<div dir="ltr"><div><div>Hello,<br><br></div>I have a system that is an upgrade from
Fedora 23 to Fedora 24 Alpha. Occasionally I get messages about selinux
blocking systemd-hostnamed from mounton access on /home. I can trigger
this issue by running command hostnamectl. <br><br>Is this supposed to
happen? Is systemd-hostnamed supposed to do something in /home
directories and what might be the right fix for this?<br><br></div><div>On the second side I have another Fedora 24 system that is new install
using this same /home partition, and there is no this issue there.<br><br><br><br></div>Secondly, why is name of process trimmed, like (ostnamed), is this intentional?<br><br>Relevant journalctl entries:<br><br>Apr 19 16:14:48 localhost systemd[1]: Starting Hostname Service...<br>Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=filter family=2 entries=0<br>Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=nat family=2 entries=0<br>Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=raw family=2 entries=0<br>Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=mangle family=2 entries=0<br>Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=security family=2 entries=0<br>Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=filter family=10 entries=0<br>Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=nat family=10 entries=0<br>Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=raw family=10 entries=0<br>Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=mangle family=10 entries=0<br>Apr 19 16:14:48 localhost audit: NETFILTER_CFG table=security family=10 entries=0<br>Apr
19 16:14:48 localhost audit[3618]: AVC avc: denied { mounton } for
pid=3618 comm="(ostnamed)" path="/home" dev="md126p2" ino=50332160
scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0<br>Apr 19 16:14:48 localhost dbus[895]: [system] Successfully activated service 'org.freedesktop.hostname1'<br>Apr 19 16:14:48 localhost systemd[1]: Started Hostname Service.<br>Apr 19 16:14:48 localhost audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'<br>Apr
19 16:14:48 localhost kernel: nf_conntrack: automatic helper assignment
is deprecated and it will be removed soon. Use the iptables CT target
to attach helpers instead.<br>Apr 19 16:14:51 localhost dbus[895]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)<br>Apr
19 16:14:51 localhost gvfsd[1716]: ** (gvfsd:1716): WARNING **:
dbus_mount_reply: Error from org.gtk.vfs.Mountable.mount(): Failed to
retrieve share list from server: Connection refused<br>Apr 19 16:14:51
localhost gvfsd[1716]: ** (process:3624): WARNING **: Couldn't create
directory monitor on smb://x-gnome-default-workgroup/. Error: The specified location is not mounted<br>Apr 19 16:14:51 localhost dbus[895]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'<br>Apr
19 16:14:52 localhostA setroubleshoot[3649]: SELinux is preventing
(ostnamed) from mounton access on the directory /home. For complete
SELinux messages. run sealert -l 29306eea-442b-448d-a647-6f1dede9ee78<br>Apr 19 16:14:52 localhost python3[3649]: SELinux is preventing (ostnamed) from mounton access on the directory /home.<br> <br> ***** Plugin restorecon (94.8 confidence) suggests ************************<br> <br> If you want to fix the label. <br> /home default label should be home_root_t.<br> Then you can run restorecon.<br> Do<br> # /sbin/restorecon -v /home<br> <br> ***** Plugin catchall_labels (5.21 confidence) suggests *******************<br> <br> If you want to allow (ostnamed) to have mounton access on the home directory<br> Then you need to change the label on /home<br> Do<br> # semanage fcontext -a -t FILE_TYPE '/home'<br>
where FILE_TYPE is one of the following: admin_home_t, anon_inodefs_t,
audit_spool_t, auditd_log_t, autofs_t, automount_tmp_t, bacula_store_t,
binfmt_misc_fs_t, boot_t, capifs_t, cgroup_t, cifs_t, container_image_t,
debugfs_t, default_t, device_t, devpts_t, dnssec_t, dosfs_t,
ecryptfs_t, efivarfs_t, fusefs_t, home_root_t, hugetlbfs_t,
ifconfig_var_run_t, init_var_run_t, initrc_tmp_t, iso9660_t, kdbusfs_t,
mail_spool_t, mnt_t, mqueue_spool_t, named_conf_t, news_spool_t, nfs_t,
nfsd_fs_t, openshift_tmp_t, openshift_var_lib_t, oracleasmfs_t, proc_t,
proc_xen_t, pstore_t, public_content_rw_t, public_content_t, ramfs_t,
random_seed_t, removable_t, root_t, rpc_pipefs_t, security_t, spufs_t,
src_t, svirt_sandbox_file_t, sysctl_fs_t, sysctl_t, sysfs_t, sysv_t,
