From: "Sugar, David" <dsugar@tresys.com>
To: "selinux-refpolicy@vger.kernel.org" <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH 2/2 v2] Modify type for /etc/hostname
Date: Tue, 15 Jan 2019 03:20:29 +0000 [thread overview]
Message-ID: <20190115032018.28662-4-dsugar@tresys.com> (raw)
In-Reply-To: <20190115032018.28662-1-dsugar@tresys.com>
hostnamectl updates /etc/hostname
This change is setting the type for the file /etc/hostname to
net_conf_t and granting hostnamectl permission to edit this file.
Note that hostnamectl is initially creating a new file .#hostname*
which is why the create permissions are requied.
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/system/sysnetwork.fc | 1 +
policy/modules/system/systemd.te | 3 +++
2 files changed, 4 insertions(+)
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc
index cd528938..1e5432a4 100644
--- a/policy/modules/system/sysnetwork.fc
+++ b/policy/modules/system/sysnetwork.fc
@@ -18,6 +18,7 @@ ifdef(`distro_debian',`
/etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.allow.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0)
+/etc/hostname -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
/etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index abcc52f5..75ee4310 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -325,6 +325,9 @@ files_read_etc_files(systemd_hostnamed_t)
seutil_read_file_contexts(systemd_hostnamed_t)
+sysnet_etc_filetrans_config(systemd_hostnamed_t)
+sysnet_manage_config(systemd_hostnamed_t)
+
systemd_log_parse_environment(systemd_hostnamed_t)
optional_policy(`
--
2.20.1
next prev parent reply other threads:[~2019-01-15 3:20 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-15 3:20 [PATCH] Interface to read and write the mount_runtime_t directory Sugar, David
2019-01-15 3:20 ` [PATCH 1/2] Interface with systemd_hostnamed over dbus to set hostname Sugar, David
2019-01-16 23:12 ` Chris PeBenito
2019-01-15 3:20 ` Sugar, David [this message]
2019-01-16 23:13 ` [PATCH 2/2 v2] Modify type for /etc/hostname Chris PeBenito
2019-01-15 3:20 ` [PATCH] label journald configuraiton files syslog_conf_t Sugar, David
2019-01-16 23:12 ` Chris PeBenito
2019-01-16 23:06 ` [PATCH] Interface to read and write the mount_runtime_t directory Chris PeBenito
2019-01-22 14:47 ` Sugar, David
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190115032018.28662-4-dsugar@tresys.com \
--to=dsugar@tresys.com \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.