino=1836350 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1361395002.237:339): arch=x86_64 syscall=open success=yes exit=EINTR a0=7fc0e1f6ad68 a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=1756 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,etc_runtime_t,file,read

audit2allow

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };

audit2allow -R

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };
After applying selinux-policy-3.11.1-81.fc18 from build ID 397492 to resolve bug report 912813, the SELinux alert changed from /etc/hostname to /etc/machine-info.

SELinux Troubleshooter is reporting:

--- Running report_Bugzilla ---
Logging into Bugzilla at https://bugzilla.redhat.com
Checking for duplicates
Bug is already reported: 912100
Bug 912100 is a duplicate, using parent bug 912036
Logging out
Status: CLOSED CURRENTRELEASE https://bugzilla.redhat.com/show_bug.cgi?id=912036
Please attach the new AVC messages.
This is still broken. Is this the message below you need? If not tell me where to find it.

Thanks,
Devon

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from read access on the file /etc/hostname.

***** Plugin restorecon (99.5 confidence) suggests *************************

If you want to fix the label.
/etc/hostname default label should be etc_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/hostname

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that systemd-hostnamed should be allowed read access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                /etc/hostname [ file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-197-1.fc18.2.x86_64
Target RPM Packages           systemd-197-1.fc18.2.x86_64
Policy RPM                    selinux-policy-3.11.1-81.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux dcj-fed-lap.fisc.int 3.7.9-201.fc18.x86_64 #1 SMP Mon Feb 18 21:07:56 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-02-27 09:51:21 EST
Last Seen                     2013-02-27 09:51:21 EST
Local ID                      3dd67b72-cbae-4c14-80d7-de6672807705

Raw Audit Messages
type=AVC msg=audit(1361976681.265:349): avc: denied { read } for pid=3095 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=919920 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

type=AVC msg=audit(1361976681.265:349): avc: denied { open } for pid=3095 comm="systemd-hostnam" path="/etc/hostname" dev="dm-1" ino=919920 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1361976681.265:349): arch=x86_64 syscall=open success=yes exit=EINTR a0=7f968ff89d68 a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=3095 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,etc_runtime_t,file,read

audit2allow

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };

audit2allow -R

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };
PS Happens every time I open Nautilus. Devon
[root@localhost ~]# restorecon -v /etc/hostname
restorecon reset /etc/hostname context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
[root@localhost ~]#
There is still a problem when executing a query with hostnamectl.

[root@host ~]# yum list installed selinux-policy*
Loaded plugins: langpacks, presto, refresh-packagekit
Installed Packages
selinux-policy.noarch                 3.11.1-82.fc18    @updates
selinux-policy-devel.noarch           3.11.1-82.fc18    @updates
selinux-policy-doc.noarch             3.11.1-82.fc18    @updates
selinux-policy-targeted.noarch        3.11.1-82.fc18    @updates
[root@host ~]# hostnamectl
   Static hostname: host.hunter.org
   Pretty hostname: n/a
         Icon name: computer-desktop
           Chassis: desktop
        Machine ID: e443777ec9cc4e02a25edf346f5a89b2
           Boot ID: efe19bc3918d4d3191a64df3ecf6f6f8
  Operating System: Fedora 18 (Spherical Cow)
       CPE OS Name: cpe:/o:fedoraproject:fedora:18
            Kernel: Linux 3.8.1-201.fc18.x86_64
      Architecture: x86_64
***
*** This is when the SELinux alert is raised.
***
[root@host ~]# ls -lZ /etc/hostname
-rw-r--r--. root root system_u:object_r:etc_runtime_t:s0 /etc/hostname
[root@host ~]# restorecon -v /etc/hostname
restorecon reset /etc/hostname context system_u:object_r:etc_runtime_t:s0->system_u:object_r:etc_t:s0
[root@host ~]# hostnamectl
   Static hostname: host.hunter.org
   Pretty hostname: n/a
         Icon name: computer-desktop
           Chassis: desktop
        Machine ID: e443777ec9cc4e02a25edf346f5a89b2
           Boot ID: efe19bc3918d4d3191a64df3ecf6f6f8
  Operating System: Fedora 18 (Spherical Cow)
       CPE OS Name: cpe:/o:fedoraproject:fedora:18
            Kernel: Linux 3.8.1-201.fc18.x86_64
      Architecture: x86_64
***
*** Now there is no alert.
***
[root@host ~]#

This is the alert:

SELinux is preventing /usr/lib/systemd/systemd-hostnamed from read access on the file hostname.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that systemd-hostnamed should be allowed read access on the hostname file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-hostnam /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:systemd_hostnamed_t:s0
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                hostname [ file ]
Source                        systemd-hostnam
Source Path                   /usr/lib/systemd/systemd-hostnamed
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-197-1.fc18.2.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-82.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux host.hunter.org 3.8.1-201.fc18.x86_64 #1 SMP Thu Feb 28 19:23:08 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-03-07 16:05:07 CST
Last Seen                     2013-03-07 16:15:44 CST
Local ID                      d0d740cc-2aed-421f-9690-829788263c17

Raw Audit Messages
type=AVC msg=audit(1362694544.771:358): avc: denied { read } for pid=2617 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=2361710 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

type=AVC msg=audit(1362694544.771:358): avc: denied { open } for pid=2617 comm="systemd-hostnam" path="/etc/hostname" dev="dm-1" ino=2361710 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1362694544.771:358): arch=x86_64 syscall=open success=yes exit=EINTR a0=7f5259ae6d68 a1=80000 a2=1b6 a3=238 items=0 ppid=1 pid=2617 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm=systemd-hostnam exe=/usr/lib/systemd/systemd-hostnamed subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)

Hash: systemd-hostnam,systemd_hostnamed_t,etc_runtime_t,file,read

audit2allow

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };

audit2allow -R

#============= systemd_hostnamed_t ==============
allow systemd_hostnamed_t etc_runtime_t:file { read open };
And additional SELinux alerts are raised when I use hostnamectl to set the Pretty Hostname:

[root@host ~]# hostnamectl set-hostname PM-Host --pretty
***
*** This is when the SELinux alerts are raised.
***
[root@host ~]# hostnamectl
   Static hostname: host.hunter.org
   Pretty hostname: PM-Host
         Icon name: computer-desktop
           Chassis: desktop
        Machine ID: e443777ec9cc4e02a25edf346f5a89b2
           Boot ID: efe19bc3918d4d3191a64df3ecf6f6f8
  Operating System: Fedora 18 (Spherical Cow)
       CPE OS Name: cpe:/o:fedoraproject:fedora:18
            Kernel: Linux 3.8.1-201.fc18.x86_64
      Architecture: x86_64
***
*** Now there are alerts.
***
[root@host ~]# ls -lZ /etc/hostname
-rw-r--r--. root root system_u:object_r:etc_t:s0 /etc/hostname
[root@host ~]#
Fixed in selinux-policy-3.11.1-84.fc18
Given the size of the CC list and the recurrence of the problem, I think a little more accountability would be courteous.

- Did you test it on a new build?
- With both a host name query and a host name set?
- Is -84 somewhere that we may test it?
- What are you doing differently so that -85 does not break it?
selinux-policy-3.11.1-84.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-84.fc18
After installing selinux-policy-3.11.1-84.fc18 SELinux alerts are still raised when setting the host name:

[root@host ~]# hostnamectl set-hostname PM-Host --pretty

Here are the alerts:

[root@host ~]# ausearch -m avc -ts recent
----
time->Fri Mar 8 11:58:27 2013
type=SYSCALL msg=audit(1362765507.134:342): arch=c000003e syscall=2 success=yes exit=5 a0=7fe1a7e55210 a1=800c2 a2=180 a3=1dc3661ac items=0 ppid=1 pid=1822 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1362765507.134:342): avc: denied { write } for pid=1822 comm="systemd-hostnam" path="/etc/.machine-infoq2XmRS" dev="dm-1" ino=3019103 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1362765507.134:342): avc: denied { create } for pid=1822 comm="systemd-hostnam" name=".machine-infoq2XmRS" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Fri Mar 8 11:58:27 2013
type=SYSCALL msg=audit(1362765507.135:343): arch=c000003e syscall=91 success=yes exit=0 a0=5 a1=1a4 a2=fbad2484 a3=22 items=0 ppid=1 pid=1822 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1362765507.135:343): avc: denied { setattr } for pid=1822 comm="systemd-hostnam" name=".machine-infoq2XmRS" dev="dm-1" ino=3019103 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
----
time->Fri Mar 8 11:58:27 2013
type=SYSCALL msg=audit(1362765507.135:344): arch=c000003e syscall=82 success=yes exit=0 a0=7fe1a7e55210 a1=7fe1a667dd48 a2=7fe1a7e583e0 a3=656e696863614d2d items=0 ppid=1 pid=1822 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1362765507.135:344): avc: denied { unlink } for pid=1822 comm="systemd-hostnam" name="machine-info" dev="dm-1" ino=3018111 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1362765507.135:344): avc: denied { rename } for pid=1822 comm="systemd-hostnam" name=".machine-infoq2XmRS" dev="dm-1" ino=3019103 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
[root@host ~]#
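Added example (not part of any comment in this bug, and not code from audit2allow or setroubleshoot): the reports in this thread mix denials on a mislabeled file (/etc/hostname carrying etc_runtime_t, which restorecon fixes) with accesses the policy itself lacks. The Python below parses AVC records copied from the comments above and separates the two cases; the names `parse_avcs`, `allow_rules`, `triage` and `EXPECTED_LABELS` are hypothetical, and the expected-label map is a hand-written assumption taken from the restorecon plugin text in this thread.

```python
import re
from collections import namedtuple

Denial = namedtuple("Denial", "perms source target tclass obj fileid")

# One AVC denial; several records may share a line, so the body is matched non-greedily.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<body>.*?)"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)",
    re.S,
)
OBJ_RE = re.compile(r'\b(?:path|name)="?([^"\s]+)"?')
FILE_RE = re.compile(r'\bdev="?([^"\s]+)"?\s+ino=(\d+)')

# Default label the restorecon plugin reports in this thread. Hypothetical stand-in
# for the file-contexts database that matchpathcon(8) would consult on a real host.
EXPECTED_LABELS = {"/etc/hostname": "etc_t"}


def selinux_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Extract every AVC denial found in raw audit text."""
    denials = []
    for m in AVC_RE.finditer(text):
        body = m.group("body")
        obj = OBJ_RE.search(body)
        fid = FILE_RE.search(body)
        denials.append(Denial(
            perms=tuple(m.group("perms").split()),
            source=selinux_type(m.group("scon")),
            target=selinux_type(m.group("tcon")),
            tclass=m.group("tclass"),
            obj=obj.group(1) if obj else None,
            fileid=fid.groups() if fid else None,
        ))
    return denials


def allow_rules(denials):
    """One rule per (source, target, class); permissions kept in first-seen order."""
    merged = {}
    for d in denials:
        perms = merged.setdefault((d.source, d.target, d.tclass), {})
        perms.update(dict.fromkeys(d.perms))
    rules = []
    for (src, tgt, cls), perms in merged.items():
        names = list(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def triage(text, expected=EXPECTED_LABELS):
    """Split denials into paths to relabel and rules the policy itself would need."""
    denials = parse_avcs(text)
    # A denial on a path whose label differs from its default is a labeling problem.
    wrong = {d.fileid: d.obj for d in denials
             if d.fileid and d.obj in expected and d.target != expected[d.obj]}
    # Drop every denial on the same dev/inode, including records that only carry name=.
    remaining = [d for d in denials if d.fileid not in wrong]
    return sorted(wrong.values()), allow_rules(remaining)


# Records copied from the reports in this thread (different hosts, same domain).
_CTX = "scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:"
SAMPLE = "\n".join([
    'type=AVC msg=audit(1361098704.532:349): avc: denied { read } for pid=10179 '
    'comm="systemd-hostnam" name="pm_profile" dev="sysfs" ino=697 ' + _CTX + "sysfs_t:s0 tclass=file",
    'type=AVC msg=audit(1361395002.237:339): avc: denied { read } for pid=1756 '
    'comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1836350 ' + _CTX + "etc_runtime_t:s0 tclass=file",
    'type=AVC msg=audit(1361395002.237:339): avc: denied { open } for pid=1756 '
    'comm="systemd-hostnam" path="/etc/hostname" dev="dm-1" ino=1836350 ' + _CTX + "etc_runtime_t:s0 tclass=file",
    'type=AVC msg=audit(1362765507.135:344): avc: denied { unlink } for pid=1822 '
    'comm="systemd-hostnam" name="machine-info" dev="dm-1" ino=3018111 ' + _CTX + "etc_t:s0 tclass=file",
    'type=AVC msg=audit(1362765507.135:344): avc: denied { rename } for pid=1822 '
    'comm="systemd-hostnam" name=".machine-infoq2XmRS" dev="dm-1" ino=3019103 ' + _CTX + "etc_t:s0 tclass=file",
])

if __name__ == "__main__":
    relabel, rules = triage(SAMPLE)
    print("\n".join([f"restorecon -v {p}" for p in relabel] + rules))
```

Without the label check, `allow_rules` alone reproduces the `etc_runtime_t:file { read open }` rule that audit2allow printed in the earlier comments, which would paper over the mislabeled file rather than fix it.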
Package selinux-policy-3.11.1-84.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-84.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3605/selinux-policy-3.11.1-84.fc18
then log in and leave karma (feedback).
Open Nautilus. Still unfixed in selinux-policy-3.11.1-82.fc18 Since this happens EVERY SINGLE TIME you open Nautilus and has been for a couple of weeks now, including after two updates to this package, I'm really confused as to why this hasn't yet been fixed. (Serious question, intended politely - I don't know much about selinux.) Package: (null) Architecture: x86_64 OS Release: Fedora release 18 (Spherical Cow)
Michael

Please attach your exact AVC's after opening nautilus.

ausearch -m avc -ts recent
Ok, I made this domain as unconfined in F19 instead of in F18 by accident.

commit d19ad0559edd33552d3b20c973fa6fd0e36a4ed5
Author: Miroslav Grepl <mgrepl>
Date:   Fri Mar 8 15:59:58 2013 +0100

    Make systemd_hostnamed_t as unconfined domain in F18
Added to selinux-policy-3.11.1-85.fc18
That was an abrt-abetted complaint based on build -82; build -84 seems to have fixed the Nautilus issue, thanks.
Package selinux-policy-3.11.1-85.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-85.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-3605/selinux-policy-3.11.1-85.fc18
then log in and leave karma (feedback).
selinux-policy-3.11.1-85.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.