diff options
author | Sugar, David <dsugar@tresys.com> | 2019-01-15 03:20:29 +0000 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2019-02-10 12:11:25 +0800 |
commit | 5b718f3466777e255c0a899936324a01af81058c (patch) | |
tree | 5eb6fd5f2ae6aef3da92ee658f8cfe8a012a5a39 | |
parent | Interface with systemd_hostnamed over dbus to set hostname (diff) | |
download | hardened-refpolicy-5b718f3466777e255c0a899936324a01af81058c.tar.gz hardened-refpolicy-5b718f3466777e255c0a899936324a01af81058c.tar.bz2 hardened-refpolicy-5b718f3466777e255c0a899936324a01af81058c.zip |
Modify type for /etc/hostname
hostnamectl updates /etc/hostname
This change is setting the type for the file /etc/hostname to
net_conf_t and granting hostnamectl permission to edit this file.
Note that hostnamectl is initially creating a new file .#hostname*
which is why the create permissions are requied.
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" name="etc" dev="dm-1" ino=101 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { add_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { create } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:563): avc: denied { write } for pid=7564 comm="systemd-hostnam" path="/etc/.#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:563): arch=c000003e syscall=2 success=yes exit=8 a0=560d0bba34b0 a1=800c2 a2=180 a3=5c35f14c items=2 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:564): avc: denied { setattr } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1547039052.041:564): arch=c000003e syscall=91 success=yes exit=0 a0=8 a1=1a4 a2=fbad2484 a3=24 items=1 ppid=1 pid=7564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)
type=AVC msg=audit(1547039052.041:565): avc: denied { remove_name } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { rename } for pid=7564 comm="systemd-hostnam" name=".#hostnamezyqZ9t" dev="dm-1" ino=1094726 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547039052.041:565): avc: denied { unlink } for pid=7564 comm="systemd-hostnam" name="hostname" dev="dm-1" ino=1094712 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Signed-off-by: Jason Zaman <jason@perfinion.com>
-rw-r--r-- | policy/modules/system/sysnetwork.fc | 1 | ||||
-rw-r--r-- | policy/modules/system/systemd.te | 3 |
2 files changed, 4 insertions, 0 deletions
diff --git a/policy/modules/system/sysnetwork.fc b/policy/modules/system/sysnetwork.fc index 430eb93d..cd8a9e80 100644 --- a/policy/modules/system/sysnetwork.fc +++ b/policy/modules/system/sysnetwork.fc @@ -18,6 +18,7 @@ ifdef(`distro_debian',` /etc/hosts -- gen_context(system_u:object_r:net_conf_t,s0) /etc/hosts\.allow.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/hosts\.deny.* -- gen_context(system_u:object_r:net_conf_t,s0) +/etc/hostname -- gen_context(system_u:object_r:net_conf_t,s0) /etc/denyhosts.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/resolv\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) /etc/yp\.conf.* -- gen_context(system_u:object_r:net_conf_t,s0) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 0b1dc9d0..04a518c7 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -335,6 +335,9 @@ files_read_etc_files(systemd_hostnamed_t) seutil_read_file_contexts(systemd_hostnamed_t) +sysnet_etc_filetrans_config(systemd_hostnamed_t) +sysnet_manage_config(systemd_hostnamed_t) + systemd_log_parse_environment(systemd_hostnamed_t) optional_policy(` |