Bug 1204217

Summary: rsyslog (or something) spams all consoles and shells with SELinux audit messages
Product: [Fedora] Fedora Reporter: Richard W.M. Jones <rjones>
Component: rsyslogAssignee: Tomas Heinrich <theinric>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: jlieskov, lkundrak, mah.darade, pvrabec, theinric
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rsyslog-8.8.0-2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-20 19:22:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
emerg.log none

Description Richard W.M. Jones 2015-03-20 15:53:08 UTC 
Description of problem:

In latest Rawhide:

$ ssh trick

Message from syslogd@trick at Mar 20 15:51:46 ...
 journal:<audit-1112> pid=1960 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=choo.home.annexia.org addr=192.168.0.175 terminal=/dev/pts/0 res=success'

Message from syslogd@trick at Mar 20 15:51:46 ...
 journal:<audit-1105> pid=1960 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=choo.home.annexia.org addr=192.168.0.175 terminal=/dev/pts/0 res=success'
Last login: Fri Mar 20 14:59:07 2015 from choo.home.annexia.org

Message from syslogd@trick at Mar 20 15:51:46 ...
 journal:<audit-2404> pid=1960 uid=0 auid=1000 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=SHA256:5e:91:96:9b:d3:3c:42:5c:21:e8:fe:8e:4c:c6:a8:ef:cb:3f:ff:b8:e8:c8:b0:2a:a3:d9:c7:65:40:dc:7a:62 direction=? spid=1968 suid=1000  exe="/usr/sbin/sshd" hostname=? addr=192.168.0.175 terminal=? res=success'

Furthermore any additional SELinux/audit messages appear in the shell.

Version-Release number of selected component (if applicable):

systemd-219-10.fc23.x86_64
rsyslog-8.8.0-1.fc23.x86_64

How reproducible:

100% (for me)

Steps to Reproduce:
1. Install Rawhide.
2. Log in.
Comment 1 Richard W.M. Jones 2015-03-20 15:54:15 UTC 
See also:
https://lists.fedoraproject.org/pipermail/devel/2015-March/209220.html
https://lists.fedoraproject.org/pipermail/devel/2015-March/209225.html
Comment 2 Richard W.M. Jones 2015-03-20 15:57:24 UTC 
Created attachment 1004552 [details]
emerg.log

Tomas asked me to supply additional information:

> You can try appending this to /etc/rsyslog.conf:
> 
> template(name="tpl" type="string" string="%TIMESTAMP% %HOSTNAME% %syslogtag% json: %$!all-json%\n")
> *.emerg action(type="omfile" file="/tmp/emerg.log" template="tpl")
> 
> Then you can look into the message metadata to see what was actually
> received.

The contents of emerg.log are attached.
Comment 3 Tomas Heinrich 2015-03-20 17:51:35 UTC 
OK, there is a bug in the imjournal plugin in rsyslog.
Some of the messages coming from journald don't have the PRIORITY field (and neither they have SYSLOG_FACILITY=, SYSLOG_IDENTIFIER=, SYSLOG_PID=), thus rsyslog has to emulate it. There's a bug in how the default value is set.

The PRIORITY field is client-provided. I'm undecided whether journald should always try to provide it so that the same value is used consistently by all the consumers.

Here's a scratchbuild to test: http://koji.fedoraproject.org/koji/taskinfo?taskID=9281778
Comment 4 Richard W.M. Jones 2015-03-20 18:45:06 UTC 
I will try that at some point, but at the moment I cannot
even log into my Rawhide machine at the keyboard, nor over
ssh.  It's that broken ...
Comment 5 Richard W.M. Jones 2015-03-20 18:58:57 UTC 
Yes, I can confirm that the package in comment 3 fixes the problem.
Comment 6 Tomas Heinrich 2015-03-20 19:01:10 UTC 
(In reply to Richard W.M. Jones from comment #5)
> Yes, I can confirm that the package in comment 3 fixes the problem.

Great, thanks. I'll push out the updated version.