From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Allow systemd-hostnamed to set the hostname
Date: Mon, 18 Feb 2019 15:15:03 +0000
Message-ID: <20190218151450.13208-2-dsugar@tresys.com>
References: <20190218151450.13208-1-dsugar@tresys.com>
In-Reply-To: <20190218151450.13208-1-dsugar@tresys.com>

When calling hostnamectl to set the hostname it needs sys_admin
capability to actually set the hostname.

Feb 13 11:47:14 localhost.localdomain systemd-hostnamed[7221]: Failed to set host name: Operation not permitted

type=AVC msg=audit(1550058524.656:1988): avc: denied { sys_admin } for pid=7873 comm="systemd-hostnam" capability=21 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar
---
 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/syste= md.te index 2b25a7d5..b88bf232 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te 
@@ -331,6 +331,8 @@ seutil_search_default_contexts(systemd_coredump_t) # Hostnamed policy # =20 +allow systemd_hostnamed_t self:capability { sys_admin }; + kernel_read_kernel_sysctls(systemd_hostnamed_t) =20 dev_read_sysfs(systemd_hostnamed_t) --=20 2.20.1
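
Review bot: the added allow rule at the top of the Hostnamed policy section grants sys_admin, one of the broadest Linux capabilities, with no comment in the policy saying why it is needed. The AVC in the commit message (capability=21, comm="systemd-hostnam") ties it to setting the hostname, so a one-line comment above the rule, for example `# sethostname(2) requires CAP_SYS_ADMIN`, would keep that rationale next to the grant for anyone later auditing what systemd_hostnamed_t can do. The braces around the single permission are also unnecessary; `allow systemd_hostnamed_t self:capability sys_admin;` is equivalent.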