From b3cbf00cbaf08eb836b4e6434634ffe62b888917 Mon Sep 17 00:00:00 2001
From: "Sugar, David" <dsugar@tresys.com>
Date: Mon, 18 Feb 2019 15:15:03 +0000
Subject: [PATCH] Allow systemd-hostnamed to set the hostname

When calling hostnamectl to set the hostname it needs sys_admin
capability to actually set the hostname.

Feb 13 11:47:14 localhost.localdomain systemd-hostnamed[7221]: Failed to set host name: Operation not permitted
type=AVC msg=audit(1550058524.656:1988): avc:  denied  { sys_admin } for  pid=7873 comm="systemd-hostnam" capability=21  scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=capability permissive=0

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 2b25a7d52..b88bf2324 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -331,6 +331,8 @@ seutil_search_default_contexts(systemd_coredump_t)
 # Hostnamed policy
 #
 
+allow systemd_hostnamed_t self:capability { sys_admin };
+
 kernel_read_kernel_sysctls(systemd_hostnamed_t)
 
 dev_read_sysfs(systemd_hostnamed_t)
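Review bot: the new `allow systemd_hostnamed_t self:capability { sys_admin };` line at the top of the Hostnamed policy section has no comment saying why the domain needs it. sys_admin is one of the broadest capabilities, and the rule permits every operation it gates for systemd_hostnamed_t, not only setting the hostname. The justification currently lives only in the commit message, so I would add a one-line comment above the rule, for example `# sys_admin is required to set the hostname`. A minor style point on the same line: the braces around a single permission are not needed, and `self:capability sys_admin;` reads the same.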