Bug 1267333

Summary: SELinux is preventing /usr/lib/systemd/systemd-journald from read, write access on the file /var/log/journal/3f77855635d14fba9a3e387d445174fb/.
Product: Fedora
Reporter: michal <bami95>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: high
Version: 22
CC: bami95, dominick.grift, dwalsh, fedora, lvrabec, mgrepl, plautrba
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:b1b87bc02d146bb878fc8b3342a704f250c94978bd0cad5527fb090eca21f5c0;VARIANT_ID=workstation;
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-19 20:22:56 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description michal 2015-09-29 16:43:03 UTC
Description of problem:
SELinux is preventing /usr/lib/systemd/systemd-journald from read, write access on the file /var/log/journal/3f77855635d14fba9a3e387d445174fb/.

*****  Plugin restorecon (94.8 confidence) suggests   ************************

If you want to fix the label. 
/var/log/journal/3f77855635d14fba9a3e387d445174fb/ default label should be var_log_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/log/journal/3f77855635d14fba9a3e387d445174fb/

*****  Plugin catchall_labels (5.21 confidence) suggests   *******************

If you want to allow systemd-journald to have read write access on the  file
Then you need to change the label on /var/log/journal/3f77855635d14fba9a3e387d445174fb/
Do
# semanage fcontext -a -t FILE_TYPE '/var/log/journal/3f77855635d14fba9a3e387d445174fb/'
where FILE_TYPE is one of the following: NetworkManager_log_t, abrt_var_log_t, acct_data_t, afs_cache_t, afs_logfile_t, aide_log_t, amanda_log_t, antivirus_log_t, apcupsd_log_t, apmd_log_t, asterisk_log_t, auth_cache_t, bacula_log_t, bitlbee_log_t, boinc_log_t, calamaris_log_t, callweaver_log_t, canna_log_t, ccs_var_lib_t, ccs_var_log_t, certmaster_var_log_t, cfengine_log_t, cgred_log_t, checkpc_log_t, chronyd_var_log_t, cinder_log_t, cloud_log_t, cluster_var_log_t, cobbler_var_log_t, condor_log_t, conman_log_t, consolekit_log_t, couchdb_log_t, cron_log_t, ctdbd_log_t, cupsd_log_t, cyphesis_log_t, ddclient_log_t, deltacloudd_log_t, denyhosts_var_log_t, devicekit_var_log_t, dirsrv_snmp_var_log_t, dirsrv_var_log_t, dlm_controld_var_log_t, dnsmasq_var_log_t, docker_log_t, dovecot_var_log_t, dspam_log_t, evtchnd_var_log_t, exim_log_t, fail2ban_log_t, faillog_t, fenced_var_log_t, fetchmail_log_t, fingerd_log_t, firewalld_var_log_t, foghorn_var_log_t, fsadm_log_t, gear_log_t, getty_log_t, gfs_controld_var_log_t, glance_log_t, glusterd_log_t, groupd_var_log_t, haproxy_var_log_t, httpd_log_t, icecast_log_t, inetd_log_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, ipsec_log_t, iscsi_log_t, iwhd_log_t, jetty_log_t, jockey_var_log_t, kadmind_log_t, keystone_log_t, kismet_log_t, krb5_host_rcache_t, krb5kdc_log_t, ksmtuned_log_t, ktalkd_log_t, lastlog_t, mailman_log_t, mcelog_log_t, mdadm_log_t, minidlna_log_t, mirrormanager_log_t, mongod_log_t, motion_log_t, mpd_log_t, mrtg_log_t, munin_log_t, mysqld_log_t, mythtv_var_log_t, naemon_log_t, nagios_log_t, named_log_t, neutron_log_t, nova_log_t, nscd_log_t, ntpd_log_t, numad_var_log_t, openshift_log_t, opensm_log_t, openvpn_status_t, openvpn_var_log_t, openvswitch_log_t, openwsman_log_t, osad_log_t, passenger_log_t, pcp_log_t, piranha_log_t, pki_ra_log_t, pki_tomcat_log_t, pki_tps_log_t, plymouthd_var_log_t, polipo_log_t, postgresql_log_t, pppd_log_t, pptp_log_t, prelink_log_t, prelude_log_t, privoxy_log_t, procmail_log_t, 
prosody_log_t, psad_var_log_t, puppet_log_t, puppet_tmp_t, pyicqt_log_t, qdiskd_var_log_t, rabbitmq_var_log_t, radiusd_log_t, redis_log_t, rhev_agentd_log_t, rhsmcertd_log_t, ricci_modcluster_var_log_t, ricci_var_log_t, rpm_log_t, rsync_log_t, rtas_errd_log_t, samba_log_t, sanlock_log_t, sectool_var_log_t, security_t, sendmail_log_t, sensord_log_t, setroubleshoot_var_log_t, shorewall_log_t, slapd_log_t, slpd_log_t, smsd_log_t, snapperd_log_t, snmpd_log_t, snort_log_t, spamd_log_t, speech-dispatcher_log_t, squid_log_t, sssd_var_log_t, stapserver_log_t, syslogd_tmp_t, syslogd_tmpfs_t, syslogd_var_lib_t, syslogd_var_run_t, sysstat_log_t, thin_aeolus_configserver_log_t, thin_log_t, tomcat_log_t, tor_var_log_t, tuned_log_t, ulogd_var_log_t, user_cron_spool_t, user_tmp_t, uucpd_log_t, var_log_t, varnishlog_log_t, vdagent_log_t, virt_log_t, virt_qemu_ga_log_t, vmware_log_t, watchdog_log_t, winbind_log_t, wtmp_t, xdm_log_t, xend_var_log_t, xenstored_var_log_t, xferlog_t, xserver_log_t, zabbix_log_t, zarafa_deliver_log_t, zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_spooler_log_t, zebra_log_t, zoneminder_log_t. 
Then execute: 
restorecon -v '/var/log/journal/3f77855635d14fba9a3e387d445174fb/'


*****  Plugin catchall (1.44 confidence) suggests   **************************

If you believe that systemd-journald should be allowed read write access on the  file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-journal /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:syslogd_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                /var/log/journal/3f77855635d14fba9a3e387d445174fb/
                              [ file ]
Source                        systemd-journal
Source Path                   /usr/lib/systemd/systemd-journald
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           systemd-219-24.fc22.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.13.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.7-200.fc22.x86_64 #1 SMP Mon
                              Sep 14 20:19:24 UTC 2015 x86_64 x86_64
Alert Count                   98
First Seen                    2015-09-29 18:35:53 CEST
Last Seen                     2015-09-29 18:36:49 CEST
Local ID                      f4bb6b1d-cd69-4abd-a212-12286e89f639

Raw Audit Messages
type=AVC msg=audit(1443544609.638:1040): avc:  denied  { read write } for  pid=441 comm="systemd-journal" name="user-1000.journal" dev="sdb2" ino=33829 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1443544609.638:1040): arch=x86_64 syscall=open success=no exit=EACCES a0=555cfda258e0 a1=80042 a2=1a0 a3=72756f6a2e303030 items=2 ppid=1 pid=441 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)

type=CWD msg=audit(1443544609.638:1040): cwd=/

type=PATH msg=audit(1443544609.638:1040): item=0 name=/var/log/journal/3f77855635d14fba9a3e387d445174fb/ inode=11752 dev=00:2c mode=042755 ouid=0 ogid=190 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT

type=PATH msg=audit(1443544609.638:1040): item=1 name=/var/log/journal/3f77855635d14fba9a3e387d445174fb/user-1000.journal inode=33829 dev=00:2c mode=0100650 ouid=0 ogid=190 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL

Hash: systemd-journal,syslogd_t,unlabeled_t,file,read,write

Version-Release number of selected component:
selinux-policy-3.13.1-128.13.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.7-200.fc22.x86_64
type:           libreport
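The Raw Audit Messages above already contain what is needed to classify this denial without the setroubleshoot plugins: records that share one msg=audit(timestamp:serial) belong to the same syscall, and the two PATH items show the parent directory labeled var_log_t while the file itself is unlabeled_t. The Python script below is an added example (it is not part of this report, of setroubleshoot, or of the selinux-policy project) that parses such records, correlates them by serial, and flags unlabeled_t targets as a relabeling job rather than a policy gap, which is the distinction that decides between restorecon and audit2allow. Its input is the four audit lines from this report embedded verbatim; all function and field names are this example's own.

```python
import re
from collections import defaultdict

# The four raw audit records from this report, copied here so the example runs offline.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1443544609.638:1040): avc:  denied  { read write } for  pid=441 comm="systemd-journal" name="user-1000.journal" dev="sdb2" ino=33829 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1443544609.638:1040): arch=x86_64 syscall=open success=no exit=EACCES a0=555cfda258e0 a1=80042 a2=1a0 a3=72756f6a2e303030 items=2 ppid=1 pid=441 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=systemd-journal exe=/usr/lib/systemd/systemd-journald subj=system_u:system_r:syslogd_t:s0 key=(null)
type=CWD msg=audit(1443544609.638:1040): cwd=/
type=PATH msg=audit(1443544609.638:1040): item=0 name=/var/log/journal/3f77855635d14fba9a3e387d445174fb/ inode=11752 dev=00:2c mode=042755 ouid=0 ogid=190 rdev=00:00 obj=system_u:object_r:var_log_t:s0 nametype=PARENT
type=PATH msg=audit(1443544609.638:1040): item=1 name=/var/log/journal/3f77855635d14fba9a3e387d445174fb/user-1000.journal inode=33829 dev=00:2c mode=0100650 ouid=0 ogid=190 rdev=00:00 obj=system_u:object_r:unlabeled_t:s0 nametype=NORMAL
"""

_TYPE = re.compile(r"^type=(\w+)")
_SERIAL = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r"\{ ([^}]*) \}")


def parse_record(line):
    """Return (serial, record_type, fields) for one audit line, or None if it is not one."""
    m_type = _TYPE.match(line)
    m_serial = _SERIAL.search(line)
    if not m_type or not m_serial:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m_perms = _PERMS.search(line)
    if m_perms:
        # The denied permissions sit in braces, not in key=value form.
        fields["permissions"] = m_perms.group(1).split()
    fields["denied"] = bool(re.search(r"avc:\s+denied", line))
    return m_serial.group(2), m_type.group(1), fields


def selinux_type(context):
    """Extract the type from user:role:type:level; '' when the context is missing."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def group_events(log_text):
    """Records sharing one msg=audit(ts:serial) describe the same syscall event."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            serial, rtype, fields = parsed
            events[serial].append((rtype, fields))
    return events


def analyze(log_text):
    """One finding per AVC denial, classified as a labeling problem or a policy gap."""
    findings = []
    for serial, records in sorted(group_events(log_text).items()):
        # PATH records carry the on-disk label of the parent and of the object itself.
        paths = {f.get("nametype"): f for rtype, f in records if rtype == "PATH"}
        for rtype, avc in records:
            if rtype != "AVC" or not avc.get("denied"):
                continue
            target_type = selinux_type(avc.get("tcontext", ""))
            path = paths.get("NORMAL", {}).get("name")
            parent_type = selinux_type(paths.get("PARENT", {}).get("obj", ""))
            finding = {
                "serial": serial,
                "source": avc.get("comm"),
                "source_type": selinux_type(avc.get("scontext", "")),
                "target_type": target_type,
                "tclass": avc.get("tclass"),
                "permissions": avc.get("permissions", []),
                "path": path,
                "parent_type": parent_type,
            }
            if target_type == "unlabeled_t":
                # The object carries no label while its parent does, so this is a
                # relabeling job. An allow rule for unlabeled_t would silently cover
                # every unlabeled object on the system, so it is never the fix.
                finding["verdict"] = "relabel"
                finding["suggestion"] = "restorecon -v '%s'" % (path or "<path from PATH record>")
            else:
                finding["verdict"] = "policy"
                finding["suggestion"] = (
                    "review whether %s should reach %s objects before adding any allow rule"
                    % (finding["source_type"], target_type)
                )
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT_LOG):
        print("%s denied %s on %s (%s, parent %s): %s -> %s" % (
            f["source"], " ".join(f["permissions"]), f["path"], f["target_type"],
            f["parent_type"], f["verdict"], f["suggestion"]))
```

Run it on a real system with `grep 'msg=audit(' /var/log/audit/audit.log` piped into analyze() instead of the embedded sample; the point of correlating AVC with PATH rather than reading the AVC line alone is that the parent's label tells you whether restorecon has a correct default to restore, which is exactly the check Comment 1 is asking the reporter to make.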

Comment 1 Daniel Walsh 2015-09-29 17:36:58 UTC
setroubleshoot told you what you needed to do?

restorecon -R -v /var/log/journal

Is there a different mount point there?

Comment 2 michal 2015-10-26 13:53:31 UTC
It seems something was causing this error to repeat. The last restorecon seemed to work though. It hasn't shown up since.

Comment 3 Georg Sauthoff 2016-02-23 08:33:29 UTC
I've observed similar errors (read, write, getattr avc denied) on a freshly installed Fedora 23 system.

It was installed via the netinstall image, a few days ago.

Since I didn't mess with any files under /var/log/journal I am a little bit surprised that the SELinux contexts are incorrect.

Restorecon fixed the context for now:

# restorecon -v /var/log/journal/abc123etc/user-1000.journal 
restorecon reset /var/log/journal/abc123etc/user-1000.journal context system_u:object_r:unlabeled_t:s0->system_u:object_r:var_log_t:s0

Comment 4 Fedora End Of Life 2016-07-19 20:22:56 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.