On Mon, 2019-02-18 at 15:15 +0000, Sugar, David wrote:
> When calling hostnamectl to set the hostname it needs sys_admin
> capability to actually set the hostname.
>
> Feb 13 11:47:14 localhost.localdomain systemd-hostnamed[7221]: Failed
> to set host name: Operation not permitted
> type=AVC msg=audit(1550058524.656:1988): avc: denied { sys_admin }
> for pid=7873 comm="systemd-hostnam"
> capability=21 scontext=system_u:system_r:systemd_hostnamed_t:s0
> tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability
> permissive=0
>
> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
> ---
> policy/modules/system/systemd.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/systemd.te
> b/policy/modules/system/systemd.te
> index 2b25a7d5..b88bf232 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -331,6 +331,8 @@
> seutil_search_default_contexts(systemd_coredump_t)
> # Hostnamed policy
> #
>
> +allow systemd_hostnamed_t self:capability { sys_admin };
> +
> kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
> dev_read_sysfs(systemd_hostnamed_t)
Merged.
--
Chris PeBenito