tmp_t, tmpfs_t, usbfs_t, user_home_dir_t, user_home_t, user_tmp_t,
usr_t, var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t,
var_t, virt_image_t, virt_var_lib_t, vmblock_t, vxfs_t, xend_var_lib_t,
xend_var_run_t, xenfs_t, xenstored_var_lib_t.<br> Then execute:<br> restorecon -v '/home'<br> <br> <br> ***** Plugin catchall (1.44 confidence) suggests **************************<br> <br> If you believe that (ostnamed) should be allowed mounton access on the home directory by default.<br> Then you should report this as a bug.<br> You can generate a local policy module to allow this access.<br> Do<br> allow this access for now by executing:<br> # ausearch -c (ostnamed) --raw | audit2allow -M mypol<br> # semodule -i mypol.pp<br> <br>Apr
19 16:14:54 localhost gvfsd[1716]: ** (gvfsd:1716): WARNING **:
dbus_mount_reply: Error from org.gtk.vfs.Mountable.mount(): Failed to
retrieve share list from server: Connection refused<br>Apr 19 16:14:54
localhost gvfsd[1716]: ** (process:3622): WARNING **: Couldn't create
directory monitor on smb://x-gnome-default-workgroup/. Error: The specified location is not mounted<br>Apr 19 16:15:18 localhost audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'<br><br><br><br><br>$ sealert -l 29306eea-442b-448d-a647-6f1dede9ee78<br>SELinux is preventing (ostnamed) from mounton access on the directory /home.<br><br>***** Plugin restorecon (94.8 confidence) suggests ************************<br><br>If you want to fix the label. <br>/home default label should be home_root_t.<br>Then you can run restorecon.<br>Do<br># /sbin/restorecon -v /home<br><br>***** Plugin catchall_labels (5.21 confidence) suggests *******************<br><br>If you want to allow (ostnamed) to have mounton access on the home directory<br>Then you need to change the label on /home<br>Do<br># semanage fcontext -a -t FILE_TYPE '/home'<br>where
FILE_TYPE is one of the following: admin_home_t, anon_inodefs_t,
audit_spool_t, auditd_log_t, autofs_t, automount_tmp_t, bacula_store_t,
binfmt_misc_fs_t, boot_t, capifs_t, cgroup_t, cifs_t, container_image_t,
debugfs_t, default_t, device_t, devpts_t, dnssec_t, dosfs_t,
ecryptfs_t, efivarfs_t, fusefs_t, home_root_t, hugetlbfs_t,
ifconfig_var_run_t, init_var_run_t, initrc_tmp_t, iso9660_t, kdbusfs_t,
mail_spool_t, mnt_t, mqueue_spool_t, named_conf_t, news_spool_t, nfs_t,
nfsd_fs_t, openshift_tmp_t, openshift_var_lib_t, oracleasmfs_t, proc_t,
proc_xen_t, pstore_t, public_content_rw_t, public_content_t, ramfs_t,
random_seed_t, removable_t, root_t, rpc_pipefs_t, security_t, spufs_t,
src_t, svirt_sandbox_file_t, sysctl_fs_t, sysctl_t, sysfs_t, sysv_t,
tmp_t, tmpfs_t, usbfs_t, user_home_dir_t, user_home_t, user_tmp_t,
usr_t, var_lib_nfs_t, var_lib_t, var_lock_t, var_log_t, var_run_t,
var_t, virt_image_t, virt_var_lib_t, vmblock_t, vxfs_t, xend_var_lib_t,
xend_var_run_t, xenfs_t, xenstored_var_lib_t.<br>Then execute:<br>restorecon -v '/home'<br><br><br>***** Plugin catchall (1.44 confidence) suggests **************************<br><br>If you believe that (ostnamed) should be allowed mounton access on the home directory by default.<br>Then you should report this as a bug.<br>You can generate a local policy module to allow this access.<br>Do<br>allow this access for now by executing:<br># ausearch -c (ostnamed) --raw | audit2allow -M mypol<br># semodule -i mypol.pp<br><br><br>Additional Information:<br>Source Context system_u:system_r:init_t:s0<br>Target Context system_u:object_r:unlabeled_t:s0<br>Target Objects /home [ dir ]<br>Source (ostnamed)<br>Source Path (ostnamed)<br>Port <Unknown><br>Host localhost<br>Source RPM Packages <br>Target RPM Packages filesystem-3.2-37.fc24.x86_64<br>Policy RPM selinux-policy-3.13.1-182.fc24.noarch<br>Selinux Enabled True<br>Policy Type targeted<br>Enforcing Mode Enforcing<br>Host Name localhost<br>Platform Linux localhost 4.5.1-300.fc24.x86_64 #1 SMP Tue<br> Apr 12 18:55:06 UTC 2016 x86_64 x86_64<br>Alert Count 28<br>First Seen 2016-04-18 20:27:54 CEST<br>Last Seen 2016-04-19 16:14:48 CEST<br>Local ID 29306eea-442b-448d-a647-6f1dede9ee78<br><br>Raw Audit Messages<br>type=AVC
msg=audit(1461075288.431:423): avc: denied { mounton } for pid=3618
comm="(ostnamed)" path="/home" dev="md126p2" ino=50332160
scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0<br><br><br>Hash: (ostnamed),init_t,unlabeled_t,dir,mounton<br><br><br><br>I have tried running restorecon -v /home with no success</div>