Bug 1393774
Summary: | systemd can't create dev-log socket | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Jakub Jelen <jjelen> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Priority: | unspecified |
Version: | 24 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore, ssekidde |
Hardware: | Unspecified | OS: | Unspecified |
Fixed In Version: | selinux-policy-3.13.1-191.23.fc24 | Type: | Bug |
Last Closed: | 2017-01-10 08:18:45 UTC | | |
Description
Jakub Jelen
2016-11-10 10:22:39 UTC
This is a problem in all other Fedoras and most probably in RHEL7 too (needs investigation).

Probably related to the other issue I can see in the logs about the unlink when calling

    # systemctl restart systemd-journald systemd-journald-dev-log.socket

results in

    # audit2allow
    ----
    time->Wed Nov 9 06:46:09 2016
    type=AVC msg=audit(1478691969.589:23727): avc: denied { unlink } for pid=1 comm="systemd" name="dev-log" dev="tmpfs" ino=10903 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0

    #============= init_t ==============
    allow init_t devlog_t:sock_file unlink;

Please, add also this one.

commit 30029d61dd8fec49ecdea8374b719ec4de709612
Author: Lukas Vrabec <lvrabec>
Date: Wed Nov 30 13:04:26 2016 +0100

Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 31be8ac..0690edf 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if
@@ -614,6 +614,7 @@ interface(`logging_create_devlog_dev',` ') allow $1 devlog_t:lnk_file manage_lnk_file_perms; + allow $1 devlog_t:sock_file manage_sock_file_perms; dev_filetrans($1, devlog_t, lnk_file, "log") init_pid_filetrans($1, devlog_t, sock_file, "syslog") logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")

selinux-policy-3.13.1-191.23.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33

selinux-policy-3.13.1-191.23.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33

selinux-policy-3.13.1-191.23.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
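Review bot: In the logging.if hunk at @@ -614,6 +614,7 @@, the added `allow $1 devlog_t:sock_file manage_sock_file_perms;` grants every caller of logging_create_devlog_dev the full manage set on devlog_t sockets, while the denial in this report is a single `unlink` by init_t and the commit message only asks for create. Consider narrowing the rule to create_sock_file_perms plus delete_sock_file_perms, or state in the commit message which additional permissions (setattr, rename, write) systemd actually exercises on dev-log. Because the interface now covers the socket as well as the /dev/log link, its summary comment above the hunk should be updated in the same change if it still describes only the link.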