Bug 1403463

Summary: SELinux AVCs for logwatch with systemd journalctl support
Product: [Fedora] Fedora Reporter: Anthony Messina <amessina>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 27CC: dwalsh, frank, herrold, iav, jsynacek, lvrabec, mgrepl, nkudriavtsev, plautrba, pmoore, varekova
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-283.24.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-06 15:31:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Logwath selinux policy for journalctl
none
Logwath selinux policy for journalctl none

Description Anthony Messina 2016-12-10 14:25:26 UTC 
After upgrading to logwatch-7.4.3-3.fc25.noarch with support for parsing journald logs, the following AVCs are generated, effectively disabling the recent addition of journald support to logwatch.  See bug #864872.

AVC avc:  denied  { execute } for  pid=19919 comm="perl" name="journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
AVC avc:  denied  { execute } for  pid=19919 comm="perl" name="journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
AVC avc:  denied  { read open } for  pid=31910 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
AVC avc:  denied  { read open } for  pid=31910 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
AVC avc:  denied  { execute_no_trans } for  pid=10444 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
AVC avc:  denied  { execute_no_trans } for  pid=10444 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
AVC avc:  denied  { execute_no_trans } for  pid=27384 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
AVC avc:  denied  { execute_no_trans } for  pid=27384 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787811 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=0
AVC avc:  denied  { execute_no_trans } for  pid=19018 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787808 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
AVC avc:  denied  { sys_resource } for  pid=19018 comm="journalctl" capability=24  scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability permissive=1
AVC avc:  denied  { setrlimit } for  pid=19018 comm="journalctl" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=process permissive=1
AVC avc:  denied  { execute_no_trans } for  pid=22896 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787808 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
AVC avc:  denied  { sys_resource } for  pid=22896 comm="journalctl" capability=24  scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability permissive=1
AVC avc:  denied  { setrlimit } for  pid=22896 comm="journalctl" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=process permissive=1
AVC avc:  denied  { execute_no_trans } for  pid=23638 comm="perl" path="/usr/bin/journalctl" dev="md1" ino=57787808 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
AVC avc:  denied  { sys_resource } for  pid=23638 comm="journalctl" capability=24  scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=capability permissive=1
AVC avc:  denied  { setrlimit } for  pid=23638 comm="journalctl" scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tclass=process permissive=1
Comment 1 Nicholas Kudriavtsev 2017-04-29 12:50:21 UTC 
The same errors with Fedora 26 except "setrlimit" denial. Seems "sys_resource" denial does not prevent to run joutnalctl and get results. The local policy to resolve the denials is attached.
Comment 2 Nicholas Kudriavtsev 2017-04-29 12:51:46 UTC 
Created attachment 1275144 [details]
Logwath selinux policy for journalctl
Comment 3 Nicholas Kudriavtsev 2017-04-30 08:55:16 UTC 
Created attachment 1275268 [details]
Logwath selinux policy for journalctl

Well, I also have setrlimit denial. Here it is the updated policy.
Comment 4 Anthony Messina 2017-12-17 16:51:16 UTC 
In F27, journalctl in the logwatch_t context needs map access to journalctl_exec_t and var_log_t

AVC avc:  denied  { map } for  pid=14565 comm="journalctl" path="/usr/bin/journalctl" dev="md1" ino=57788544 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
AVC avc:  denied  { map } for  pid=14565 comm="journalctl" path="/var/log/journal/d23491c98ce8481cb7262477c211ea9f/user-1136600007" dev="md1" ino=109004652 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
Comment 5 Fedora Update System 2018-01-30 16:41:31 UTC 
selinux-policy-3.13.1-283.24.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
Comment 6 Fedora Update System 2018-01-31 22:45:05 UTC 
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a144eca5a8
Comment 7 Fedora Update System 2018-02-06 15:31:38 UTC 
selinux-policy-3.13.1-283.24.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.