Bug 1393774
| Summary: | systemd can't create dev-log socket | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jakub Jelen <jjelen> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, plautrba, pmoore, ssekidde |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.13.1-191.23.fc24 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-01-10 08:18:45 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This is a problem in all other Fedoras and most probably in RHEL7 too (needs investigation) Probably related to the other issue I can see in the logs about the unlink when calling
# systemctl restart systemd-journald systemd-journald-dev-log.socket
results in
# audit2allow
----
time->Wed Nov 9 06:46:09 2016
type=AVC msg=audit(1478691969.589:23727): avc: denied { unlink } for pid=1 comm="systemd" name="dev-log" dev="tmpfs" ino=10903 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0
#============= init_t ==============
allow init_t devlog_t:sock_file unlink;
Please, add also this one.
commit 30029d61dd8fec49ecdea8374b719ec4de709612
Author: Lukas Vrabec <lvrabec>
Date: Wed Nov 30 13:04:26 2016 +0100
Update logging_create_devlog_dev() interface to allow calling domain create also sock_file dev-log. BZ(1393774)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 31be8ac..0690edf 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -614,6 +614,7 @@ interface(`logging_create_devlog_dev',`
')
allow $1 devlog_t:lnk_file manage_lnk_file_perms;
+ allow $1 devlog_t:sock_file manage_sock_file_perms;
dev_filetrans($1, devlog_t, lnk_file, "log")
init_pid_filetrans($1, devlog_t, sock_file, "syslog")
logging_syslogd_pid_filetrans($1, devlog_t, sock_file, "dev-log")
selinux-policy-3.13.1-191.23.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33 selinux-policy-3.13.1-191.23.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-90bd4d7d33 selinux-policy-3.13.1-191.23.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Version-Release number of selected component (if applicable): selinux-policy-3.13.1-191.19.fc24.noarch How reproducible: always Steps to Reproduce: 1. Remove the /run/systemd/journal/dev-log 2. Restart system-journald 3. Or play with the systemd-journald-dev-log.socket (turn off and on) Actual results: Socket is not created and logging does not work. Expected results: The socket should be created and logging working Additional info: # ausearch -m AVC # audit2allow ---- time->Wed Nov 9 08:46:21 2016 type=AVC msg=audit(1478699181.421:76704): avc: denied { create } for pid=1 comm="systemd" name="dev-log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0 ---- time->Wed Nov 9 08:46:22 2016 type=AVC msg=audit(1478699182.100:76708): avc: denied { create } for pid=1 comm="systemd" name="dev-log" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=0 #============= init_t ============== allow init_t devlog_t:sock_file create; --------- The logging socket dev-log can be created by systemd in socket activation (in the ListenDatagram option in the socket above), so this systemd should be able to create it.